Intel Gigabit NIC Packet of Death 137
An anonymous reader sends this quote from a blog post about a very odd technical issue and some clever debugging:
"Packets of death. I started calling them that because that’s exactly what they are. ... This customer location, for some reason or another, could predictably bring down the ethernet controller with voice traffic on their network. Let me elaborate on that for a second. When I say “bring down” an ethernet controller I mean BRING DOWN an ethernet controller. The system and ethernet interfaces would appear fine and then after a random amount of traffic the interface would report a hardware error (lost communication with PHY) and lose link. Literally the link lights on the switch and interface would go out. It was dead. Nothing but a power cycle would bring it back. ... While debugging with this very patient reseller I started stopping the packet captures as soon as the interface dropped. Eventually I caught on to a pattern: the last packet out of the interface was always a 100 Trying provisional response, and it was always a specific length. Not only that, I ended up tracing this (Asterisk) response to a specific phone manufacturer’s INVITE. ... With a modified HTTP server configured to generate the data at byte value (based on headers, host, etc) you could easily configure an HTTP 200 response to contain the packet of death — and kill client machines behind firewalls!"
Ouch (Score:5, Insightful)
I think an actual summary would have been a vast improvement over TFS.
Re: (Score:2)
The summary is pretty much word-for-word copy-pasta from his blog.. ..minus any of the useful formatting.
Re:Ouch (Score:5, Insightful)
It's pretty bad even by slashdot standards:
'Let me elaborate on that for a second. When I say “bring down” an ethernet controller I mean BRING DOWN an ethernet controller.'
This statement is worse than useless, it's a waste of space and a waste of your time to read it (I'm sorry I quoted it). The next sentence is okay but then they go back to 'Literally the link lights on the switch and interface would go out. It was dead.'
Literally, this is a waste of the word literally. And it being dead was implied by everything stated above. The rest is informative but still in a conversational style that makes it hard to read, and it's lacking in details such as:
What model of Ethernet controller was tested. What Firmware version are they using? Has the problem been reported to Intel?
Re:Ouch (Score:4, Informative)
Re:Ouch (Score:5, Funny)
Then GP's on the wrong site. Here at slashdot, we're proud of our editors' inability and unwillingness to do anything that could actually be described as editing. Cuz writin' good isn't sumpin' real nurdz car about. U shld just B glad it ain't all writ in 1337-5p34|<, and STFU, n00b!
At least, that's the impression I've always had of what the so-called "editors" seem to believe. :)
Re: (Score:1)
tl;dr
Re:Ouch (Score:5, Informative)
What model of Ethernet controller was tested. What Firmware version are they using? Has the problem been reported to Intel?
I realize you found the article difficult to read, but it wasn't that long. 2/3 of your questions were addressed in the article.
Re: (Score:3)
What model of Ethernet controller was tested. What Firmware version are they using? Has the problem been reported to Intel?
I realize you found the article difficult to read, but it wasn't that long. 2/3 of your questions were addressed in the article.
It's Slashdot. Most people don't even read the whole summary before asking questions like that.
Re:Ouch (Score:5, Funny)
Less /. bashing more Intel bashing please.
Re: (Score:1)
Intel needs to be bashed imo. They had that recent Core CPU bug, this network bug and they are ending buying the Mobo/CPU separate. And you see those articles everywhere and AMD has yelled at the top of their lungs that AMD isn't doing that and will offer the same things to enthusiasts building their own boards. I don't know why people act like Intel is the be all end all, they are definitely not; yet the articles fail to mention that. Absolutely not a thing wrong with AMD components.
Re: (Score:2)
Most people do not read the TITLE of the article before they start to bash. Never mind the summary.
no public fix (Score:3)
Too bad Intel gave a fix to them (a fix they ultimately couldn't use), but hasn't to anyone else.
Too bad Intel has also apparently known about the problem for months now.
"Intel has been aware of this issue for several months. They also have a fix. However, they haven't publicized it because they don't know how widespread it is."
Bullshit. I bet they were hoping to very quietly roll it into a driver update and have it all go away.
Re: (Score:3)
Re: (Score:2)
I don't think it is too bad. I'm going to use this for the router log in screen and expose it to the world.
Imagine how many script kiddies and infected drones will go down when they probe my ports and try to connect. I can imagine the look on their faces when they lose connection for trying to "hack" into someone's network.
Re: (Score:3)
Bullshit. I bet they were hoping to very quietly roll it into a driver update and have it all go away.
Yes, that would be ideal for everyone. If it just silently went away, that also means it wasn't much of a problem ... that means it didn't get used as a massive exploit. Thats good.
There is no scenario where 'going away' is a bad thing, unless you're just all angsty and looking for a reason to tell 'the man' how much he sucks.
Re: (Score:2)
82574L was the Intel NIC.
I'm surprised that Intel NICs are held in such high regard, yet there are some really detrimental bugs.
CSB:
I just bought a three port daughterboard for a Jetway ITX mobo I am planning on using as a pfSense FW. Their Gen2 daughterboard uses this chip, but thankfully I didn't spend the extra $50 on the Gen2 compatible board and went with a Gen1 that uses 82541PI. Hopefully that one doesn't have the same issue.
Re: (Score:1)
The 82541 has worse bugs and worse performance. Besides, the 82574L is used instead of the RealTek RTL 81xx and its ilk. The RTL81xx crap is MUCH worse, as it is unfixable: slow, dumb, and requires severe performance reducing measures that dumbs it down to fastethernet-like levels of hardware assistance to even survive without causing rogue pci master transactions (aka rogue DMA over whatever is after the packet buffer), you cannot even use that RTL LOM NIC with jumbo frames without risking PCIe stalls eve
Re:Ouch (Score:5, Informative)
Intel NIC's are held in high regard because a) they are fixed when a problem is found, and b) the bugs are documented.
You should have a look through some of the CPU errata on Intel's site. it'll open your eyes as to just how many bugs a desktop CPU has even once it's shipped
Re: (Score:3)
Too bad 3com isn't around any more. Well, not in any meaningful way. They used to rock this world.
This is why the equipment should be heterogeneous (Score:4, Insightful)
Whether it's your brand of switch, motherboard or even memory, never have the same across all machines if you can help it. The only time I'd recommend the same brand would be hard drives (due to concurrency issues), but then at least try go get them from different batches. If your lot of mobos will only handle one brand of memory for whatever reason even when cas latency is identical, then have two machines doing whatever it is you need to be doing.
One kind of anything makes it easier to kill you swiftly in the end, whether it's by a ping of death or a biological disease.
Re: (Score:3, Informative)
Agreed. OP clearly has no experience managing large server installations.
Re: (Score:1)
"Over specialize and you breed in weakness"
- Major Kusanagi Motoko
Re: (Score:1)
Re: (Score:2)
Re: (Score:1, Funny)
if ($uid -ge 1000000) || ($uid == "Anonymous Coward"; then /dev/null
cat $foo >
else
cat $foo > $file
fi
Re: (Score:2)
line 2: -ge: command not found
with $uid set to 1000001:
line 2: 1000001: command not found
The condition is always false and the user never goes the /dev/null
I guess you need to use brackets, in bash at least...
Re: (Score:2)
line 2: -ge: command not found
with $uid set to 1000001:
line 2: 1000001: command not found
The condition is always false and the user never goes the /dev/null
I guess you need to use brackets, in bash at least...
You're right, but bash doesn't even enter the picture: /usr/bin/[
$ ls -l `which [`
-rwxr-xr-x 1 root root 35264 Nov 20 06:25
The program is called [ and it complains if its last argument is not a ], so you need the square brackets no matter which shell you use.
Re: (Score:2)
Was just end of day, I'm totally checked out pseudo code- relax gents. But I should have known better if I was to be snarky in bash:
if [ $uid -ge 1000000 ] || [ $uid == "Anonymous Coward" ]; then /dev/null
cat $foo >
else
$foo > $file
fi
Re: (Score:2)
the second condition should probably be another variable too like $uid_cn or such.
Re: (Score:2)
And while it's tempting to write ==, it should be just a =
I'm won't admit how many years of unix/linux it took for me to notice that, that few shells bother to complain about it.
Re: (Score:2)
Make sense, I always wondered why you needed spaces after the [ and before the ]. Make sense if they are program arguments. Good one !
But in realty, bracket support has been built into bash for eons mostly for optimization purposes. It is the case for other functionalities where the legacy executable is still present on the system but not needed.
~# which [ /usr/bin/[ /usr/bin/ttt /usr/bin/ttt: No such file or directory /usr/bin/[ /usr/bin/ttt
~# ls
ls: cannot access
~# mv
~# which [
~# if [ 1 = 1 ] ; then echo t
Re:This is why the equipment should be heterogeneo (Score:5, Interesting)
One kind of thing makes it a zillion times easier to recognize a problem when it crops up, and makes it so you only ever have to troubleshoot an issue once.
How much more awful would it be if something similar happened next week on more computers, and he had to troubleshoot it all over again-- not even knowing whether the machines had NICs in common?
"Everything blew up" is a problem. "Everything blew up, I dont know why, and it will take 3 weeks to find a solution" is a huge problem. "Everything blew up AGAIN, and I it will take another 3 weeks because our environment is heterogenous" means you are out of a job.
Re:This is why the equipment should be heterogeneo (Score:5, Informative)
There's a good reason a lot of our equipment is slightly older. No, we don't use ancient stuff, but they're not 100% top of the line made yesterday either. And that's because each time a new mobo, memory and storage combo that looks like its worth purchasing comes to market, the first thing we do is run a few sample sets under everything we can throw at it. Usually problems are narrowed down within the first couple of weeks or so, but that's why we have separate people just for testing equipment.
Now admittedly, it's getting harder with this economy so we have some people doing double duty on occasion (I've had to do a bit too when the flu came rolling in), but testing goes on for as long as we think is necessary before the combo goes live. We avoid a lot of the headaches that come with large deployments by keeping changes isolated to maybe 10-15 nodes at a time. It's a slow and steady rollout of mostly similar systems (maybe 3-4 identical) that helps us avoid down time.
We're not Google and we don't pretend to be, but common sense goes a long way to avoiding hiccups like "everything blew up". I think the biggest issue was when hurricane Sandy hit and we weren't sure if the backup generators would come online (this is a big problem with things that need fuel and oil, but stay off for a long time), so we brought in a generator truck for that too, just in case. Again, avoiding one of anything.
Re: (Score:1)
Curious.
Re: (Score:2)
Re: (Score:2)
Or the Nintendo Wii?
Re: (Score:2)
Sounds, like you've found the balance point between bleeding edge (things are broken/buggy) and outdated (no longer supported/available).
I wished more people would favor this approach. It would save money and time down the road. i.e. Planned Upgrade Path.
Re: (Score:2)
Also, cheaper with older ones. I also don't buy the latest stuff. I want the stable anc cheap ones. Also, older stuff have issues worked out and known. I stopped being in first in line unless I get paid to use and test. :P
Replacements (Score:3, Insightful)
Errrr, no. Have you ever tried to deal with replacements and/or issues within a large organization where everything is different? It's hellish.
Try tracking an issue across an enterprise of architecture when all the architecture is DIFFERENT. You also don't want to mix RAM, and drivers can be a real b**** for different motherboards. Oh, and RMA's things, not fun.
Different brands of RAM. Yeah, you try a rack full of servers playing mix'n'match and see how well that works.
Lastly... how many vendors/brands of e
Re: (Score:2)
See my reply to LordLimecat above.
All machines get a barcode that let us pull up every component that went in, vendors, dates of installation and who touched what. For memory, I think we have 3 different vendors. Mobos are usually Asus and Supermicro with one or two Tyan. HDs are Samsung and WD with a couple more for SSDs that are special cases. Speaking of cases, we have Supermicro again and NORCO (for storage) primarily with a few Antec cases here and there.
L3 switches are Cisco and Netgear, L2 is Netgear
Re: (Score:2)
Let me guess, the Cisco Switches are the Small Business Series, right?
Hey, the Cisco Small Business stuff isn't all that bad... At least the older stuff from a few years ago is OK. Where I admit the Cisco/Netgear hardware suffers from a higher failure rate, you can easily buy two of them for every main line Cisco switch and have some change left over. Now I'm not saying they are *easier* to configure, but most of us don't make a habit of changing switch configurations all the time.
Re: (Score:2)
Whether it's your brand of switch, motherboard or even memory, never have the same across all machines if you can help it. The only time I'd recommend the same brand would be hard drives (due to concurrency issues), but then at least try go get them from different batches.
...and then along comes something like the Seagate 7200.11 firmware bug from a few years back, which caused all drives of several related models to self-brick after a period of time.
Re: (Score:2)
Re:This is why the equipment should be heterogeneo (Score:5, Insightful)
the drivers are certified to work
LOL this is a firmware bug, you can lock up the hardware even with no OS booted. Hilarious.
and you get real support
Yeah I love being told to reinstall windows on my linux boxes. Those guys sure are helpful !
Re: (Score:2, Interesting)
"No reason" (Score:2)
They have no reason to support something they didn't ship.
They shipped you hardware. Therefore they need to support THE HARDWARE.
Re: (Score:2)
They have no reason to support something not in an SLA. What they support is only loosely related to what they shipped you.
Re: (Score:2, Informative)
You will have to update the kernel, though. The linux e1000 and e1000e drivers have a fuckload of hardware bug workarounds, and the ASPM thing did hit some people recently. You *must* have ASPM L0s and L1 disabled on the Intel NIC *and* its parent PCIe bridge, and the kernel driver usually will only be able to disable it on the NIC itself, if the BIOS is crap and leaves ASPM L0s or L1 enabled on the bridge or has a crap NIC eeprom image that causes issue with 128b/256b maximum PCIe packet (this one can be
Re: (Score:1)
There is a big difference between corporate support and customer support.
Apparently you never worked in corporate environment. If the problem can't be resolved by phone, HP, Lenovo, hell even Dell would send a technicien on site.
Re: (Score:2)
Re: (Score:1)
It typically took less than five minutes on the phone with a knowledgeable techie before they escalated and sent us an engineer. Usually the parts and engineer would arrive within two hours.
Dell consumer support might be shite, but their business support is bloody good.
Re: (Score:2)
Same here with HP. Technician driving 250 km through the Black Forest and heavy traffic, there in 3 hours.
And we were an NGO with one server only.
Re: (Score:2)
Re: (Score:2)
Since no OS is grabbing the data from the buffer how do you plan on shifting the bytes through it in order to trigger the flaw? While it is not entirely outside the realm of possibility, it is unlikely this bug would be exposed without a driver on the host interacting with chipset and putting the firmware through its paces.
Re:This is why the equipment should be heterogeneo (Score:5, Insightful)
or just buy premade servers from dell or HP. they aren't that much more expensive, the drivers are certified to work and you get real support
...and you're guaranteed that every shipment will have radically different hardware, despite having identical model numbers.
Re: (Score:1)
or just buy premade servers from dell or HP. they aren't that much more expensive, the drivers are certified to work and you get real support
...and you're guaranteed that every shipment will have radically different hardware, despite having identical model numbers.
Sad but true. It makes it a PITA when dealing with disk images from one server to another.
Re: (Score:2)
Bought a lot of HP and Dell hardware, never seen this happen. What server models and what hardware ?
Re: (Score:1)
You do realize both HP and Dell commonly come with the very Intel NICs being discussed here, don't you?
So for not much more expensive you get the same failures, the drivers are certified but still fail, and the real support clearly never detected or patched this problem. Yeay?
QOTD (Score:5, Funny)
``Life is too short to be spent debugging Intel parts.''
-- Van Jacobson
Re:QOTD (Score:5, Funny)
Maybe that was what the guys at Intel thought.
Re:Three Strikes... I'll Pass (Score:5, Informative)
oh I think this is at least slightly interesting. I remember the "ping of death" (and pissing off a few windows heads in my sights) back in 'th day.
This is basically a DoS attack on hardware. The fact that it can get through someone's firewall makes it a bit more effective. Having your ethernet port check out every five minutes (requiring a reboot to fix) just because someone down the hall (or in Bulgaria) wants to be an ass is definitely annoying and something I'd like to know is a possibility when troubleshooting screwy network problems.
I just got done swapping out a gigabit switch that was being wonky and slow for no obvious reason. I don't mind so much when hardware keels over and dies, but when it throws symptoms that don't immediately suggest where the problem is, those are the real time wasters. And we've come to rely on hardware generally being more reliable than software. So if my ethernet was going out when I VOIP'ed, I might have spent (wasted) a lot of my time troubleshooting the VOIP software.
MAC address take-down (Score:4, Interesting)
A number of years ago I discovered that you can take down many routers, and Windows / Linux hosts by sending an ARP response that says "IP 0.0.0.0 is at MAC FF:FF:FF:FF:FF:FF". When you direct this packet to the access point in a wireless network, this makes the SSID broadcast disappear and the whole device go down. Never posted this until now, I wonder if this still works on modern devices.
Re:Three Strikes... I'll Pass (Score:4, Insightful)
To a PHB everything might be hardware. To a HDD maker HDDs aren't hardware, same for CPU makers and their CPUs.
Re:Three Strikes... I'll Pass (Score:5, Insightful)
PAM SLAM? (Score:2)
Wasn't there an old program (Nuke 'em on the Mac I think), that would send out-of-band data (whatever that was), and it would crash the TCP/IP stack on Windows NT 3.51? There was another program on Linux called Pam Slam or something like that, that would also bring down NT servers... Very popular in the early days of the web to bring down your competitor's website.
Re: (Score:1)
Other NIC models (Score:2)
I would be curious to know if other versions like the Intel 82576 have the same vulnerability. Maybe we should crowd source this and people can post what they've tested with and received the same behavior.
Re: (Score:1)
FWIW, the 82580 doesn't seem to have this problem (that, or we have up-to-date EEPROMs that fix the issue...)
Re: (Score:3)
Nice debugging (Score:5, Interesting)
I for one definitely appreciate the diligence of Kristian Kielhofner. Many years ago I was supporting a medium-sized hospital whose flat network kept having intermittent issues (and we all know intermittent issues are the worst to hunt down and resolve). Fortunately I was on-site that day and at the top of my game and after doing some ethereal sleuthing (what wireshark was called at the time), I happened to discover a NIC that was spitting out bad LLC frames. Doing some port tracking in the switches we were able to isolate which port it was on which happened to be at their campus across the street. Of all possible systems, the offending NIC was in their PACS. After pulling the PACS off the network for a while the problem went away and we had to get the vendor to replace the hardware.
Counterfeit Intel NIC? Apparently not. (Score:5, Interesting)
Some years ago I had been diagnosing similar server NIC issues, and after many hours digging, Intel was able to determine the fault was due to the four-port server NIC being counterfeit. Damn good looking counterfeit part! I couldn't tell the difference between a real Intel NIC and counterfeit in front of me. Only with Intel's document specifying the very minor outward differences between a real and known counterfeit could I tell them apart.
Intel NIC debugging step #1 = verify it's a real Intel NIC!
Re:Counterfeit Intel NIC? Apparently not. (Score:5, Insightful)
It's just an Intel support strategy. Release NICs with random and minor outward differences. When you have a support issue, say that it is counterfeit. Really cuts support costs!
Re: (Score:2)
say that it is counterfeit. Really cuts support costs!
Also cuts sales volume. If someone tells me there are lots of counterfeits that look almost like original, I'd stop buying.
That's crazy stuff (Score:2)
Re: (Score:2)
Maybe this is a sign that their QA is starting to slip?
It wouldn't surprise me (but the problem may go well beyond Intel). Of the three motherboards that have ever failed on me over 30+ years, two were Intel (a D101GGC and a DG43NB). Neither of them were ever run from crap PSUs, and both had blown capacitors. Even weirder, the caps were all from respected capacitor firms (Nippon Chemi-Con on the DG43NB and Matsushita on the D101GGC). I guess it's a Good Thing that Intel is exiting the motherboard business.
The third board that failed was an Abit KT7-RAID... one
Re: (Score:2)
seem still stable to me...good linux drivers (Score:2)
I've worked a fair bit with the latest 1-Gig and 10-Gig parts (i350 and 82599). They seem pretty decent and stable, good enough for telecom use, though like all chips they do have a list of errata.
The developers are fairly active about updating the linux drivers in the core kernel as well as on sourceforge. The new chips (the 10-gig one especially) are very flexible but this means the drivers are getting a lot more complex than they used to be. (The programming manual for the 82599 is 900 pages.)
Really?!?! (Score:4, Funny)
previous less lethal but similar tg3 bug (Score:1)
I ran into a tg3 bug where as the tg3 firmware took the byte value that it expected for a destination port number and redirected the udp packets with that value at that location to the BMC/SMDC/ipmi card (as designed). The issue was that the firmware did not appear to understand that a UDP datagram could be up to 64k so up to 40 1500byte packets and was always looks for the destination port on all packets (not just the first as it should have been) so if the data in the packet matched the expectations tho
Is this a bug? Maybe not (Score:2)
Triggering some monitor mode? (Score:2)
Disable Power Management (Score:1)
Packet captures (Score:2)
I started stopping the packet captures as soon as the interface dropped
Yes, that's usually when my packet captures stop, too.
ibtimes.co.uk website fix (Score:2)
ibtimes.co.uk##.ibt_con_artaux.f_rht
ibtimes.co.uk###bg_header
ibtimes.co.uk##.fb-like.fb_edge_widget_with_comment.fb_iframe_widget
ibtimes.co.uk##.twitter-follow-button.twitter-follow-button
ibtimes.co.uk##IMG[style="border:0;width:20px;height:20px; margin-top:-10px;"]
ibtimes.co.uk###scrollbox
ibtimes.co.uk###taboola-grid-3x2
ibtimes.co.uk##.f_lft.morebox
ibtimes.co.uk###wrap_bottom
ibtimes.co.uk##.bk_basic.bk_disqus
The offending packet (Score:1)
Re:Online Income (Score:5, Funny)
http://www.cloud65.com/ [cloud65.com] just as Marcus answered I didnt know that a mother can profit $8765 in four weeks on the computer. did you read this webpage
I think the NIC packet of death might be just what you need.
Re: (Score:2)
Re:Online Income (Score:5, Funny)
Listen here my friend, has anyone really been far even as decided to use even go want to do look more like?
Re: (Score:1)
Re: (Score:2)
I see that beautiful 4chan meme lives.
Your post made my day.
Re:This was fixed years ago (Score:5, Insightful)
That's not the same bug. I'd explain, but that's what you get for saying "I wish this guy had done his homework."
Re: (Score:3)
The ubuntu bug had to do with bad drivers and / or firmware; when the affected distro was installed on a computer with the affected NIC (which was the completely different e1000), it would render that NIC unusable, even afterreboots.
This bug appears to be triggered by receiving a crafted packet, remotely, and is fixable with a reboot. It also affects a different nic.
Re: (Score:2)
According to TFA (I know, WTF, I actually read TFA?), a reboot does not fix this problem, but a power cycle does.
Re: (Score:2)
I wish this guy had done his homework. This was fixed a long time ago:
http://blogs.computerworld.com/when_linux_does_well_the_e1000e_ethernet_bug_fixed [computerworld.com]
I am amazed that you got a patched e1000 driver working with a 82574L based piece of hardware... mighty impressive hacking! You should have written up a report on how you managed it for the rest of us to study as homework.
Re: (Score:3, Insightful)
And where do I get this mythical "firmware update" for the NIC CHIP? I'm sure the chip has code in it, but I've never even heard of a utility from Intel to update the in-chip code in a nic. (it's called "microcode", not firmware)
likely talking about the NVRAM on the NIC (Score:2)
When the NIC powers up the first thing it does is load a bunch of default settings from a chunk of nonvolatile memory (also sometimes called the EEPROM).
You can reprogram the EEPROM using tools from the vendor, or if the driver supports it you can do it under Linux using ethtool.