Availability Attacks Without an Adversary: Evidence from Enterprise LANs
Denial-of-Service (DoS) conditions in enterprise networks are commonly attributed to malicious actors. However, availability can also be compromised by benign, non-malicious insider behavior. This paper presents an empirical study of a production enterprise LAN that demonstrates how routine docking and undocking of user endpoints repeatedly trigger rapid recalculations of the control plane of the Rapid Spanning Tree Protocol (RSTP) [1]. Although protocol-compliant and non-malicious, these events introduce transient forwarding disruptions of approximately 2-4 seconds that degrade real-time streaming (voice and video) services while remaining largely undetected by conventional security monitoring. We map this phenomenon to the NIST and MITRE insider threat frameworks, characterizing it as an unintentional insider-driven availability breach, and demonstrate that explicit edge-port configuration effectively mitigates the condition without compromising loop prevention.
💡 Research Summary
The paper “Availability Attacks Without an Adversary: Evidence from Enterprise LANs” investigates a subtle, non‑malicious source of denial‑of‑service (DoS) conditions in corporate networks. The authors observed that routine docking and undocking of employee laptops at USB‑C docking stations repeatedly cause physical link up/down events on access‑layer ports. Because the docking stations implement internal switching, the enterprise switches (Cisco Meraki MS250) interpret them as intermediate Layer‑2 devices rather than simple hosts. This triggers Rapid Spanning Tree Protocol (RSTP) recalculations each time a port transitions, generating topology‑change notifications and temporary port‑role changes.
RSTP, standardized by IEEE 802.1w, is designed for fast convergence (typically a few seconds) under the assumption that topology changes are rare and usually caused by failures or deliberate administrative actions. In the studied multi‑branch enterprise, all access ports belong to a single VLAN and participate in one global RSTP instance. The authors collected switch logs (port state transitions, TCNs, RSTP events) and correlated them with user activity records over several business days. Their measurements show that each docking/undocking event introduces a forwarding interruption lasting between 2 and 4 seconds (average ≈ 2.3 s). During these interruptions, real‑time applications such as VoIP calls and video conferences experience audible clipping, video freezes, and session renegotiations—symptoms that are readily perceived by end users but are not flagged by conventional security monitoring tools.
From a security perspective, the authors argue that intent is irrelevant to the classification of a security incident under NIST SP 800‑61, which treats any significant availability degradation as an incident. They map the phenomenon to three established frameworks: (1) NIST’s insider‑threat taxonomy as an “Accidental Insider,” (2) MITRE ATT&CK’s impact tactic “Denial of Service” (TA0040), and (3) the STRIDE model’s “Denial of Service” category. This mapping demonstrates that a benign insider can effectively launch a low‑rate internal DoS attack simply by performing normal work‑related actions.
The mitigation strategy proposed is straightforward: configure all edge ports with a PortFast‑like setting (or the equivalent on Meraki devices) so that they are treated as host‑only interfaces and excluded from spanning‑tree calculations. After applying this configuration in the same environment, the authors observed that docking/undocking no longer generated RSTP topology changes, and the transient forwarding disruptions vanished. Importantly, this change does not compromise loop‑prevention guarantees because the ports remain in a “forwarding” state but are no longer considered for root‑bridge election or path selection.
The paper contributes (1) the first empirical evidence that routine user behavior can repeatedly trigger Layer‑2 control‑plane activity in a production network, (2) a quantitative assessment of the impact on real‑time services, (3) a formal alignment of the observed phenomenon with major insider‑threat frameworks, (4) identification of a design mismatch between legacy spanning‑tree assumptions and modern dynamic workstations, and (5) a low‑cost, operationally simple mitigation. The discussion highlights broader implications: many enterprises rely on default RSTP settings that assume static topologies, and security monitoring tools often overlook short, protocol‑compliant disruptions. Future work is suggested to evaluate other spanning‑tree variants (MSTP, RPVST+), different switch vendors, and automated detection mechanisms that flag frequent topology changes originating from host ports. In conclusion, the study reveals a previously under‑recognized class of “availability attacks without an adversary” and demonstrates that a modest configuration change can effectively safeguard critical real‑time communications in modern, flexible office environments.
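The automated detection the paper leaves to future work can be prototyped from switch logs: correlate link up/down events with topology-change notifications per port and flag host-facing ports that keep originating TCNs. This is an added example, not code from the paper; the syslog-style line format, the switch name and port numbers are constructed, and the "tcn"/"forwarding" event keywords are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the paper; format assumed). Port 12
# is a dock-facing access port that flaps twice; port 7 has one plain link-up.
SAMPLE_LOG = """\
2024-03-04T09:01:10 sw1 port 12 link down
2024-03-04T09:01:14 sw1 port 12 link up
2024-03-04T09:01:14 sw1 port 12 tcn
2024-03-04T09:01:17 sw1 port 12 forwarding
2024-03-04T10:30:02 sw1 port 12 link down
2024-03-04T10:30:05 sw1 port 12 link up
2024-03-04T10:30:05 sw1 port 12 tcn
2024-03-04T10:30:07 sw1 port 12 forwarding
2024-03-04T11:00:00 sw1 port 7 link up
2024-03-04T11:00:01 sw1 port 7 forwarding
"""
LINE = re.compile(r"^(\S+) (\S+) port (\d+) (link down|link up|tcn|forwarding)$")

def parse_log(text):
    """Return (timestamp, switch, port, event) tuples in time order."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, sw, port, kind = m.groups()
            events.append((datetime.fromisoformat(ts), sw, int(port), kind))
    events.sort(key=lambda e: e[0])  # stable sort keeps log order within a second
    return events

def summarize(events):
    """Per (switch, port): TCNs originated and link-up -> forwarding gaps in seconds."""
    stats = defaultdict(lambda: {"tcn": 0, "gaps": []})
    pending = {}  # (switch, port) -> time of the most recent link up
    for ts, sw, port, kind in events:
        key = (sw, port)
        if kind == "tcn":
            stats[key]["tcn"] += 1
        elif kind == "link up":
            pending[key] = ts
        elif kind == "forwarding" and key in pending:
            stats[key]["gaps"].append((ts - pending.pop(key)).total_seconds())
    return dict(stats)

def flag_ports(stats, min_tcn=2):
    """Access ports that originated >= min_tcn TCNs: review them for edge-port config."""
    return sorted(key for key, v in stats.items() if v["tcn"] >= min_tcn)
```

The recorded gaps are the per-event forwarding interruption the paper measures; a port that appears in `flag_ports` while carrying a single host is the configuration mismatch the mitigation addresses.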