Availability Attacks Without an Adversary: Evidence from Enterprise LANs

Abstract

Denial-of-Service (DoS) conditions in enterprise networks are commonly attributed to malicious actors. However, availability can also be compromised by benign non-malicious insider behavior. This paper presents an empirical study of a production enterprise LAN that demonstrates how routine docking and undocking of user endpoints repeatedly trigger rapid recalculations of the control plane of the Rapid Spanning Tree Protocol (RSTP) [1]. Although protocol-compliant and nonmalicious, these events introduce transient forwarding disruptions of approximately 2-4 seconds duration that degrade realtime streaming (voice and video) services while remaining largely undetected by conventional security monitoring. We map this phenomenon to the NIST and MITRE insider threat frameworks, characterizing it as an unintentional insider-driven availability breach, and demonstrate that explicit edge-port configuration effectively mitigates the condition without compromising loop prevention