Switches maintain a MAC Table that maps individual MAC addresses on the network to the physical ports on the switch. When switch receives a frame, the switch looks in the MAC address table (sometimes called CAM table) for the destination MAC address. In computer networking, MAC flooding is a technique employed to compromise the security of network switches. I am performing this tutorial for the sake of penetration testing, hacking to become more secure, and are using our own test network and router. Important notice: Hacking into anyone’s network without permission is considered an illegal act or crime in most countries.
One way to mitigate MAC address table overflow attacks is to configure port security.Mac-Address Flooding and DHCP Starvation Attack and How to prevent it. In this example, frames sent from host A to host B are also broadcast out of port 3 on the switch and seen by the attacker at host C. Depending on the switch, the maximum MAC address table size varies.Īs shown in Figure 5, as long as the MAC address table on the switch remains full, the switch broadcasts all received frames out of every port. Some network attack tools can generate up to 155,000 MAC entries on a switch per minute. As a result, the attacker can see all of the frames. In this mode, the switch broadcasts all frames to all machines on the network.
When the MAC address table is full of fake MAC addresses, the switch enters into what is known as fail-open mode. The switch updates the MAC address table with the information in the fake frames. MAC flooding attacks make use of this limitation to overwhelm the switch with fake source MAC addresses until the switch MAC address table is full.Īs shown in Figure 4, an attacker at host C can send frames with fake, randomly-generated source and destination MAC addresses to the switch. Host C also receives the frame from host A to host B, but because the destination MAC address of that frame is host B, host C drops that frame.Īs shown in Figure 3, any frame sent by host A (or any other host) to host B is forwarded to port 2 of the switch and not broadcast out every port. The switch then learns that the MAC address for host B is located on port 2 and records that information into the MAC address table. In Figure 2, host B receives the frame and sends a reply to host A. If the switch cannot find the destination MAC in the MAC address table, the switch then copies the frame and floods (broadcasts) it out of every switch port, except the port where it was received. The switch receives the frames and looks up the destination MAC address in its MAC address table. In Figure 1, host A sends traffic to host B.
The figures show how this type of attack works. MAC address table overflow attacks are sometimes referred to as MAC flooding attacks, and CAM table overflow attacks. This type of attack is called a MAC address table overflow attack. The MAC address flooding behavior of a switch for unknown addresses can be used to attack a switch. If the MAC address does not exist in the MAC address table, the switch floods the frame out of every port on the switch, except the port where the frame was received. If an entry exists for the MAC address, the switch forwards the frame to the correct port. As frames arrive on switch ports, the source MAC addresses are recorded in the MAC address table. All Catalyst switch models use a MAC address table for Layer 2 switching. When a Layer 2 switch receives a frame, the switch looks in the MAC address table for the destination MAC address. The MAC address table in a switch contains the MAC addresses associated with each physical port and the associated VLAN for each port. More detailed information is found in the CCNA WAN Protocols course and the CCNA Security course.
Some types of security attacks are described here, but the details of how some of these attacks work are beyond the scope of this course. The more aware the team of networking professionals within an organization are regarding security attacks and the dangers they pose, the better.
Security is a layered process that is essentially never complete. Basic switch security does not stop malicious attacks.