MAC Address Flooding – MAC address table overflow attacks

MAC address flooding attack is very common security attack. MAC address table in the switch has the MAC addresses available on a given physical port of a switch and the associated VLAN parameters for each.

MAC flooding attacks are sometimes called MAC address table overflow attacks. To understand the mechanism of a MAC address table overflow attack we must recall how does a switch work in the first place.

Switch before attack

When switch receives a frame, he looks in the MAC address table (sometimes called CAM table) for the destination MAC address. Cisco Catalyst switch models use a MAC address table for Layer 2 switching. When frames arrive on switch ports, the source MAC addresses are learned from Layer 2 packet header and recorded in the MAC address table. If the switch has already learned the MAC address of the computer connected to his particular port then an entry exists for the MAC address. In this case the switch forwards the frame to the MAC address port designated in the MAC address table. If the MAC address does not exist, the switch acts like a hub and forwards the frame out every other port on the switch while learning the MAC for next time.

Switch as hub empty mac address table
Picture 1 – Switch acts as hub with empty mac address table

Computer A sends traffic to computer B. The switch receives the frames and looks up the destination MAC address in its MAC address table. If the switch does not have the destination MAC in the MAC address table, the switch then copies the frame and sends it out every switch port like a broadcast. This means that not only PC B receives the frame, PC C also receives the frame from host A to host B, but because the destination MAC address of that frame is host B, host C drops that frame.

Switch learning mac address - populating table
Picture 2 – Switch learns mac address from source MAC address in the layer 2 headers from frames – switch is populating his mac table

Normal switch function

PC B receives the frame and sends a reply to PC A. The switch then learns that the MAC address for PC B is located on port 2 and writes that information into the MAC address table. From now on any frame sent by host A (or any other host) to host B is forwarded to port 2 of the switch and not broadcast out every port. The switch is working like it should. This is the main goal of switch functionality, to have separate collision domain for each port on the switch.

Switch acts like switch - mac address table complete
Picture 3 – When the switch learns about all MAC addresses on his different ports switch acts like switch – mac address table complete

Attack

But this is where the attacker is coming into play. The key to understanding how MAC address table overflow attacks work is to know that MAC address tables are limited in size. MAC flooding makes use of this limitation to send to the switch a whole bunch of fake source MAC addresses until the switch MAC address table is fully loaded and can not save any more MAC address – Port mapping entries. The switch then enters into a fail-open mode that means that it starts acting as a hub. In this situation switch will broadcasts all received packets to all the machines on the network. As a result, the attacker (in our case “PC C”) can see all the frames sent from a victim host to another host without a MAC address table entry.

 

Beginning of the Switch Mac flooding attack
Picture 4 – Switch Mac flooding attack will populate the entire mac address table with bogus mac addresses

In this case, an attacker will use legitimate tools for malicious actions. The figure shows how an attacker can use the normal operating characteristics of the switch to stop the switch from operating.

Let’s get into more detail about filling up the MAC address table. To do this attacker uses network attack tools for MAC. The network intruder uses the attack tool to flood the switch with a large number of invalid source MAC addresses until the MAC address table fills up. When the MAC address table is full, the switch floods all ports with incoming traffic because it cannot find the port number for a particular MAC address in the MAC address table. The switch, in essence, acts like a hub.

Network attack tools are generating about 160,000 MAC entries on a switch per minute. Depending on the type of switch, the MAC address table size can be different but is always vulnerable to the flood attack. Sooner or later the table will be filled up. In the picture, the attack tool is running on the host with MAC address C. This tool floods a switch with frames that contain random bogus source and destination MAC and IP addresses. The attacker will need just a little bit of time for the MAC address table to fill up. In this moment it cannot accept new entries. When the MAC address table fills up with invalid source MAC addresses, the switch begins to send all frames that it receives to every port.

Switch mac address table full of bogus mac addresses acts like a hub
Pictures 5 – Switch mac address table full of bogus mac addresses acts like a hub and is vulnerable to frames sniffing.

As long as the network attack tool is running, the MAC address table on the switch remains full. When this happens, the switch begins to broadcast all received frames out every port so that frames sent from host A to host B are also broadcast out of port 3 on the switch and the attacker can sniff them.

 

3 Comments

  1. Faizan November 1, 2014
  2. b1naryb0y August 1, 2015
  3. Ashely September 24, 2020

Leave a Reply