MAC flooding
In computer networking, MAC flooding is a technique employed to compromise the security of network switches.

Switches maintain a CAM table that maps individual MAC addresses on the network to the physical ports on the switch. This allows the switch to direct data out of the physical port where the recipient is located, as opposed to indiscriminately broadcasting the data out of all ports as a hub does. The advantage of this method is that data is bridged exclusively to the network segment containing the computer that the data is specifically destined for.

In a typical MAC flooding attack, a switch is fed many Ethernet frames, each containing a different source MAC address, by the attacker. The intention is to consume the limited memory set aside in the switch to store the MAC address table.

The effect of this attack may vary across implementations; however, the effect desired by the attacker is for legitimate MAC addresses to be forced out of the MAC address table, causing significant quantities of incoming frames to be flooded out on all ports. It is from this flooding behavior that the MAC flooding attack gets its name, and it is this behavior which allows the MAC flooding attack to be used as more than a simple denial-of-service attack against the switching infrastructure.

After launching a successful MAC flooding attack, a malicious user could then use a packet analyzer to capture sensitive data being transmitted between other computers, which would not be accessible were the switch operating normally. The attacker may also follow up with an ARP spoofing attack, which will allow them to retain access to privileged data after switches recover from the initial MAC flooding attack.

Counter measures

To prevent MAC flooding attacks, network operators usually rely on the presence of one or more features in their network equipment:
  • With a feature often called "port security" by vendors, many advanced switches can be configured to limit the number of MAC addresses that can be learned on ports connected to end stations. A smaller table of "secure" MAC addresses is maintained in addition to (and as a subset to) the traditional "MAC address table."

  • Many vendors allow discovered MAC addresses to be authenticated against an authentication, authorization and accounting (AAA) server and subsequently filtered.

  • Implementations of IEEE 802.1X suites often allow packet filtering rules to be installed explicitly by an AAA server based on dynamically learned information about clients, including the MAC address.

  • Security features to prevent ARP spoofing or IP address spoofing may in some cases also perform additional MAC address filtering on unicast packets; however, this is an implementation-dependent side-effect.

  • Additional security measures are sometimes applied along with the above to prevent normal unicast flooding for unknown MAC addresses. This feature usually relies on the "port security" feature to retain all "secure" MAC addresses for at least as long as they remain in the ARP table of layer 3 devices. Hence, the aging time of learned "secure" MAC addresses is separately adjustable. This feature prevents packets from flooding under normal operational circumstances, as well as mitigating the effects of a MAC flood attack.
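The following is an added example, not part of the article: a small Python model of the switch behaviour described above (a bounded MAC address table, eviction once it is full, and unknown-unicast flooding out of every port) together with the "port security" countermeasure from the list above (a per-port cap on learned addresses). All MAC addresses, port names, the table capacity and the LRU eviction policy are constructed assumptions for the simulation; real switches age entries out on a timer and, as the article notes, behaviour varies across implementations. Nothing here touches a network interface.

```python
"""Toy model of a switch MAC address (CAM) table under MAC flooding.

Added example (not from the article). It shows why exhausting the table
turns a switch into a hub for the victims' traffic, and how a per-port
learned-address limit ("port security") bounds the damage. All addresses,
ports and sizes are constructed; eviction is LRU for simplicity.
"""
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Frame:
    src: str      # source MAC (locally administered 02:... addresses, constructed)
    dst: str      # destination MAC
    in_port: str  # port the frame arrived on


@dataclass
class Switch:
    ports: List[str]
    cam_capacity: int                       # how many MAC->port entries fit in the table
    port_security_max: Optional[int] = None # per-port learned-address cap; None = disabled
    cam: "OrderedDict[str, str]" = field(default_factory=OrderedDict)  # MAC -> port, LRU order
    learned_per_port: Dict[str, int] = field(default_factory=dict)
    violations: Dict[str, int] = field(default_factory=dict)
    evictions: int = 0

    def _learn(self, mac: str, port: str) -> bool:
        """Learn src MAC on port. Returns False if port security rejects it."""
        if mac in self.cam:
            self.cam.move_to_end(mac)  # refresh the entry's age
            return True
        if self.port_security_max is not None and \
                self.learned_per_port.get(port, 0) >= self.port_security_max:
            self.violations[port] = self.violations.get(port, 0) + 1
            return False  # port has reached its "secure" address limit
        if len(self.cam) >= self.cam_capacity:
            _old_mac, old_port = self.cam.popitem(last=False)  # evict the oldest entry
            self.learned_per_port[old_port] -= 1
            self.evictions += 1
        self.cam[mac] = port
        self.learned_per_port[port] = self.learned_per_port.get(port, 0) + 1
        return True

    def forward(self, frame: Frame) -> List[str]:
        """Return the ports the frame is sent out of ([] if dropped)."""
        if not self._learn(frame.src, frame.in_port):
            return []
        out = self.cam.get(frame.dst)
        if out is None:
            # unknown destination: flood to every port except the ingress one
            return [p for p in self.ports if p != frame.in_port]
        return [out]


def run_scenario(port_security_max: Optional[int] = None, bogus_count: int = 50) -> dict:
    """Two hosts talk normally, then a third port floods bogus source MACs."""
    sw = Switch(ports=["p1", "p2", "p3"], cam_capacity=8,
                port_security_max=port_security_max)
    alice, bob = "02:00:00:00:00:0a", "02:00:00:00:00:0b"  # constructed hosts
    sw.forward(Frame(alice, bob, "p1"))
    sw.forward(Frame(bob, alice, "p2"))
    before = sw.forward(Frame(alice, bob, "p1"))  # known destination: ["p2"] only
    # Table-exhaustion traffic on p3: many frames, each with a new constructed source MAC.
    for i in range(bogus_count):
        src = f"02:ff:00:00:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"
        sw.forward(Frame(src, "02:ee:00:00:00:01", "p3"))
    after = sw.forward(Frame(alice, bob, "p1"))  # is bob still known, or flooded to p3 too?
    return {
        "before_flood_ports": before,
        "alice_to_bob_ports": after,
        "evictions": sw.evictions,
        "violations_on_p3": sw.violations.get("p3", 0),
        "cam_size": len(sw.cam),
    }


if __name__ == "__main__":
    print("no port security:", run_scenario())
    print("port security max=2:", run_scenario(port_security_max=2))
```

Without the cap, the bogus addresses push Alice's and Bob's entries out of the 8-entry table and Alice's next frame to Bob is flooded to p3 as well; with the cap set to 2 addresses per port, p3 learns two entries, the remaining frames are counted as violations and dropped, and Alice's traffic keeps going to p2 only. The `violations` counter is also the natural thing to alert on, since a burst of violations on one edge port is exactly what this attack looks like from the switch's side.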
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.