6.6 MAC Address Table Attack
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28
MAC Address Table Attack
Switch Operation Review
Recall that to make forwarding decisions, a Layer 2 LAN switch builds a table from the
source MAC addresses in received frames, recording which port each address was seen on. This is
called the MAC address table. The table is kept in memory (the CAM) so that a frame whose destination
MAC is in the table can be sent out the single matching port; a frame whose destination is not in the
table (an unknown unicast) is flooded out every other port in the same VLAN.
MAC Address Table Flooding
All MAC address tables have a fixed size, so a switch can run out of space in which to store
MAC addresses. A MAC address flooding attack takes advantage of this limit by bombarding the
switch with frames carrying bogus source MAC addresses until the MAC address table is full.
Once the table is full, the switch can no longer learn the source address of any new host. Any
frame whose destination is not in the table is then treated as an unknown unicast and flooded
out all ports in the same VLAN (except the port it arrived on), including the attacker's port.
Existing entries are not evicted, but they age out when a host goes quiet (300 seconds by default
on Catalyst switches) and cannot be relearned while the table stays full, so the attacker keeps
flooding to hold the table full. This lets the threat actor capture frames sent from one host to
another on the local LAN or local VLAN.
Note: Traffic is flooded only within the local LAN or VLAN. The threat actor can only capture traffic
within the local LAN or VLAN to which the threat actor is connected.
MAC Address Table Attack Mitigation
What makes tools such as macof so dangerous is how quickly they can overflow a MAC address
table. For instance, a Catalyst 6500 switch can store 132,000 MAC addresses in its MAC address
table, and macof can send up to 8,000 bogus frames per second, so the table can be filled in a
matter of seconds.
These tools are also dangerous because they do not only affect the local switch; they can affect
other connected Layer 2 switches as well. Each bogus frame has an unknown destination, so the
local switch floods it out all ports, including trunk ports to neighbouring switches, and when
its own table is full it floods legitimate traffic the same way. The neighbouring switches learn
the bogus source addresses too, and their tables fill up in turn.
To mitigate MAC address table overflow attacks, network administrators must implement
port security. Port security limits the number of source MAC addresses that can be learned on a
port and takes a configured violation action (for example, shutting the port down) when that
limit is exceeded. Port security is further discussed in another module.
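The mechanism described across the three slides above, as an added example that is not part of the Cisco course material: a toy Python model of a switch with a fixed-size MAC table, entry aging, unknown-unicast flooding, and an optional per-port learn limit in the style of port security with violation mode shutdown. Port names, the table capacity, the aging time, the frame sequence and the MAC addresses (from the RFC 7042 documentation range and a locally administered range) are all constructed for the demo. It shows what the slides leave implicit: hosts already in the table keep being switched normally until their entries age out, at which point the attacker's flood prevents relearning and the victim's traffic is flooded to the attacker's port; with a learn limit on the attacker's port, that port is err-disabled after the third bogus address and never receives the flooded frame.

```python
"""Toy Layer 2 switch: fixed-size MAC table, aging, unknown-unicast flooding,
and a per-port learn limit modelled on port security (violation shutdown).

Added example, not code from the Cisco course. Ports, table size, aging time
and MAC addresses are constructed for the demonstration.
"""
import itertools

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports, table_size, aging=300, port_max=None):
        self.ports = list(ports)
        self.table_size = table_size        # fixed number of MAC table entries
        self.aging = aging                  # seconds before an idle entry is removed
        self.port_max = port_max            # port-security maximum per port; None = off
        self.mac_table = {}                 # mac -> (port, last_seen)
        self.secure_macs = {p: set() for p in ports}
        self.err_disabled = set()
        self.flood_count = 0                # frames flooded as unknown unicast/broadcast

    def _age_out(self, now):
        """Drop entries that have not been refreshed within the aging time."""
        stale = [m for m, (_, seen) in self.mac_table.items() if seen + self.aging <= now]
        for m in stale:
            del self.mac_table[m]

    def _learn(self, src, port, now):
        """Record src on port; return False if it cannot be learned."""
        if src in self.mac_table:
            self.mac_table[src] = (port, now)           # refresh aging timer
            return True
        if self.port_max is not None and src not in self.secure_macs[port]:
            if len(self.secure_macs[port]) >= self.port_max:
                self.err_disabled.add(port)             # violation mode shutdown
                return False
            self.secure_macs[port].add(src)
        if len(self.mac_table) >= self.table_size:
            return False                                # table full: nothing learned
        self.mac_table[src] = (port, now)
        return True

    def forward(self, src, dst, in_port, now):
        """Process one frame and return the set of egress ports."""
        if in_port in self.err_disabled:
            return set()                                # port is down, frame dropped
        self._age_out(now)
        self._learn(src, in_port, now)
        if in_port in self.err_disabled:                # this frame caused the violation
            return set()
        entry = self.mac_table.get(dst)
        if entry is None or dst == BROADCAST:
            # Unknown unicast or broadcast: flood out every other active port.
            self.flood_count += 1
            return {p for p in self.ports if p != in_port and p not in self.err_disabled}
        out_port = entry[0]
        return {out_port} if out_port != in_port else set()


def bogus_mac(i):
    """Unique locally administered MAC for bogus frame number i (constructed)."""
    return "02:00:00:{:02x}:{:02x}:{:02x}".format((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)


def run_scenario(port_max=None):
    """Hosts A and B talk, an attacker floods from Gi0/3, then B's entry ages out."""
    sw = Switch(["Gi0/1", "Gi0/2", "Gi0/3"], table_size=1000, port_max=port_max)
    host_a, host_b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
    counter = itertools.count()

    def attacker_burst(now, count=1500):
        # macof-style: every frame has a fresh bogus source and an unknown destination
        for _ in range(count):
            i = next(counter)
            sw.forward(bogus_mac(i), bogus_mac(i + 1_000_000), "Gi0/3", now)

    result = {}
    sw.forward(host_a, host_b, "Gi0/1", now=0)          # B unknown yet: flooded once
    sw.forward(host_b, host_a, "Gi0/2", now=0)          # both hosts now learned
    attacker_burst(now=1)
    result["table_after_burst"] = len(sw.mac_table)
    result["a_to_b_before_aging"] = sw.forward(host_a, host_b, "Gi0/1", now=10)
    attacker_burst(now=350)                             # B idle: its entry has aged out
    result["a_to_b_after_aging"] = sw.forward(host_a, host_b, "Gi0/1", now=400)
    result["gi0_3_err_disabled"] = "Gi0/3" in sw.err_disabled
    result["floods"] = sw.flood_count
    return result


if __name__ == "__main__":
    print("no port security:", run_scenario())
    print("port-security maximum 2:", run_scenario(port_max=2))
```

Without port security the final A-to-B frame goes out {Gi0/2, Gi0/3}, so the attacker on Gi0/3 sees it, and the table stays pinned at 1,000 entries; with a limit of two addresses on each port the attacker's port is err-disabled on its third bogus source, and the final frame reaches only Gi0/2. The real-world equivalents are `switchport port-security`, `switchport port-security maximum 2` and `switchport port-security violation shutdown` on an access interface, checked with `show port-security interface`, and `show mac address-table count` to watch table utilisation during an incident.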