CAM Table
NETWORK MONITORING AND DOCUMENTATION
AMMAN ARAB UNIVERSITY
FCSI – CYBER SECURITY DEPARTMENT
20212
DR. MOHAMMAD ALSHINWAN
What is a MAC Address?
A MAC address, or a Media Access Control address, is a network adapter's unique,
hardwired address.
Every network-enabled device has a network adapter, which has a MAC address.
A MAC address is the physical equivalent to an IP address, which is the network's
software address.
All devices on the same network subnet have different MAC addresses, and switches
store MAC addresses so they can decide which port to forward each frame out of.
What is Content-Addressable Memory (CAM)?
Content-addressable memory is also known as associative storage. It is a special type of
computer memory used in specific use cases.
Unlike RAM, which returns the data stored at a given address, CAM compares the search data
against a table of stored data and returns the address of any matching data.
CAM's most frequent use is in networking devices like routers and, most importantly for our
purposes, switches. In switches, CAM tables store the MAC addresses of the devices attached to
their ports.
MAC Address Forwarding
To figure out where a frame must be sent, the switch looks up its MAC address table.
This information can be configured statically on the switch, or the switch can learn it
automatically.
The switch listens to incoming frames and checks their source MAC addresses.
If the address is not in the table already, the MAC address, switch port, and VLAN get
recorded in the forwarding table.
The forwarding table is also called the CAM table.
What happens if the destination MAC address of the frame is unknown to the switch?
The switch then forwards the frame through all ports within a VLAN except the port the frame
was received on.
This is known as unknown unicast flooding. Broadcast and multicast traffic is destined for
multiple receivers, so it is flooded by default.
Ex.1:
1. The switch receives a frame on port 1.
2. The destination MAC address of the frame is 0000.0000.5555.
3. The switch looks up its forwarding table and finds that MAC address 0000.0000.5555 is
   recorded on port 5.
4. The switch then forwards the frame through port 5.
Ex.2:
1. The switch receives a broadcast frame on port 1.
2. The switch forwards the frame through all ports that are within the same VLAN, except
   port 1.
3. The frame was received on port 1, which is in VLAN 1; therefore, the frame is forwarded
   through all ports on the switch that belong to VLAN 1 (all ports except port 3).
What is a CAM Table Overflow Attack?
A CAM table overflow attack is a hostile act performed against a network switch in which a
flood of frames carrying bogus source MAC addresses is sent to the switch.
This flood causes the switch to drop the valid addresses it holds in its CAM table in an
attempt to make room for the bogus entries.
After that happens, the switch's default behavior is to flood frames that would normally
reach a single port out of all ports in the VLAN.
How Network Switches Work
A switch on a network inspects every frame that passes through it. This inspection is done not
only to make sure the data gets to where it's going, but so that responses to each frame can get
to the device that originated it.
When a frame enters the switch, the switch inspects it and memorizes the source MAC
address. It does that so that future forwarding can be done quickly and transparently. From
then on, when frames come in destined for a device the switch already has an address for, the
switch can take the frame, carry it across its backplane and deliver it only to that device's
port. The other ports never see those frames.
Imagine a switch with three ports of interest to us. Laptop A (Port #1) is looking to get to
Laptop B (Port #2). The switch has already stored their MAC addresses, so if a frame comes in
from port #1 destined for port #2, the switch can forward it directly and privately. But imagine
that there's an eavesdropper PC on port #3. That eavesdropper wants to see every single frame
and will need to trick the switch in order to get them.
Why Do CAM Overflow Attacks Work?
CAM overflow attacks work on the principle that switches can only memorize so many MAC
addresses. How many addresses a switch can memorize varies from switch to switch: maybe
3,000 to 6,000. Some switches might go higher than that, but they certainly cannot memorize
100,000 or 150,000. At some point, a switch runs out of space, and that is what a CAM overflow
attack exploits.
A switch's default behavior makes sense from a normal, healthy network operations perspective:
it drops old addresses in favor of new ones. After all, if it has been so long that 4,000 new MAC
addresses have come through the switch, the devices the old entries belonged to must be gone.
During a CAM table overflow attack, however, the new addresses are coming from a hostile actor.
If our eavesdropper wanted to launch an attack, he could send hundreds of thousands of frames,
all with random and bogus source MAC addresses, into the switch.
The eavesdropper leaves the attack running, and now, as the switch gets frames from Laptop A
for Laptop B, the switch has to make a hard decision. It does not know where Laptop B is, but it
has to forward the frame to it. The best the switch can do is flood the frame out of all ports
in the VLAN and hope that one of them leads to Laptop B.
What happens at that point is that Laptop A's frame goes not only to the intended port but to
all other active ports in the same VLAN. That means our eavesdropper can successfully "listen in"
on every frame the switch forwards in that VLAN.
Port Security
Port Security on a Cisco switch enables you to control how the switch port handles the learning
and storing of MAC addresses on a per-interface basis.
The main use of this feature is to set a limit on the maximum number of concurrent MAC
addresses that can be learned on, and allocated to, an individual switch port.
If a machine starts sending frames with many different source MAC addresses, in what appears to
be a CAM overflow attack, the default action of Port Security is to shut down the switch
interface; alternatively, you can configure the switch to keep the interface up and simply
discard any further Layer 2 frames received from the bogus MAC addresses.
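The following is an added example, not part of the original slides: a toy switch model with a bounded CAM table and a per-port Port Security limit that replays the forwarding slides (Ex.1 and Ex.2), the overflow scenario (Laptop A, Laptop B and the eavesdropper on port 3), and the effect of Port Security on it. Port numbers, MAC addresses, the table size of 8 and the assumption that port 3 sits in VLAN 2 in the slide examples are all constructed here.

```python
import random
BCAST = "ffff.ffff.ffff"

class Switch:
    """Toy model: bounded CAM table keyed by (VLAN, MAC), optional Port Security."""
    def __init__(self, vlans, cam_size, max_macs_per_port=None):
        self.vlans = vlans                 # port -> VLAN id (constructed topology)
        self.cam_size = cam_size           # real switches hold thousands of entries
        self.max_macs = max_macs_per_port  # Port Security limit, None = disabled
        self.cam = {}                      # (vlan, mac) -> port, oldest entry first
        self.disabled = set()              # ports shut down by Port Security

    def receive(self, in_port, src, dst):
        """Return the ports the frame is sent out of (empty list = dropped)."""
        vlan = self.vlans[in_port]
        if in_port in self.disabled:
            return []
        # Port Security: a new MAC on a port that has hit its limit is a violation;
        # the default action, as on the slides, is to shut the interface down.
        if self.max_macs is not None and (vlan, src) not in self.cam:
            if sum(1 for p in self.cam.values() if p == in_port) >= self.max_macs:
                self.disabled.add(in_port)
                return []
        # Learn the source; a full table evicts its oldest entry, which is what a
        # CAM overflow relies on (real switches age entries out; simplified here).
        if (vlan, src) not in self.cam and len(self.cam) >= self.cam_size:
            del self.cam[next(iter(self.cam))]
        self.cam[(vlan, src)] = in_port
        # Known unicast goes to one port; unknown unicast and broadcast flood the VLAN.
        out = self.cam.get((vlan, dst))
        if out is not None and dst != BCAST:
            return [out]
        return [p for p, v in self.vlans.items() if v == vlan and p != in_port]

def slide_examples():
    """Ex.1 and Ex.2 from the slides; port 3 is assumed to sit in VLAN 2."""
    sw = Switch({1: 1, 2: 1, 3: 2, 4: 1, 5: 1}, cam_size=8)
    sw.receive(5, "0000.0000.5555", BCAST)            # host on port 5 is learned
    ex1 = sw.receive(1, "0000.0000.1111", "0000.0000.5555")
    ex2 = sw.receive(1, "0000.0000.1111", BCAST)
    return ex1, ex2                                   # ([5], [2, 4, 5])

def overflow_scenario(port_security):
    """A (port 1) talks to B (port 2); port 3 floods bogus sources. Returns
    (ports an A->B frame reaches afterwards, whether port 3 was shut down)."""
    sw = Switch({1: 1, 2: 1, 3: 1, 4: 2}, cam_size=8,
                max_macs_per_port=1 if port_security else None)
    A, B = "0000.0000.1111", "0000.0000.2222"
    sw.receive(1, A, B); sw.receive(2, B, A)          # both hosts get learned
    rng = random.Random(1)                            # constructed bogus frames
    for _ in range(50):
        bogus = "%04x.%04x.%04x" % tuple(rng.randrange(1 << 16) for _ in range(3))
        sw.receive(3, bogus, BCAST)
    return sw.receive(1, A, B), 3 in sw.disabled
```

Without Port Security the A-to-B frame is flooded to port 3 as well after the table fills; with a one-address limit, port 3 is shut down on its second source MAC and A's frame still reaches only port 2.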
LAB
• Kali IP: ifconfig eth0 192.168.1.3 netmask 255.255.255.0
• route add default gw 192.168.1.1
• Router setting with IP address 192.168.1.1 255.255.255.0
• PC setting with IP 192.168.1.2 255.255.255.0
Now the switch setting (run it before and after to compare the number of learned addresses):
show mac-address-table count
Attack
From Kali run: macof -i eth0 -n 10