A MAC flooding attack doesn’t actually overflow anything; it tricks a switch into acting like a hub.
Here’s how it looks in the wild. Imagine a switch, the network’s traffic cop, diligently learning which device lives on which port. It builds a table, the CAM table, mapping MAC addresses to physical switch ports. When traffic arrives for a known MAC, the switch sends it only to that port. If the MAC is unknown, it broadcasts to all ports.
```
Switch# show mac address-table
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     FastEthernet0/1
   1    aabb.ccdd.eeff    DYNAMIC     FastEthernet0/2
   1    00a0.c911.2233    DYNAMIC     FastEthernet0/3
```
Now, an attacker, sitting on one port, starts sending a flood of packets, each with a different source MAC address, but all destined for the same MAC address (or a broadcast address). The switch, in its eagerness to learn, dutifully records each new, spoofed MAC address and its corresponding port in its CAM table.
```
Switch# show mac address-table | wc -l
1020
```
The CAM table has a finite size (e.g., 1024 entries for many older Catalyst switches). Once the attacker fills it with bogus entries, the switch can’t learn any more legitimate MAC addresses. When new, valid traffic arrives, the switch has no choice but to start broadcasting it out all ports, just like a hub. This is the "overflow." The attacker, now receiving all broadcast traffic, can sniff sensitive data using tools like Wireshark.
```
root@attacker:~# tcpdump -i eth0 -nn
14:35:10.123456 IP 192.168.1.10.54321 > 192.168.1.100.80: Flags [S], seq 12345, win 65535, options [mss 1460], length 0
14:35:10.123460 IP 192.168.1.10.54321 > 192.168.1.100.80: Flags [S], seq 12345, win 65535, options [mss 1460], length 0
```
The core problem isn’t that the CAM table crashes, but that it loses its intelligence and reverts to dumb hub behavior, enabling eavesdropping.
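To make the learn/forward/flood behaviour concrete, here is a small simulation (an added example, not code from the original article): a toy switch with a finite CAM table that floods unknown destinations, run once with no per-port limit and once with the kind of per-port limit port security enforces. Capacity, port numbers and MAC addresses are constructed, and MAC aging is not modelled.

```python
"""Toy CAM table with finite capacity (added example, not the article's code).

Shows why a flood of spoofed source MACs makes a switch fall back to hub
behaviour and why a per-port learning limit (the idea behind port security)
stops it. Capacity, ports and MACs are constructed; MAC aging is not modelled.
"""


class Switch:
    def __init__(self, capacity, max_per_port=None):
        self.capacity = capacity          # finite CAM table size
        self.max_per_port = max_per_port  # None = no port security
        self.cam = {}                     # MAC -> port
        self.violations = []              # (port, mac) refused by the limit

    def _learn(self, mac, port):
        """Learn src MAC; False only when the per-port limit refuses it."""
        if mac in self.cam:
            return True
        if self.max_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_per_port:
                self.violations.append((port, mac))
                return False
        if len(self.cam) < self.capacity:  # full table: nothing new learned
            self.cam[mac] = port
        return True

    def forward(self, src, dst, in_port, num_ports):
        """Return the egress ports for one frame."""
        if not self._learn(src, in_port):
            return []                       # port-security 'protect': dropped
        if dst in self.cam and self.cam[dst] != in_port:
            return [self.cam[dst]]          # known unicast: one port only
        return [p for p in range(1, num_ports + 1) if p != in_port]  # flood


def simulate(max_per_port=None, capacity=1024, flood_frames=2000, num_ports=4):
    """Attacker on port 3 floods; then client (port 1) replies to server (port 2).

    Returns the egress ports of that reply: [2] means the switch still knows the
    server, [2, 3, 4] means it floods like a hub and port 3 sees the traffic.
    """
    sw = Switch(capacity, max_per_port)
    for i in range(flood_frames):   # constructed spoofed source MACs
        spoofed = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xff, (i >> 8) & 0xff, i & 0xff)
        sw.forward(spoofed, "ff:ff:ff:ff:ff:ff", 3, num_ports)
    sw.forward("00:a0:c9:11:22:33", "00:11:22:33:44:55", 2, num_ports)  # server -> client
    return sw.forward("00:11:22:33:44:55", "00:a0:c9:11:22:33", 1, num_ports)
```

`simulate()` returns `[2, 3, 4]` (the reply is flooded, so the attacker's port sees it), while `simulate(2)` returns `[2]`.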
To prevent this:

- Port Security: This is your primary defense. It limits the number of MAC addresses a port can learn, or locks it to specific MAC addresses.
  - Diagnosis: Check the switch configuration for `switchport port-security`.
  - Fix: On the switch interfaces connected to user ports:

    ```
    interface GigabitEthernet1/0/1
     switchport mode access
     switchport port-security
     ! Allow only 2 MACs (one for the PC, one for a potential rogue device)
     switchport port-security maximum 2
     ! Learn the legitimate MACs and save them to the configuration
     switchport port-security mac-address sticky
     ! Shut down (err-disable) the port if a violation occurs
     switchport port-security violation shutdown
    exit
    ```

  - Why it works: It prevents the switch from learning an excessive number of MACs on a port, thus stopping the CAM table from being filled with attacker-generated addresses. `sticky` is crucial for dynamic environments; it learns the first MACs and sticks to them. `shutdown` is aggressive but effective.

- DHCP Snooping: This feature builds a database of valid IP-to-MAC bindings by listening to DHCP exchanges. It then uses this database to validate traffic.
  - Diagnosis: Check for `ip dhcp snooping` globally and on interfaces.
  - Fix:

    ```
    ! Enable globally
    ip dhcp snooping
    ! Enable on specific VLANs
    ip dhcp snooping vlan 10,20
    ! Mark trusted ports (uplinks, DHCP servers)
    interface GigabitEthernet1/0/1
     ip dhcp snooping trust
    exit
    ! Access ports are untrusted by default; rate-limit DHCP on them
    interface GigabitEthernet1/0/2
     ip dhcp snooping limit rate 15
    exit
    ```

  - Why it works: If a packet arrives with a MAC address not in the DHCP snooping database (and not on a trusted port), the switch drops it, preventing spoofed traffic from being forwarded.

- Dynamic ARP Inspection (DAI): This inspects ARP packets to ensure they contain valid IP-to-MAC bindings, as learned via DHCP snooping.
  - Diagnosis: Check for `ip arp inspection vlan`.
  - Fix:

    ```
    ! Enable ARP inspection on specific VLANs
    ip arp inspection vlan 10,20
    ! Trust ARP only on trusted ports (the same uplink trusted for DHCP snooping)
    interface GigabitEthernet1/0/1
     ip arp inspection trust
    exit
    ```

  - Why it works: ARP is often used to facilitate MAC spoofing. DAI validates ARP packets against the DHCP snooping database, dropping malicious ARP requests or replies that would otherwise lead to man-in-the-middle attacks or facilitate flooding.

- Storm Control: While not directly preventing MAC flooding, it limits broadcast, multicast, or unicast traffic rates.
  - Diagnosis: Check for `storm-control` commands on interfaces.
  - Fix:

    ```
    interface GigabitEthernet1/0/1
     ! Limit broadcast and multicast to 1000 packets/sec
     storm-control broadcast level pps 1000
     storm-control multicast level pps 1000
     ! Shut down the port if the limit is exceeded
     storm-control action shutdown
    exit
    ```

  - Why it works: It caps the rate of traffic on an interface. If an attacker is sending thousands of spoofed packets per second, storm control can detect this abnormal rate and shut down the port or restrict the traffic, preventing the CAM table from being exhausted.

- Increase CAM Table Size: If your hardware supports it, increasing the CAM table size can make it harder to fill. This is often a hardware capability or a configuration setting.
  - Diagnosis: `show mac address-table count`, and check the hardware specs.
  - Fix: This is less common as a user-configurable setting and more about hardware capabilities. For some platforms, it might involve a command like `mac-address-table size <number>`.
  - Why it works: A larger table simply takes more packets to fill, increasing the attacker's effort and the time required.

- Switch Stacking/Redundancy: For critical networks, using redundant switches and link aggregation can mask the effects of a single switch being flooded.
  - Diagnosis: Network topology diagrams, `show etherchannel summary`.
  - Fix: Implement LACP/PAgP on uplinks and configure redundant switch paths.
  - Why it works: If one switch port is compromised and its CAM table filled, traffic can still flow through other redundant paths or switches that are not under attack.
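The Diagnosis steps above mostly amount to looking at `show mac address-table` and counting. The script below (an added example, not the article's or a vendor's code) automates that check over saved output in the Cisco IOS layout shown earlier: it counts DYNAMIC entries per port, flags any port above the limit you would otherwise set with `switchport port-security maximum`, and reports how full the table is against an assumed capacity. The captured output and the 1024-entry capacity are constructed for the example.

```python
"""Flag ports with suspiciously many dynamic MACs (added example, not the
article's code). Parses saved `show mac address-table` output in the Cisco
IOS layout shown above; the sample output and the capacity are constructed.
"""
import re
from collections import Counter

# One table row: "   1    0011.2233.4455    DYNAMIC     FastEthernet0/1"
ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>\S+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)

# Constructed capture: two normal hosts, one static entry, and 500 spoofed
# addresses learned on FastEthernet0/3 (a MAC flood in progress).
SAMPLE = (
    "Switch# show mac address-table\n"
    "Vlan    Mac Address       Type        Ports\n"
    "----    -----------       --------    -----\n"
    "   1    0011.2233.4455    DYNAMIC     FastEthernet0/1\n"
    "   1    aabb.ccdd.eeff    DYNAMIC     FastEthernet0/2\n"
    "   1    0100.0ccc.cccc    STATIC      CPU\n"
    + "".join(
        "   1    0200.%04x.%04x    DYNAMIC     FastEthernet0/3\n" % (i >> 16, i & 0xFFFF)
        for i in range(500)
    )
)


def dynamic_macs_per_port(output):
    """Count DYNAMIC entries per port in show mac address-table output."""
    counts = Counter()
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m and m.group("type").upper() == "DYNAMIC":
            counts[m.group("port")] += 1
    return counts


def suspicious_ports(output, per_port_limit=8, capacity=1024, fill_warn=0.8):
    """Return (ports over the per-port limit, table fill ratio, near-full flag).

    per_port_limit mirrors 'switchport port-security maximum'; capacity is the
    platform's CAM size (assumed 1024 here, as in the article's example).
    """
    counts = dynamic_macs_per_port(output)
    flagged = sorted((port, n) for port, n in counts.items() if n > per_port_limit)
    fill = sum(counts.values()) / capacity
    return flagged, fill, fill >= fill_warn
```

Run against `SAMPLE`, `suspicious_ports` flags `FastEthernet0/3` with 500 dynamic MACs; pipe real `show mac address-table` output into it from a scheduled job to catch a port going abnormal before the table fills.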
After implementing port security, DHCP snooping, and DAI, the next error you might encounter related to network access control is a BPDU Guard violation if you accidentally connect a switch to a port intended for an end-user device.