MAC Table Overflow

 

MAC Table Overflow Attack

Introduction  

A switch’s MAC address table contains network information such as MAC addresses available on each physical switch port and associated VLAN parameters.

When switch receives a frame, the switch looks in the MAC address table (sometimes called MAC table) for the destination MAC address. Cisco Catalyst switch models use a MAC address table for Layer 2 switching. When a frame arrives on a switch port, the source MAC address is learned from Layer 2 packet header and recorded in the MAC address table (Figure 1). If the switch has already learned the mac address of the computer connected to his particular port then an entry already exists for the MAC address. In this case the switch forwards the frame to the MAC address port designated in the MAC address table. If the MAC address does not exist, the switch acts like a hub and forwards the frame out every other port on the switch. Under normal conditions the switch learns all MAC addresses connected to its ports and forwards frames only to the destination port.

61

Figure 1: Switch MAC Table under normal conditions

MAC tables are limited in size. If enough entries are entered into the MAC table before other entries are expired, the MAC table fills up to the point that no new entries can be accepted. Typically, a network intruder will flood the switch with a large number of invalid source MAC addresses until the MAC table fills up. When that occurs, the switch will flood all ports with incoming traffic because it cannot find the port number for a particular MAC address in the MAC table. The switch, in essence, acts like a hub. If the intruder does not maintain the flood of invalid source MAC addresses, the switch will eventually time out older MAC address entries from the MAC table and begin to act like a switch again. MAC table overflow only floods traffic within the local VLAN so the intruder will see only traffic within the local VLAN to which the intruder is connected.

MAC Table Overflow occurs when an enormous amount of fake MAC addresses are flooded into the table and the MAC table size is reached. This causes the switch to act like a hub, flooding the network with traffic out all ports. The flooding caused by a MAC Table Overflow is limited to the source VLAN, thus does not affect other VLANs on the network.

It is trivial to overflow CAM table with invalid MAC addresses, thus all switches should implement security preventing this. Port Security is enough to prevent this type of attack on a Cisco switch. Port Security can be set to only allow a specified amount of MAC addresses to connect to the switch port over a certain amount of time.

In order to attack the CAM table and cause it to overflow, simply install dsniff, and type “macof” in a terminal window. This immediately starts flooding the CAM table with invalid MAC addresses.

Mitigation

Mitigation of the CAM table-overflow attack can be achieved by configuring port security on the switch. This will allow MAC addresses to be specified on a particular switch port, or alternatively, specify the maximum number of MAC addresses that the switch port can learn. If an invalid MAC address is detected on the switch port, the port can be shut down, or the MAC address can be blocked.

You can use the port security feature to restrict input to an interface by limiting and identifying the MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses.

Port security allows you to specify MAC addresses for each port or to permit a limited number of MAC addresses. When a secure port receives a packet, the source MAC address of the packet is compared to the list of secure source addresses that were manually configured or autoconfigured (learned) on the port. If a MAC address of a device attached to the port differs from the list of secure addresses, the port eithershuts down permanently (default mode) or drops incoming packets from the insecure host. The behavior of the port depends on how you configure it to respond to a security violator.

 

Cisco IOS Mitigation:

switchport mode access

switchport port-security

switchport port-security maximum <value>

switchport port-security violation protect

switchport port-security aging type inactivity