SecHard

MAC Flooding Attack

The goal of a MAC flooding attack is to fill the switch's MAC/CAM table so that the switch can no longer respond to incoming requests. To learn the new MAC addresses, the switch erases from its memory the real MAC addresses it learned earlier. To learn them again, it broadcasts the packets destined for the target computer out of all ports. An attacker running a sniffing program on the same network can then monitor the users' traffic.

How Is a MAC Flooding Attack Performed?

As you can see below, no action was taken on the port to which the attacker is connected.

The MAC addresses and MAC address counts that the switch learned before the attacker started his attacks are as follows.

Once the attacker plugs in the cable and joins the network, he starts sending more fake MAC addresses to the switch than it can handle, filling the switch's existing MAC address table up to the MAC count it can hold.

# macof -i eth0 -n 10 -d "target IP address"

# macof -i eth0

The switch can no longer respond to new requests and access to the switch stops completely.

How to Prevent a MAC Flooding Attack?

A MAC flooding attack can be prevented simply by applying the following security settings to the ports on the switch.

  • Switchport port-security maximum : Limits the number of MAC addresses that each port can learn.

  • Switchport port-security violation protect : When MAC flooding is detected, the port is not closed completely. Data traffic is stopped. No warnings or notifications are generated.

  • Switchport port-security violation restrict : When MAC flooding is detected, the port is not closed completely. Data traffic is stopped. Alerts are generated and SNMP traps are sent.

  • Switchport port-security violation shutdown : Completely closes the relevant port in case of an attack. The port goes into the err-disabled state.

  • Switchport port-security mac-address sticky : With this command, the MAC addresses connected to the port are memorized automatically. No further addresses are memorized once the specified limit is reached.

To prevent MAC flooding attacks, we go to the Security section in SecHard.

On the Mac Flooding page, we select the port and take actions such as setting the maximum number of MAC addresses to be learned on the port, activating Sticky mode, and applying a port violation action.

After these actions are taken, if the attacker performs the attack, the switch learns only 2 MAC addresses on the port and then closes the port if further MAC addresses keep arriving.

At the same time, because syslog messages are forwarded to SecHard, SecHard sends a warning by e-mail as soon as the violation is detected.
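
The violation alerting described above can be reproduced on any syslog collector. The following Python code is an added example, not SecHard's code or part of the original article: it reads Cisco IOS port-security syslog messages, groups them per port, and separates a single unauthorized device from a burst of many source MACs. The sample log lines are constructed, and the flood_threshold of 3 distinct MAC addresses is an assumption to tune for your network.

```python
import re
from collections import defaultdict

# Constructed sample lines in Cisco IOS syslog format (not from a real device).
SAMPLE_LOG = """\
Mar  3 10:15:01 sw1 %LINK-3-UPDOWN: Interface GigabitEthernet0/5, changed state to up
Mar  3 10:15:04 sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00a1.b2c3.d4e5 on port GigabitEthernet0/5.
Mar  3 10:15:04 sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 3e5f.0c11.9a77 on port GigabitEthernet0/5.
Mar  3 10:15:05 sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 7c02.44de.01bb on port GigabitEthernet0/5.
Mar  3 10:20:40 sw1 %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/7, putting Gi0/7 in err-disable state
Mar  3 10:20:40 sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.56aa.0001 on port GigabitEthernet0/7.
"""

VIOLATION = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION:.*MAC address "
                       r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (\S+?)\.?$", re.I)
ERR_DISABLE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on (\S+),")
SHORT = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa"}

def short_name(port):
    """Normalise long interface names so both message types key the same port."""
    for long_form, short_form in SHORT.items():
        if port.startswith(long_form):
            return short_form + port[len(long_form):]
    return port

def analyse(log_text, flood_threshold=3):
    """Return {port: {"macs": n, "err_disabled": bool, "verdict": str}}."""
    macs, disabled = defaultdict(set), set()
    for line in log_text.splitlines():
        if m := VIOLATION.search(line):
            macs[short_name(m.group(2))].add(m.group(1).lower())
        elif m := ERR_DISABLE.search(line):
            disabled.add(short_name(m.group(1)))
    report = {}
    for port in sorted(set(macs) | disabled):
        n = len(macs[port])  # distinct violating source MACs seen on this port
        # Assumption: many distinct MACs on one access port indicates flooding,
        # while one or two is more likely a single unauthorized device.
        verdict = "possible MAC flooding" if n >= flood_threshold else "port-security violation"
        report[port] = {"macs": n, "err_disabled": port in disabled, "verdict": verdict}
    return report

if __name__ == "__main__":
    for port, info in analyse(SAMPLE_LOG).items():
        print(port, info)
```

With the violation mode set to shutdown, the port is err-disabled after the first offending frame, so only one MAC address is logged. The distinct-MAC count is therefore most informative on ports running in restrict mode.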

 
