SecHard
10.2.2.1.2. MAC Flooding Attack / Flooding Attack
The most common Layer 2 MAC attack is MAC flooding: the attacker sends a large number of frames with random source MAC addresses so that the switch's CAM (content-addressable memory) table fills up. Once the table is full the switch can no longer learn new source addresses, and every frame whose destination it cannot look up is flooded out of all ports in the VLAN instead of being delivered to a single port.
Legitimate entries are not evicted outright by the flood. Dynamic entries expire when a host has been quiet for longer than the aging time (300 seconds by default on Cisco switches), and while the attacker keeps the table full they cannot be re-learned, so traffic between legitimate hosts becomes unknown-unicast traffic that is flooded. The switch is then said to be in "hub mode" or to "fail open": every port still forms its own collision domain, but the traffic isolation a switch normally provides between ports is lost, because frames that would have been forwarded to one port are copied to all of them, including the attacker's. This allows passive eavesdropping on unicast conversations between other hosts on the switch.
The MAC flooding attack works by filling the CAM table with random addresses so that the switch falls back to flooding frames to all ports, like a hub. Port security on Cisco switches is the usual countermeasure: each port is given a maximum number of secure MAC addresses (default 1), and those addresses can be configured statically, learned dynamically (in which case they are lost on reload), or learned as sticky addresses, which the switch writes into the running configuration so that they survive a reload once the configuration is saved. When a frame arrives from a source address that would exceed the configured maximum, the configured violation mode decides what happens: protect silently drops frames from unknown sources, restrict drops them and additionally increments the violation counter and raises a syslog message and SNMP trap, and shutdown (the default) puts the port into the err-disabled state, after which an administrator must re-enable it (or errdisable recovery must be configured). Note that the switch does not probe dynamic CAM entries for liveness; a dynamic entry simply ages out when no frame from that source address has been seen for the aging time. The commands below, entered in interface configuration mode on an access port, allow two secure addresses, learn them as sticky addresses, and drop and log anything beyond that:
! port security is only accepted on a statically configured access (or trunk) port, not a dynamic one
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security mac-address sticky
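To make both halves of the discussion concrete, the CAM table filling up and forcing unicast frames to be flooded, and port security stopping that on the attacker's port, here is an added illustration in Python. It is not SecHard's or Cisco's code: it models a switch with a deliberately tiny CAM table, Cisco's default 300-second aging of dynamic entries, and port security's maximum, violation-mode and sticky behaviour. The port names, host and attacker MAC addresses, table size and frame counts are assumptions chosen to keep the demo small; a real table holds thousands of entries and tools such as macof send hundreds of thousands of frames to fill it.

```python
import random
from dataclasses import dataclass, field

# Added illustration, not SecHard's or Cisco's code; the constants are assumptions.
CAM_CAPACITY = 8        # assumption: a tiny table so a short loop can fill it
AGING_SECONDS = 300     # Cisco default aging time for dynamic CAM entries
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class PortSecurity:
    maximum: int = 1             # Cisco default: one secure address per port
    violation: str = "shutdown"  # Cisco default violation mode
    sticky: bool = False         # sticky addresses survive a reload
    secure: set = field(default_factory=set)
    err_disabled: bool = False
    violations: int = 0


class Switch:
    def __init__(self, ports, capacity=CAM_CAPACITY):
        self.ports = list(ports)
        self.capacity = capacity
        self.cam = {}      # mac -> (port, time last seen as a source address)
        self.psec = {}     # port -> PortSecurity, for ports where it is enabled
        self.now = 0

    def enable_port_security(self, port, maximum=1, violation="shutdown", sticky=False):
        self.psec[port] = PortSecurity(maximum, violation, sticky)

    def _age_out(self):
        # A full table does not evict live entries; an entry is dropped only when
        # its source has been quiet for longer than the aging time.
        stale = [m for m, (_, seen) in self.cam.items() if self.now - seen > AGING_SECONDS]
        for mac in stale:
            del self.cam[mac]

    def _port_security_allows(self, src, port):
        ps = self.psec.get(port)
        if ps is None:
            return True
        if ps.err_disabled:
            return False                  # port is down; nothing passes
        if src in ps.secure:
            return True
        if len(ps.secure) < ps.maximum:
            ps.secure.add(src)            # learned as a secure address
            return True
        ps.violations += 1                # protect: silent drop; restrict: drop and count
        if ps.violation == "shutdown":
            ps.err_disabled = True        # first violation err-disables the port
        return False

    def receive(self, src, dst, in_port, t=None):
        """Handle one frame; return the set of egress ports (empty if dropped)."""
        if t is not None:
            self.now = t
        self._age_out()
        if not self._port_security_allows(src, in_port):
            return set()
        if src in self.cam or len(self.cam) < self.capacity:
            self.cam[src] = (in_port, self.now)   # learn or refresh the source
        entry = self.cam.get(dst)
        if dst == BROADCAST or entry is None:
            return {p for p in self.ports if p != in_port}   # unknown destination: flood
        return {entry[0]}

    def reload(self):
        """Power cycle: the CAM table and non-sticky secure addresses are lost."""
        self.cam.clear()
        for ps in self.psec.values():
            if not ps.sticky:
                ps.secure.clear()
            ps.err_disabled = False


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def flood(sw, port, count, t, seed=1):
    """Attacker on `port` sends `count` frames with random source and destination MACs."""
    rng = random.Random(seed)
    for _ in range(count):
        sw.receive(random_mac(rng), random_mac(rng), port, t=t)


def demo(violation=None):
    """Run the attack; return the switch and where A's unicast frame to B is forwarded."""
    sw = Switch(["Gi0/1", "Gi0/2", "Gi0/3"])           # assumed port names
    if violation:
        sw.enable_port_security("Gi0/3", maximum=2, violation=violation, sticky=True)
    a, b = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"   # assumed host addresses
    sw.receive(a, BROADCAST, "Gi0/1", t=0)             # A is learned on Gi0/1
    sw.receive(b, a, "Gi0/2", t=1)                     # B is learned on Gi0/2
    flood(sw, "Gi0/3", 50, t=AGING_SECONDS + 5)        # A and B have aged out; attacker fills the table
    sw.receive(b, a, "Gi0/2", t=AGING_SECONDS + 6)     # B talks again: can it be re-learned?
    return sw, sorted(sw.receive(a, b, "Gi0/1", t=AGING_SECONDS + 7))
```

Run `demo()` for the unprotected switch: the attacker fills the table while A and B are idle, neither can be re-learned afterwards, and A's unicast frame to B is flooded out of Gi0/2 and Gi0/3, so the attacker on Gi0/3 sees it. Run `demo("restrict")` (or `"protect"`) and only two attacker addresses are accepted on Gi0/3, the remaining 48 frames are counted as violations, B and A are learned normally and the frame goes only to Gi0/2; with `demo("shutdown")` the first violation err-disables the port instead. Calling `reload()` on the protected switch shows what sticky buys: the CAM table is emptied, but the two secure addresses on Gi0/3 remain.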