MAC Flooding & Port Security

What is MAC Flooding?

In computer networking, a media access control attack, or MAC flooding, is a technique used to compromise the security of network switches. A switch keeps a MAC address table of MAC address/port mappings, which allows it to direct data out of the port where the recipient is located. The attack works by forcing legitimate entries out of this table, which forces unicast flooding behavior and potentially sends sensitive information to portions of the network where it is not normally intended to go.

In a typical MAC flooding attack, the attacker feeds the switch many Ethernet frames, each containing a different source MAC address. The intention is to consume the limited memory set aside in the switch to store the MAC address table. Within a very short time, the switch's MAC address table is full of fake MAC address/port mappings, and at some point the switch cannot save any more MAC addresses. This forces the switch into a fail-open mode in which it behaves like a hub. With the hub's broadcast behavior, all packets start moving to every node without any intelligence. After launching a successful MAC flooding attack, a malicious user can use a packet analyzer to capture sensitive data being transmitted between other computers, which would not be accessible were the switch operating normally.

ARP spoofing is an attack in which the attacker sends falsified ARP (Address Resolution Protocol) messages so that the attacker's MAC address becomes linked with the IP address of a legitimate user on the network. The Address Resolution Protocol is used by the Internet Protocol, usually IPv4, to map the IP address of a machine to a physical address such as a MAC address, also called an Ethernet address.

How to prevent the MAC Flooding Attack?

Port security is one of the most important layer 2 security techniques. It limits the number of MAC addresses allowed on a port. For example, we can configure port security to limit a port to one MAC address. The first address that arrives is entered in the MAC table; when a second one tries to come in, the switch performs a violation action, which could be to drop, log or shut down the port. However, deploying port security (limiting MAC access) can be tricky between two switches, because it is not easy to define the number of MAC addresses. Cisco switches come with a built-in port security feature. For more details, I found this website very helpful.
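
The following simulation is an added example, not code from the original post or from any switch vendor. It models a switch's MAC table with and without a per-port MAC limit and shows where a frame from host A to host B is sent in each case. The table size of 8, the port numbers and all MAC addresses are constructed; the violation names drop, log and shutdown follow the wording above.

```python
from dataclasses import dataclass, field

@dataclass
class Switch:
    table_size: int                 # MAC table capacity (constructed, tiny for the demo)
    port_limit: int = 0             # max MACs per port; 0 = port security off
    violation: str = "shutdown"     # "drop", "log" or "shutdown"
    table: dict = field(default_factory=dict)    # MAC -> port
    disabled: set = field(default_factory=set)   # ports shut down by a violation
    log: list = field(default_factory=list)      # (port, offending MAC)

    def learn(self, port, src):
        """Handle a frame's source MAC; return False if the frame is discarded."""
        if port in self.disabled:
            return False
        if self.table.get(src) == port:
            return True
        on_port = sum(1 for p in self.table.values() if p == port)
        if self.port_limit and on_port >= self.port_limit:
            if self.violation in ("log", "shutdown"):
                self.log.append((port, src))
            if self.violation == "shutdown":
                self.disabled.add(port)
            return False
        if len(self.table) < self.table_size:    # full table: nothing new is learned
            self.table[src] = port
        return True

    def egress(self, in_port, dst, ports):
        """Ports a unicast frame to dst leaves on; unknown destinations are flooded."""
        if dst in self.table:
            return [self.table[dst]]
        return [p for p in ports if p != in_port and p not in self.disabled]

def run(port_limit, violation="shutdown"):
    sw = Switch(table_size=8, port_limit=port_limit, violation=violation)
    for i in range(20):                       # constructed: 20 distinct sources on port 3
        sw.learn(3, f"02:00:00:00:00:{i:02x}")
    sw.learn(2, "aa:aa:aa:aa:aa:02")          # host B (constructed address)
    sw.learn(1, "aa:aa:aa:aa:aa:01")          # host A (constructed address)
    return sw.egress(1, "aa:aa:aa:aa:aa:02", [1, 2, 3]), sw

if __name__ == "__main__":
    for limit in (0, 1):
        out, sw = run(limit)
        print(f"limit={limit}: A->B leaves on {out}, disabled={sorted(sw.disabled)}")
```

With the limit off, the table fills with port 3 entries, host B is never learned, and the frame from A is flooded to ports 2 and 3. With a limit of one, the second address on port 3 triggers the violation action and the frame reaches only port 2.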


Anup Chhetri

IT system administrator
