Before you can prevent MAC flooding attack on layer 2 devices, you must know enough about basic switch operation and MAC table attack. A Layer 2 LAN switch builds a table of MAC addresses that are stored in its Content Addressable Memory (CAM). A CAM table is the same thing as a MAC address table. The CAM table binds and stores MAC addresses and associated VLAN parameters that are connected to the physical switch ports. Switches then compare the destination MAC unicast addresses of incoming frames to the entries in the CAM table to make port forwarding decisions. If the destination MAC address is in the CAM table, the switch forwards the frame accordingly. However, if the destination MAC address is not in the CAM table, the switch will flood the frame out of all ports except for the frame’s port of ingress. This is called an unknown unicast flood.
How does CAM Table attack work?
All CAM tables have a fixed size and consequently, a switch can run out of resources in which to store MAC addresses. CAM table overflow attacks (also called MAC address overflow attacks) take advantage of this limitation by bombarding the switch with fake source MAC addresses until the switch MAC address table is full.
If enough entries are entered into the CAM table before older entries expire, the table fills up to the point that no new entries can be accepted. When this occurs, the switch treats the frame as an unknown unicast and begins to flood all incoming traffic to all ports without referencing the CAM table. The switch, in essence, acts as a hub. As a result, the attacker can capture all of the frames sent from one host to another.
NOTE: Traffic is flooded only within the local VLAN, so the intruder sees only traffic within the local VLAN to which the intruder is connected.
MAC Flooding Tools for Windows and Linux
Macof tools flood the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing). What makes these tools so dangerous is that an attacker can create a CAM table overflow attack in a matter of seconds. For instance, a Catalyst 6500 switch can store 132,000 MAC addresses in its CAM table. A tool such as Macof can flood a switch with up to 8,000 bogus frames per second; creating a CAM table overflow attack in a matter of a few seconds.
Another reason why these attack tools are dangerous is that they not only affect the local switch, they can also affect other connected Layer 2 switches. When the CAM table of a switch is full, it starts broadcasting out all ports including those connecting to other Layer 2 switches.
How to Prevent Mac Flooding Attack?
In order to mitigate CAM table overflow attacks, network administrators must implement port security. It is the simplest and most effective method to prevent MAC flooding attack and CAM table overflow. Port security allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses. By limiting the number of permitted MAC addresses on a port to one, port security can be used to control the unauthorized expansion of the network.
After configuring or enabling port security, the MAC addresses are assigned to a secure port, the port does not forward frames with source MAC addresses outside the group of defined addresses. When a port configured with port security receives a frame, the source MAC address of the frame is compared to the list of secure source addresses that were manually configured or autoconfigured (learned) on the port.
To enable port security, use the switchport port-security interface configuration command on an access port. The port must be configured as an access port before port security can be enabled. This is because port security can only be configured on access ports and, by default, Layer 2 switch ports are set to dynamic auto (trunking on). Therefore, the port must be initially configured with the switchport mode access interface configuration command.
To set the maximum number of MAC addresses allowed on a port use the switchport port-security maximum value command
Note: The actual maximum number of secure MAC addresses that can be configured is set by the maximum number of available MAC addresses allowed by the active Switch Database Management (SDM) template. Use the show sdm prefer command to view the current template settings.
The switch can be configured to learn about MAC addresses on a secure port in one of two ways:
- Manually configured – Manually configures the MAC address(es) using the switchport port-security mac-address interface configuration command.
- Dynamically learned – Enables the switch to dynamically learn the MAC address using the switchport port-security mac-address sticky interface configuration command.
S4(config)# interface fastEthernet 0/10 S4(config-if)# switchport mode access S4(config-if)# switchport port-security S4(config-if)# switchport port-security maximum 5 S4(config-if)# switchport port-security violation shutdown S4(config-if)# switchport port-security mac-address sticky
To view the result, just type the “show port-security interface FastEthernet 0/10“.
S4#show port-security interface fastEthernet 0/10 Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action (Count) (Count) (Count) -------------------------------------------------------------------- Fa0/10 5 0 0 Shutdown ---------------------------------------------------------------------- Port Security : Enabled Port Status : Secure-down Violation Mode : Shutdown Aging Time : 0 mins Aging Type : Absolute SecureStatic Address Aging : Disabled Maximum MAC Addresses : 5 Total MAC Addresses : 0 Configured MAC Addresses : 0 Sticky MAC Addresses : 0 Last Source Address:Vlan : 0000.0000.0000:0 Security Violation Count : 0 S4#
That’s good. The configuration to prevent MAC flooding attack works perfectly on Cisco switch.
Port Security Violations Modes
- Protect: This is the least secure of the security violation modes. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until a sufficient number of secure MAC addresses are removed, or the number of maximum allowable addresses is increased. There is no notification that a security violation has occurred.
- Restrict: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until a sufficient number of secure MAC addresses are removed, or the number of maximum allowable addresses is increased. In this mode, there is a notification that a security violation has occurred.
- Shutdown: In this (default) security violation mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It increments the violation counter. When a secure port is in the error-disabled state, it can be brought out of this state by entering the shutdown and no shutdown interface configuration mode commands. More importantly, the port must be re-enabled manually by an administrator.
Prot Security Aging
The port security aging can be used to set the aging time for static and dynamic secure addresses on a port. Two types of aging are supported per port:
- Absolute – The secure addresses on the port are deleted after the specified aging time.
- Inactivity – The secure addresses on the port are deleted only if they are inactive for the specified aging time.
Use aging to remove secure MAC addresses on a secure port without manually deleting the existing secure MAC addresses. Aging time limits can also be increased to ensure past secure MAC addresses remain, even while new MAC addresses are added. Keep in mind the maximum number of secure addresses per port can be configured. Aging of statically configured secure addresses can be enabled or disabled on a per-port basis.
S4(config-if)#switchport port-security aging time 150
That is not all you get to know about how to prevent MAC Flooding attack in the network. This is a simple guide to know the function of MAC table attack and simple port security configuration.
Source: NetAcad, My local CCNA security Lab, and Google.