Wed Jul 05

MAC Flooding Attack in Cyber Security

A network switch is a networking device that connects multiple devices so that they can communicate with each other. Compared to a hub, a switch can be seen as an “intelligent device”: it learns and stores the MAC addresses of the connected devices, whereas a hub cannot. Because of this, a switch can filter and forward data to a specific device by looking at the frame's destination address. Unfortunately, this ability is also vulnerable to a specific attack known as a MAC flooding attack. In this article, we explain what a MAC flooding attack is, how it works, how to detect it, and how it can be combined with another attack called MAC spoofing. Before that, it is best to understand what a MAC address is and how a switch works.

What is a MAC address?

As mentioned earlier, a network switch connects multiple devices on a LAN and forwards data packets to the intended destination based on the MAC address of the destination device. A MAC address is a unique identifier assigned to each network interface card (NIC) by its manufacturer. The switch maintains a table, called the MAC address table, that maps each MAC address to the switch port on which that address was seen.

How does the switch work?

When a device on the network wants to communicate with another device, it sends an Ethernet frame containing, among other information, the source MAC address and the destination MAC address. The switch receives this frame and uses the destination MAC address to find the correct port in the MAC address table. It then forwards the frame out of that port only, reducing network congestion and increasing security.

Assume that we are installing a new local area network with a switch, and that we have three computers A, B and C with the MAC addresses AA-AA-AA-AA-AA-AA, BB-BB-BB-BB-BB-BB and CC-CC-CC-CC-CC-CC respectively. The MAC table described above is essential to understanding this kind of attack: it can be seen as a database that stores the identity of the connected devices by their MAC address.

When computer A is connected, the switch will read the frame sent by computer A and add its MAC address to the MAC table so the table would look like this.

Port Number   MAC Address
g1/0/1        AA-AA-AA-AA-AA-AA
g1/0/2
g1/0/3
g1/0/4
g1/0/5

MAC Table

A switch sends frames to their intended destination by using MAC addresses for identification. In an established network, the switch populates its MAC address table with the MAC addresses of the connected devices, which allows it to deliver frames efficiently to their intended recipients. When the switch has not yet learned the MAC address of a device, as is the case for B and C in our scenario, MAC flooding may be required.

What is MAC Flooding?

MAC flooding is a technique where the switch sends the frame out of all its ports (except the incoming port) in order to discover the MAC address of the destination device. Once the switch receives a response containing the MAC address, it updates its MAC address table and can subsequently deliver frames directly to the intended device.

Therefore, in our case, since B and C have not yet been learned by the switch, MAC flooding is used to ensure that the frames reach their intended destinations. Assume that computer A needs to communicate with computer B, which is connected to the same switch. The frame sent by computer A is forwarded to all connected devices. Because computer C is also connected to the same switch, computer C receives the frame as well. However, because the frame is addressed to computer B rather than C, only computer B recognizes it and replies through the switch, and the switch stores computer B's MAC address in its MAC table. A new entry is therefore added.

Port Number   MAC Address
g1/0/1        AA-AA-AA-AA-AA-AA
g1/0/2
g1/0/3        BB-BB-BB-BB-BB-BB
g1/0/4
g1/0/5

MAC Table

Because both computers now have their own MAC address listed in the table, communication can be established easily. The switch handles this process dynamically, so the entries may change all the time, especially when new devices are connected.

How MAC Flooding Attack Works

A MAC flooding attack exploits this mechanism by sending a large number of fake Ethernet frames, each containing a different source MAC address but the same destination MAC address. The attacker’s goal is to fill up the switch’s memory allocated for the MAC address table, causing it to overflow and become unable to store any more entries.

Once the table becomes full, the switch will not be able to find a matching port for incoming frames. As a result, it will resort to broadcasting all frames out of all ports, turning the switch into a hub. This creates a lot of network traffic and can potentially cause a denial of service (DoS) condition.

Moreover, this will allow the attacker to intercept or modify any data packets that are being transmitted between other devices on the network. The attacker can use a packet analyzer tool to capture sensitive data such as passwords, credit card numbers, or personal information. The attacker can also use this access to launch further attacks on other devices or servers on the network.
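The learn/forward/flood behaviour of the previous sections and the table-overflow effect described just above can be watched in a small simulation. The following Python model is an added example written for this article, not code from the article itself or from any switch vendor. It assumes a tiny table of eight entries (real switches hold thousands) and, as a simplification, ages entries out after a fixed number of frames rather than seconds; the port names, the MAC addresses of A and B and the attacker's locally administered addresses are constructed values.

```python
from dataclasses import dataclass

BROADCAST = "FF-FF-FF-FF-FF-FF"


@dataclass
class Frame:
    src: str       # source MAC
    dst: str       # destination MAC
    in_port: str   # switch port the frame arrived on


class LearningSwitch:
    """Transparent learning switch with a bounded, aging MAC address table.

    Assumptions (not from the article): the table holds `table_size` entries and
    an entry expires once it has not been refreshed for `age_limit` frames.
    """

    def __init__(self, ports, table_size=8, age_limit=50):
        self.ports = list(ports)
        self.table_size = table_size
        self.age_limit = age_limit
        self.mac_table = {}          # MAC -> (port, tick when last seen)
        self.tick = 0
        self.stats = {"forwarded": 0, "flooded": 0, "learn_failed": 0}

    def _expire(self):
        stale = [m for m, (_, seen) in self.mac_table.items()
                 if self.tick - seen > self.age_limit]
        for m in stale:
            del self.mac_table[m]

    def _learn(self, mac, port):
        if mac in self.mac_table or len(self.mac_table) < self.table_size:
            self.mac_table[mac] = (port, self.tick)   # add or refresh the entry
        else:
            self.stats["learn_failed"] += 1            # table full: nothing learned

    def handle(self, frame):
        """Process one frame and return the list of egress ports."""
        self.tick += 1
        self._expire()
        self._learn(frame.src, frame.in_port)
        entry = self.mac_table.get(frame.dst)
        if frame.dst != BROADCAST and entry is not None:
            self.stats["forwarded"] += 1
            out_port = entry[0]
            return [] if out_port == frame.in_port else [out_port]
        # Unknown destination (or broadcast): flood out of every other port.
        self.stats["flooded"] += 1
        return [p for p in self.ports if p != frame.in_port]


A, B = "AA-AA-AA-AA-AA-AA", "BB-BB-BB-BB-BB-BB"
PORTS = ["g1/0/1", "g1/0/2", "g1/0/3", "g1/0/4", "g1/0/5"]


def fake_mac(i):
    """Constructed attacker source MAC number i (locally administered prefix 02)."""
    return "02-00-00-%02X-%02X-%02X" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)


def run_scenario(attack_frames=200):
    sw = LearningSwitch(PORTS)
    first = sw.handle(Frame(A, B, "g1/0/1"))    # B unknown yet: flooded
    sw.handle(Frame(B, A, "g1/0/3"))            # reply: switch learns B on g1/0/3
    before = sw.handle(Frame(A, B, "g1/0/1"))   # now delivered to g1/0/3 only
    for i in range(attack_frames):              # attacker on g1/0/5 churns source MACs
        sw.handle(Frame(fake_mac(i), BROADCAST, "g1/0/5"))
    after = sw.handle(Frame(A, B, "g1/0/1"))    # A and B aged out and cannot be re-learned
    return {
        "first": first,
        "before": before,
        "after": after,
        "table_entries": len(sw.mac_table),
        "attacker_entries": sum(1 for m in sw.mac_table if m.startswith("02-00-00-")),
        "stats": dict(sw.stats),
    }


if __name__ == "__main__":
    result = run_scenario()
    print("A->B before attack goes to:", result["before"])
    print("A->B after attack goes to: ", result["after"])
    print("table:", result["table_entries"], "entries,",
          result["attacker_entries"], "attacker-owned;", result["stats"])
```

Running the scenario shows the two states the article describes: before the attack the second A-to-B frame leaves only g1/0/3, while after 200 frames with ever-changing source addresses the table holds nothing but attacker entries, A can no longer be learned, and the same A-to-B frame is flooded out of every port, including the attacker's. The `learn_failed` counter is the kind of signal a switch exposes as a "table full" or port-security event, which the detection section relies on.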

How to Detect MAC Flooding Attack?

To detect MAC flooding attacks, network operators can use various tools and techniques such as:

Network monitoring

This involves using software or hardware tools that collect and analyze network traffic data and alert operators of any anomalies or suspicious activities. For example, a sudden spike in broadcast traffic or unknown MAC addresses could indicate a possible MAC flooding attack.

Network auditing

This involves periodically checking and verifying the configuration and status of network devices and ensuring they comply with security policies and standards. For example, checking whether port security or MAC authentication is enabled and working properly could prevent or mitigate a potential MAC flooding attack.

Network testing

This involves performing simulated attacks or penetration tests on the network to evaluate its vulnerability and resilience to various types of cyber attacks, including MAC flooding. For example, using tools such as ettercap to generate fake MAC addresses and flood the switch could reveal any weaknesses or gaps in the network security.

MAC Spoofing Attack

MAC spoofing is a type of cyber attack where an attacker alters or impersonates the Media Access Control (MAC) address of a network interface card (NIC) to deceive network devices and gain unauthorized access to a network. This technique allows the attacker to masquerade as a legitimate device on the network and potentially bypass security measures that rely on MAC addresses for identification. By changing the MAC address of their NIC to match that of an authorized device on the network, the attacker can trick network switches, routers, or access points into believing that they are legitimate devices. This can enable the attacker to circumvent access restrictions and potentially intercept or modify network traffic.

MAC spoofing can be particularly effective when combined with other attacks or used in conjunction with techniques like MAC flooding. By spoofing the MAC address of a trusted device, the attacker can launch attacks that appear to originate from an authorized source, making it more challenging to identify and block their activities. One potential use of MAC spoofing is to deceive network switches into forwarding traffic destined for a specific device to the attacker’s own machine. This can enable the attacker to eavesdrop on the communication intended for the targeted device or launch further attacks, such as network reconnaissance or data manipulation.
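The monitoring approach from the detection section (a spike in unknown MAC addresses) and the spoofing scenario just described (a trusted address suddenly appearing behind the attacker's port) can both be checked with the same piece of logic. The detector below is an added example, not code from the article: it consumes a constructed one-sighting-per-line record format (timestamp, port, source MAC) such as you could derive from switch MAC-learning notifications or a traffic mirror, flags a port that learns more than a set number of new MACs within a sliding window, and flags a MAC that moves between ports, with a stronger alert when the MAC is on an operator-maintained trusted list. The log format, thresholds, port names and addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed record format (not a real switch's syslog): one MAC sighting per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) port=(?P<port>\S+) src=(?P<mac>[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})$"
)


def parse_line(line):
    """Return (timestamp, port, MAC) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["port"], m["mac"].upper()


class MacAnomalyDetector:
    """Flags ports that learn too many new MACs in a short window (flooding)
    and MACs that show up behind a different port than before (possible spoofing)."""

    def __init__(self, window_s=10, max_new_macs=20, trusted=None):
        self.window_s = window_s            # sliding window length in seconds
        self.max_new_macs = max_new_macs    # new MACs per port per window before alerting
        self.trusted = trusted or {}        # MAC -> port it is expected to live on
        self.seen_on = {}                   # MAC -> port it was last seen on
        self.new_macs = defaultdict(deque)  # port -> timestamps of first sightings
        self.flagged_ports = set()          # ports already reported, to avoid repeats

    def observe(self, ts, port, mac):
        alerts = []
        expected = self.trusted.get(mac)
        prev = self.seen_on.get(mac)
        if expected is not None and port != expected:
            alerts.append(("SPOOF_SUSPECT", mac, expected, port))
        elif prev is not None and prev != port:
            alerts.append(("MAC_MOVED", mac, prev, port))
        if prev is None:                    # first sighting of this MAC anywhere
            q = self.new_macs[port]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > self.window_s:
                q.popleft()                 # drop sightings outside the window
            if len(q) > self.max_new_macs and port not in self.flagged_ports:
                self.flagged_ports.add(port)
                alerts.append(("MAC_FLOOD", port, len(q)))
        self.seen_on[mac] = port
        return alerts


def analyze(lines, trusted=None):
    """Run the detector over an iterable of log lines; return all alerts in order."""
    det = MacAnomalyDetector(trusted=trusted)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                        # malformed lines are skipped
        alerts.extend(det.observe(*rec))
    return alerts


def build_sample_log():
    """Constructed sample: three hosts, a burst of fake MACs on g1/0/5,
    then B's address appearing on the attacker's port and C moving ports."""
    base = datetime(2023, 7, 5, 10, 0, 0)

    def at(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = [
        f"{at(0)} port=g1/0/1 src=AA-AA-AA-AA-AA-AA",
        f"{at(1)} port=g1/0/3 src=BB-BB-BB-BB-BB-BB",
        f"{at(2)} port=g1/0/2 src=CC-CC-CC-CC-CC-CC",
        "garbage line that the parser must skip",
    ]
    for i in range(30):                     # 30 distinct source MACs in 3 seconds
        lines.append(f"{at(10 + i // 10)} port=g1/0/5 src=02-00-00-00-00-{i:02X}")
    lines.append(f"{at(30)} port=g1/0/5 src=BB-BB-BB-BB-BB-BB")
    lines.append(f"{at(31)} port=g1/0/4 src=CC-CC-CC-CC-CC-CC")
    return lines


TRUSTED = {"BB-BB-BB-BB-BB-BB": "g1/0/3"}  # e.g. a server whose port is known

if __name__ == "__main__":
    for alert in analyze(build_sample_log(), trusted=TRUSTED):
        print(alert)
```

On the sample the detector raises a MAC_FLOOD alert for g1/0/5 at the 21st new address, a SPOOF_SUSPECT alert when B's address shows up on g1/0/5 instead of g1/0/3, and a plain MAC_MOVED alert when C changes ports, which on its own may just be a re-patched cable. The thresholds are deliberately conservative: an access port normally carries one host or a small handful of addresses, so a port that learns dozens of new MACs in seconds is anomalous. The preventive counterpart that the auditing section refers to is port security; on Cisco IOS, for example, `switchport port-security maximum` caps how many addresses a port may learn and `switchport port-security violation` sets what happens when the cap is exceeded, and `mac address-table notification mac-move` generates the move events this detector looks for.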

Conclusion

MAC flooding and MAC spoofing are two types of cyber attacks that target network switches on a LAN and aim to access user data or cause network disruption. They exploit the mechanism of how switches forward data packets based on MAC addresses and try to overflow or spoof them. To protect the network from these attacks, network operators need to implement various security features and measures on their network equipment and monitor and audit their network performance and configuration regularly. They also need to test their network security against simulated attacks and fix any vulnerabilities or issues they find.