computer networking A computer network is a collection of communicating computers and other devices, such as printers and smart phones. In order to communicate, the computers and devices must be connected by wired media like copper cables, optical fibers, or b ...

, a media access control attack or MAC flooding is a technique employed to compromise the security of

network switch A network switch (also called switching hub, bridging hub, Ethernet switch, and, by the IEEE, MAC bridge) is networking hardware that connects devices on a computer network by using packet switching to receive and forward data to the destinat ...

es. The attack works by forcing legitimate MAC table contents out of the switch and forcing a unicast flooding behavior potentially sending sensitive information to portions of the network where it is not normally intended to go.

Attack method

Switches maintain a MAC table that maps individual

MAC address A MAC address (short for medium access control address or media access control address) is a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network segment. This use i ...

es on the network to the physical ports on the switch. This allows the switch to direct data out of the physical port where the recipient is located, as opposed to indiscriminately

broadcasting Broadcasting is the data distribution, distribution of sound, audio audiovisual content to dispersed audiences via a electronic medium (communication), mass communications medium, typically one using the electromagnetic spectrum (radio waves), ...

the data out of all ports as an

Ethernet hub An Ethernet hub, active hub, network hub, repeater hub, multiport repeater, or simply hub is a network hardware device for connecting multiple Ethernet devices together and making them act as a single network segment. It has multiple input/out ...

does. The advantage of this method is that data is bridged exclusively to the

network segment A network segment is a portion of a computer network. The nature and extent of a segment depends on the nature of the network and the device or devices used to interconnect end stations. Ethernet According to the defining IEEE 802.3 standards ...

containing the computer that the data is specifically destined for. In a typical MAC flooding attack, a switch is fed many

Ethernet frame In computer networking, an Ethernet frame is a data link layer protocol data unit and uses the underlying Ethernet physical layer transport mechanisms. In other words, a data unit on an Ethernet link transports an Ethernet frame as its paylo ...

s, each containing a different source MAC address, by the attacker. The intention is to consume the limited

memory Memory is the faculty of the mind by which data or information is encoded, stored, and retrieved when needed. It is the retention of information over time for the purpose of influencing future action. If past events could not be remembe ...

set aside in the switch to store the MAC address table. The effect of this attack may vary across implementations, however the desired effect (by the attacker) is to force legitimate MAC addresses out of the MAC address table, causing significant quantities of incoming frames to be

flooded A flood is an overflow of water ( or rarely other fluids) that submerges land that is usually dry. In the sense of "flowing water", the word may also be applied to the inflow of the tide. Floods are of significant concern in agriculture, civ ...

out on all ports. It is from this flooding behavior that the MAC flooding attack gets its name. After launching a successful MAC flooding attack, a malicious user can use a

packet analyzer A packet analyzer (also packet sniffer or network analyzer) is a computer program or computer hardware such as a packet capture appliance that can analyze and log traffic that passes over a computer network or part of a network. Packet capt ...

to capture sensitive data being transmitted between other computers, which would not be accessible were the switch operating normally. The attacker may also follow up with an

ARP spoofing In computer networking, ARP spoofing (also ARP cache poisoning or ARP poison routing) is a technique by which an attacker sends ( spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Generally, the aim is to associate ...

attack which will allow them to retain access to privileged data after switches recover from the initial MAC flooding attack. MAC flooding can also be used as a rudimentary VLAN hopping attack.

Countermeasures

To prevent MAC flooding attacks, network operators usually rely on the presence of one or more features in their network equipment: * With a feature often called "port security" by vendors, many advanced switches can be configured to limit the number of MAC addresses that can be learned on ports connected to end stations. A smaller table of ''secure'' MAC addresses is maintained in addition to (and as a subset to) the conventional MAC address table. * Many vendors allow discovered MAC addresses to be authenticated against an authentication, authorization and accounting (AAA) server and subsequently filtered. * Implementations of IEEE 802.1X suites often allow packet filtering rules to be installed explicitly by an AAA server based on dynamically learned information about clients, including the MAC address. * Security features to prevent

IP address spoofing In computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a false source IP address, for the purpose of impersonating another computing system. Background The basic protocol for sending ...

in some cases may also perform additional MAC address filtering on unicast packets, however this is an implementation-dependent side-effect. * Additional security measures are sometimes applied along with the above to prevent normal unicast flooding for unknown MAC addresses. This feature usually relies on the "port security" feature to retain all ''secure'' MAC addresses for at least as long as they remain in the ARP table of layer 3 devices. Hence, the aging time of learned ''secure'' MAC addresses is separately adjustable. This feature prevents packets from flooding under normal operational circumstances, as well as mitigating the effects of a MAC flood attack.

References

{{DEFAULTSORT:Mac Flooding Ethernet Computer network security