MAC flooding

In computer networking, a media access control attack or MAC flooding is a technique employed to compromise the security of network switches. The attack works by forcing legitimate MAC table contents out of the switch and forcing a unicast flooding behavior, potentially sending sensitive information to portions of the network where it is not normally intended to go.


Attack method

Switches maintain a MAC table that maps individual MAC addresses on the network to the physical ports on the switch. This allows the switch to direct data out of the physical port where the recipient is located, as opposed to indiscriminately broadcasting the data out of all ports as an Ethernet hub does. The advantage of this method is that data is bridged exclusively to the network segment containing the computer that the data is specifically destined for.

In a typical MAC flooding attack, a switch is fed many Ethernet frames, each containing a different source MAC address, by the attacker. The intention is to consume the limited memory set aside in the switch to store the MAC address table. The effect of this attack may vary across implementations; however, the effect desired by the attacker is to force legitimate MAC addresses out of the MAC address table, causing significant quantities of incoming frames to be flooded out on all ports. It is from this flooding behavior that the MAC flooding attack gets its name.

After launching a successful MAC flooding attack, a malicious user can use a packet analyzer to capture sensitive data being transmitted between other computers, which would not be accessible were the switch operating normally. The attacker may also follow up with an ARP spoofing attack, which will allow them to retain access to privileged data after switches recover from the initial MAC flooding attack. MAC flooding can also be used as a rudimentary VLAN hopping attack.


Countermeasures

To prevent MAC flooding attacks, network operators usually rely on the presence of one or more features in their network equipment:

* With a feature often called "port security" by vendors, many advanced switches can be configured to limit the number of MAC addresses that can be learned on ports connected to end stations. A smaller table of ''secure'' MAC addresses is maintained in addition to (and as a subset of) the traditional MAC address table.
* Many vendors allow discovered MAC addresses to be authenticated against an authentication, authorization and accounting (AAA) server and subsequently filtered.
* Implementations of IEEE 802.1X suites often allow packet filtering rules to be installed explicitly by an AAA server based on dynamically learned information about clients, including the MAC address.
* Security features to prevent ARP spoofing or IP address spoofing may in some cases also perform additional MAC address filtering on unicast packets; however, this is an implementation-dependent side effect.
* Additional security measures are sometimes applied along with the above to prevent normal unicast flooding for unknown MAC addresses. This feature usually relies on the "port security" feature to retain all ''secure'' MAC addresses for at least as long as they remain in the ARP table of layer 3 devices. Hence, the aging time of learned ''secure'' MAC addresses is separately adjustable. This feature prevents packets from flooding under normal operational circumstances, as well as mitigating the effects of a MAC flood attack.
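The table-eviction mechanism described under "Attack method" and the per-port learning limit of "port security" from the list above, shown together in a small simulation. This is an added teaching model, not code from the article or from any switch vendor; the switch model, port numbers, MAC addresses and table size of 8 are all constructed.

```python
from collections import OrderedDict

class Switch:
    """Teaching model of a learning switch with a bounded MAC table
    (constructed; not any vendor's implementation)."""

    def __init__(self, ports, table_size, max_macs_per_port=None):
        self.ports = set(ports)
        self.table_size = table_size
        self.max_macs_per_port = max_macs_per_port  # None: port security off
        self.table = OrderedDict()                   # mac -> port, oldest first
        self.violations = {p: 0 for p in ports}      # port-security counters

    def _learn(self, mac, ingress):
        if mac in self.table:
            self.table.move_to_end(mac)              # refresh an existing entry
            self.table[mac] = ingress
            return True
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.table.values() if p == ingress)
            if on_port >= self.max_macs_per_port:
                self.violations[ingress] += 1        # refuse to learn, record it
                return False
        if len(self.table) >= self.table_size:
            self.table.popitem(last=False)           # table full: evict oldest
        self.table[mac] = ingress
        return True

    def forward(self, src, dst, ingress):
        """Return the set of egress ports for one frame (empty = dropped)."""
        if not self._learn(src, ingress):
            return set()
        if dst in self.table:
            return {self.table[dst]} - {ingress}
        return self.ports - {ingress}                # unknown unicast: flood

def scenario(max_macs_per_port=None):
    """Host A on port 1, host B on port 2, many sources on port 3; returns
    (egress ports for a later B->A frame, port-security violations on port 3)."""
    sw = Switch(ports=[1, 2, 3], table_size=8, max_macs_per_port=max_macs_per_port)
    bcast = "ff:ff:ff:ff:ff:ff"
    sw.forward("aa:aa:aa:aa:aa:01", bcast, 1)        # A is learned on port 1
    sw.forward("bb:bb:bb:bb:bb:02", bcast, 2)        # B is learned on port 2
    for i in range(20):                              # 20 distinct sources on port 3
        sw.forward(f"02:00:00:00:00:{i:02x}", bcast, 3)
    egress = sw.forward("bb:bb:bb:bb:bb:02", "aa:aa:aa:aa:aa:01", 2)
    return egress, sw.violations[3]

print(scenario())   # ({1, 3}, 0): A was evicted, so the B->A frame also reaches port 3
print(scenario(2))  # ({1}, 18): port security keeps A's entry; frame goes to port 1 only
```

The second run also shows where a defender gets its signal: the per-port violation counter is the value that port security implementations log or act on when a port exceeds its learning limit.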

