MAC address flooding attack in campus network

Theory

A hub is a network device that forwards every received Ethernet frame out of all its ports except the one on which the frame arrived. This is not a secure method, because all traffic is sent to every port and can be captured by an attacker connected to any of them.

Unlike a hub, a switch forwards traffic according to the destination MAC address in the received Ethernet frame. It must be able to inspect the Ethernet header and choose the outgoing switch port within a particular VLAN. To do this it maintains a MAC address table in which it can look up a destination MAC address and find the outgoing port and VLAN.

Below is the MAC address table of an 8-port Cisco Catalyst 2960 switch. Notice the last entry (VLAN 100, 001a.4b79.70b8, Fa0/1), the only dynamically learned one; the other entries are the switch's own reserved multicast and broadcast addresses, which are always punted to the CPU. If the switch receives a frame with destination MAC address 001a.4b79.70b8 on port Fa0/4, and Fa0/4 is in VLAN 100, it switches the frame to port Fa0/1.

2960-I#show mac address-table

Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
All    0100.0ccc.cccc    STATIC      CPU
All    0100.0ccc.cccd    STATIC      CPU
All    0180.c200.0000    STATIC      CPU
All    0180.c200.0001    STATIC      CPU
All    0180.c200.0002    STATIC      CPU
All    0180.c200.0003    STATIC      CPU
All    0180.c200.0004    STATIC      CPU
All    0180.c200.0005    STATIC      CPU
All    0180.c200.0006    STATIC      CPU
All    0180.c200.0007    STATIC      CPU
All    0180.c200.0008    STATIC      CPU
All    0180.c200.0009    STATIC      CPU
All    0180.c200.000a    STATIC      CPU
All    0180.c200.000b    STATIC      CPU
All    0180.c200.000c    STATIC      CPU
All    0180.c200.000d    STATIC      CPU
All    0180.c200.000e    STATIC      CPU
All    0180.c200.000f    STATIC      CPU
All    0180.c200.0010    STATIC      CPU
All    ffff.ffff.ffff    STATIC      CPU
100    001a.4b79.70b8    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 21

If port Fa0/4 is in VLAN 200, the switch cannot use any entry in the MAC address table, because there is no entry for that MAC address in VLAN 200. To make sure the frame is still delivered to the end PC, it floods the frame out of all ports in VLAN 200 except Fa0/4 (unknown-unicast flooding).

How do MAC addresses get into the switch's MAC address table? They can be added as static entries by the administrator:

2960-I(config)#mac address-table static 0000.aaaa.bbbb vlan 100 interface Fa 0/5

This command binds MAC address 0000.aaaa.bbbb to port Fa0/5 in VLAN 100. There are now 22 MAC addresses in the table in total.

2960-I#show mac address-table

Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
All    0100.0ccc.cccc    STATIC      CPU
All    0100.0ccc.cccd    STATIC      CPU
All    0180.c200.0000    STATIC      CPU
All    0180.c200.0001    STATIC      CPU
All    0180.c200.0002    STATIC      CPU
All    0180.c200.0003    STATIC      CPU
All    0180.c200.0004    STATIC      CPU
All    0180.c200.0005    STATIC      CPU
All    0180.c200.0006    STATIC      CPU
All    0180.c200.0007    STATIC      CPU
All    0180.c200.0008    STATIC      CPU
All    0180.c200.0009    STATIC      CPU
All    0180.c200.000a    STATIC      CPU
All    0180.c200.000b    STATIC      CPU
All    0180.c200.000c    STATIC      CPU
All    0180.c200.000d    STATIC      CPU
All    0180.c200.000e    STATIC      CPU
All    0180.c200.000f    STATIC      CPU
All    0180.c200.0010    STATIC      CPU
All    ffff.ffff.ffff    STATIC      CPU
100    0000.aaaa.bbbb    STATIC      Fa0/5
100    001a.4b79.70b8    DYNAMIC     Fa0/1

Total Mac Addresses for this criterion: 22

MAC addresses are also learned dynamically by the switch. The switch does not only look up the destination MAC address of a received frame; it also takes the source MAC address from the Ethernet header and copies it into the MAC address table. This source address is the MAC of a network card (or other network device) and is remembered together with the port on which the frame arrived and the VLAN of that port.

Dynamically learned addresses are marked DYNAMIC in the MAC address table, and manually configured ones are marked STATIC.

A MAC flooding attack is a method of forcing a switch to behave like a hub. The attacked switch sends traffic out of every port, so traffic (phone calls, password hashes, etc.) can be captured by the attacker.

The idea is simple: a switch can learn only a limited number of MAC addresses, because the MAC address table is a fixed-size hardware resource. Once that limit is reached the table is full, the switch cannot learn any new address, and traffic to any destination that is not in the table is flooded out of every port in the VLAN where the attack started. Hosts whose entries are already in the table keep being switched normally until their entries age out and cannot be relearned, so quiet hosts that rarely send are the first to be exposed. The limit is shared by the whole switch, so fake addresses learned in one VLAN also consume the space available to every other VLAN, even though the resulting flooding stays inside the VLAN of the frame.

All the attacker needs to do is poison the switch with enough fake source MAC addresses to fill the entire table. The switch learns these fake addresses, and because their destination addresses are unknown as well, the fake frames are flooded out of all ports in that VLAN. Other switches in the campus network receive them, learn the fake addresses too and flood them further.

After some time, every switch that has a port in the VLAN where the attack started has a MAC address table full of fake addresses. Normal user traffic in that VLAN is flooded out of all switch ports, and if the attack runs long enough the attacker can capture the data he is after.

When the attacker has captured enough data he stops the attack. Once the aging time expires (300 seconds by default on Catalyst switches), the fake MAC addresses are removed from the MAC address table and the switch returns to normal forwarding.
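The mechanism described above can be reproduced without a switch. The following Python simulation is an added example, not code from the original post: it models a learning switch with a bounded MAC address table and replays a macof-style stream of random source addresses through it. The table size (64) is scaled down from the roughly 8000 entries that the page's "show mac address-table count" output shows, the 300-tick aging time mirrors the Catalyst default of 300 seconds, and the ports, hosts and MAC addresses are constructed for the simulation.

```python
"""Simulate a transparent (learning) switch with a bounded MAC address table
and replay a macof-style flood through it.

Added example, not code from the original post. Table size, aging time,
ports and MAC addresses are constructed assumptions (see the lead-in).
"""
import os


class Switch:
    """Learn the source MAC on ingress, forward by destination MAC, and flood
    unknown unicast to every other port in the same VLAN."""

    def __init__(self, ports, table_size, aging_time=300):
        self.ports = ports                # {port_name: access_vlan}
        self.table_size = table_size      # hardware limit of the MAC table
        self.aging_time = aging_time      # entries unseen this long are removed
        self.table = {}                   # (vlan, mac) -> (port, last_seen)
        self.learn_failures = 0           # frames whose source could not be learned
        self.flooded = 0
        self.switched = 0

    def _age(self, now):
        expired = [k for k, (_, seen) in self.table.items()
                   if now - seen > self.aging_time]
        for k in expired:
            del self.table[k]

    def receive(self, in_port, src, dst, now):
        """Process one frame and return the list of egress ports."""
        vlan = self.ports[in_port]
        self._age(now)
        key = (vlan, src)
        if key in self.table:
            self.table[key] = (in_port, now)      # refresh an existing entry
        elif len(self.table) < self.table_size:
            self.table[key] = (in_port, now)      # learn a new address
        else:
            self.learn_failures += 1              # table full: nothing learned
        entry = self.table.get((vlan, dst))
        if entry is not None:
            self.switched += 1
            return [entry[0]]
        self.flooded += 1                          # unknown unicast: flood the VLAN
        return [p for p, v in self.ports.items() if v == vlan and p != in_port]


def random_mac():
    """macof-style random 48-bit address (locally administered, unicast)."""
    b = bytearray(os.urandom(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return ":".join(f"{x:02x}" for x in b)


def run_attack(table_size=64, aging_time=300, ticks=800):
    """Host A (Fa0/2) sends to the quiet host B (Fa0/3) on VLAN 100 while the
    attacker on Fa0/1 injects one random-source frame per tick. Returns the
    egress ports of A's first frame, a log of (tick, egress ports) for A's
    later frames, and the switch for inspection."""
    sw = Switch({"Fa0/1": 100, "Fa0/2": 100, "Fa0/3": 100, "Fa0/4": 200},
                table_size, aging_time)
    a_mac, b_mac = "00:1a:4b:79:70:b8", "00:00:aa:aa:bb:bb"
    sw.receive("Fa0/3", b_mac, a_mac, 0)          # B is learned on Fa0/3
    before = sw.receive("Fa0/2", a_mac, b_mac, 1)  # A -> B is switched, not flooded
    log = []
    for t in range(2, ticks):
        sw.receive("Fa0/1", random_mac(), random_mac(), t)
        if t == aging_time + 2:
            # B's entry has just aged out; the table is full of fresh fakes,
            # so B's next frame cannot be relearned
            sw.receive("Fa0/3", b_mac, a_mac, t)
        if t % 50 == 0:
            log.append((t, sw.receive("Fa0/2", a_mac, b_mac, t)))
    return before, log, sw


if __name__ == "__main__":
    before, log, sw = run_attack()
    print("before attack, A -> B egress:", before)
    for t, egress in log:
        print(f"tick {t:3d}: A -> B egress {egress}")
    print("learn failures:", sw.learn_failures, "table entries:", len(sw.table))
```

Up to tick 300 the A to B frames still leave only on Fa0/3, because B's entry is refreshed-or-intact even though the table is full; from tick 350 on they are flooded to Fa0/1 and Fa0/3 (never to Fa0/4, which is in VLAN 200). Against a real 8k-entry table at the 10,000 to 15,000 frames per second the post reports for macof, the filling phase takes well under a second.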

1. Installing DSNIFF tool:

You can perform a MAC flooding attack with the tool macof. It is part of dsniff, which can be installed on Fedora Linux with this command:

[root@Compaq8510w brezular]# yum install dsniff

2. Checking the MAC address table and CPU load before the attack

First check how many MAC addresses are in the table:

2960-I#show mac address-table count

Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count  : 0
Static  Address Count  : 0
Total Mac Addresses    : 0

Mac Entries for Vlan 100:
---------------------------
Dynamic Address Count  : 1
Static  Address Count  : 1
Total Mac Addresses    : 2

Total Mac Address Space Available: 8046

We can see that 2 MAC addresses are present in the MAC address table for VLAN 100 (the reserved CPU entries listed under "All" are not counted here). The first one was learned dynamically by the switch and the second one was added statically by the administrator. There is free space for another 8046 addresses.

Now check the current CPU load:

2960-I#show processes cpu
CPU utilization for five seconds: 5%/0%; one minute: 10%; five minutes: 11%

I am curious whether the MAC flooding attack has an impact on CPU load.

3. MAC address flooding attack

a) The first MAC address flooding attack

It is time to launch our first MAC flooding attack. We have a Cisco Catalyst 2960 (WS-C2960-8TC-L) with 8 FastEthernet ports, and FastEthernet 0/1 is connected to a Compaq 8510w laptop running Fedora 13 Linux with dsniff installed. Start the macof utility:

[root@Compaq8510w brezular]#macof

b6:c4:3:58:97:10 4b:99:65:4b:6f:6 0.0.0.0.56527 > 0.0.0.0.53481: S 1204762615:1204762615(0) win 512
1b:1b:f2:4f:53:27 61:dd:57:7c:38:47 0.0.0.0.48781 > 0.0.0.0.64071: S 1895482790:1895482790(0) win 512
54:c0:68:51:50:85 6c:3b:12:61:8a:70 0.0.0.0.54040 > 0.0.0.0.29400: S 352722634:352722634(0) win 512
1a:7f:7c:6f:8a:50 e7:b5:16:6d:48:53 0.0.0.0.55501 > 0.0.0.0.13256: S 2142129962:2142129962(0) win 512
42:63:9e:11:e5:b9 af:9c:37:63:9a:4e 0.0.0.0.26158 > 0.0.0.0.16299: S 1230975236:1230975236(0) win 512
f8:20:8c:7b:20:c bd:e6:61:3b:2:b9 0.0.0.0.11748 > 0.0.0.0.20420: S 1638533473:1638533473(0) win 512
51:a4:d8:3d:a2:d9 9c:b6:a2:7b:27:85 0.0.0.0.33558 > 0.0.0.0.34232: S 1602379134:1602379134(0) win 512
1d:27:2f:37:e2:31 5:f6:ce:15:33:de 0.0.0.0.24142 > 0.0.0.0.26282: S 1964332936:1964332936(0) win 512
ae:43:3e:72:42:2c 5b:35:5e:16:21:5f 0.0.0.0.30837 > 0.0.0.0.41119: S 647717601:647717601(0) win 512
a0:a6:5:5c:24:c1 b3:4a:c8:78:f2:55 0.0.0.0.178 > 0.0.0.0.23826: S 804427713:804427713(0) win 512
e4:bc:7b:28:9:13 5a:89:b2:4e:af:8c 0.0.0.0.20137 > 0.0.0.0.4418: S 1360529247:1360529247(0) win 512
7a:84:58:45:ef:63 ef:5f:f7:6c:15:4b 0.0.0.0.42497 > 0.0.0.0.30053: S 728605699:728605699(0) win 512

<output is truncated>

Plenty of frames are generated by the macof utility. Macof generates between 10,000 and 15,000 packets per second. Each packet is sent with random source and destination IP addresses and ports, and the source and destination MAC addresses are also different for every Ethernet frame, as the output above shows.

The attack is stopped after approximately 15 seconds. The following log messages appear on the switch console:

2960-I#
*Mar  1 01:08:39: %SYS-3-CPUHOG: Task is running for (2111)msecs, more than (2000)msecs (31/0),process = HLFM address learning process.
-Traceback= 5269A8 526AC8 509750 16D8C8 16F058 502F7C 5032FC 50343C 4FF06C 4FF1F0 11BB59C 11B2028
*Mar  1 01:08:41: %SYS-3-CPUHOG: Task is running for (4222)msecs, more than (2000)msecs (69/0),process = HLFM address learning process.
-Traceback= 136DA74 136DB90 11614B4 116173C 4FB6F8 509698 16D8C8 16F058 502F7C 5032FC 50343C 4FF06C 4FF1F0 11BB59C 11B2028
*Mar  1 01:08:44: %SYS-3-CPUHOG: Task is running for (6331)msecs, more than (2000)msecs (98/0),process = HLFM address learning process.
-Traceback= 116248C 116291C 526940 528C38 5270CC 509B04 16D8C8 16F058 502F7C 5032FC 50343C 4FF06C 4FF1F0 11BB59C 11B2028
*Mar  1 01:08:46: %SYS-3-CPUHOG: Task is running for (8438)msecs, more than (2000)msecs (125/0),process = HLFM address learning process.
-Traceback= 1162734 116291C 528BEC 5270CC 509B04 16D8C8 16F058 502F7C 5032FC 50343C 4FF06C 4FF1F0 11BB59C 11B2028
*Mar  1 01:08:48: %SYS-3-CPUHOG: Task is running for (10537)msecs, more than (2000)msecs (137/0),process = HLFM address learning process.
-Traceback= 5269AC 526AC8 509750 16D8C8 16F058 502F7C 5032FC 50343C 4FF06C 4FF1F0 11BB59C 11B2028
2960-I#

The MAC address learning process (HLFM) runs for more than 2 seconds at a time, and the switch reports it as a CPU hog.

The output below shows the CPU utilization immediately after the end of the attack. The CPU load over the last five seconds is 95% (10% of it at interrupt level). Apparently this high CPU utilization is caused by the MAC flooding attack.

2960-I#show processes cpu
CPU utilization for five seconds: 95%/10%; one minute: 12%; five minutes: 7%
PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
1           0         8          0  0.00%  0.00%  0.00%   0 Chunk Manager
2           0       150          0  0.00%  0.00%  0.00%   0 Load Meter
3           0         2          0  0.00%  0.00%  0.00%   0 SpanTree Helper
4        1125       156       7211  0.00%  0.08%  0.05%   0 Check heaps

<output is truncated>

b) The second MAC address flooding attack

I will repeat the MAC address flooding to be sure that the high CPU utilization is caused by the attack. I wait a short time, and after a few seconds the CPU utilization goes back to 5% (the value before the attack). I start the second attack and show the CPU utilization immediately after the end of the flooding (Ctrl-C stops the macof utility).

2960-I#show processes cpu
CPU utilization for five seconds: 96%/10%; one minute: 12%; five minutes: 6%
PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process

Now we can be sure that this type of attack impacts the CPU of the Cisco Catalyst 2960 switch.

The output below shows the number of MAC addresses we forced the switch to learn:

2960-I#show mac address-table count

Mac Entries for Vlan 100:
---------------------------
Dynamic Address Count  : 7962
Static  Address Count  : 1
Total Mac Addresses    : 7963

Total Mac Address Space Available: 78

The MAC address table is almost full: only 78 more addresses can be added, and once the table is full the switch can no longer learn new addresses and starts flooding normal user traffic out of all its ports.
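The two "show mac address-table count" snapshots and the CPUHOG messages above are also what a monitoring system would use to detect this attack. The following Python script is an added example, not code from the original post: it parses the count output and syslog lines and raises findings when the dynamic address count jumps, the free table space runs low, or the HLFM address learning process is reported as a CPU hog. The sample inputs are constructed from the outputs shown on this page, and the thresholds LOW_SPACE and LEARN_BURST are assumptions that a real deployment would tune.

```python
"""Detect a MAC flooding attack from Catalyst 'show mac address-table count'
snapshots and syslog lines.

Added example, not code from the original post. Sample inputs are constructed
from the page's outputs; LOW_SPACE and LEARN_BURST are assumed thresholds.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the two 'show mac address-table count' outputs from the page.
COUNT_BEFORE = """\
Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count  : 0
Static  Address Count  : 0
Total Mac Addresses    : 0

Mac Entries for Vlan 100:
---------------------------
Dynamic Address Count  : 1
Static  Address Count  : 1
Total Mac Addresses    : 2

Total Mac Address Space Available: 8046
"""

COUNT_AFTER = """\
Mac Entries for Vlan 100:
---------------------------
Dynamic Address Count  : 7962
Static  Address Count  : 1
Total Mac Addresses    : 7963

Total Mac Address Space Available: 78
"""

# Constructed sample syslog lines modelled on the console messages in the post.
SYSLOG = [
    "*Mar  1 01:08:39: %SYS-3-CPUHOG: Task is running for (2111)msecs, more than (2000)msecs (31/0),process = HLFM address learning process.",
    "*Mar  1 01:08:41: %SYS-3-CPUHOG: Task is running for (4222)msecs, more than (2000)msecs (69/0),process = HLFM address learning process.",
    "*Mar  1 01:08:44: %SYS-3-CPUHOG: Task is running for (6331)msecs, more than (2000)msecs (98/0),process = Check heaps.",
    "*Mar  1 01:08:50: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up",
]

VLAN_RE = re.compile(r"Mac Entries for Vlan (\d+):")
DYN_RE = re.compile(r"Dynamic Address Count\s*:\s*(\d+)")
AVAIL_RE = re.compile(r"Total Mac Address Space Available:\s*(\d+)")
CPUHOG_RE = re.compile(r"%SYS-3-CPUHOG: Task is running for \((\d+)\)msecs.*process = (.+?)\.?$")


@dataclass
class MacCount:
    dynamic_per_vlan: dict = field(default_factory=dict)
    space_available: int = 0

    @property
    def dynamic_total(self) -> int:
        return sum(self.dynamic_per_vlan.values())


def parse_mac_count(text: str) -> MacCount:
    """Parse the per-VLAN dynamic counts and the free table space."""
    result = MacCount()
    vlan = None
    for line in text.splitlines():
        m = VLAN_RE.search(line)
        if m:
            vlan = int(m.group(1))
            continue
        m = DYN_RE.search(line)
        if m and vlan is not None:
            result.dynamic_per_vlan[vlan] = int(m.group(1))
            continue
        m = AVAIL_RE.search(line)
        if m:
            result.space_available = int(m.group(1))
    return result


def hlfm_cpuhog_events(lines):
    """Return the durations (ms) of CPUHOG messages blamed on the HLFM
    address learning process, the symptom observed in the post."""
    durations = []
    for line in lines:
        m = CPUHOG_RE.search(line)
        if m and m.group(2).startswith("HLFM address learning"):
            durations.append(int(m.group(1)))
    return durations


LOW_SPACE = 512       # assumed: alert when fewer free entries than this remain
LEARN_BURST = 1000    # assumed: alert when this many new dynamic MACs appear between polls


def assess(before: MacCount, after: MacCount, syslog_lines):
    """Combine the indicators from two polls and the syslog into findings."""
    findings = []
    growth = after.dynamic_total - before.dynamic_total
    if growth >= LEARN_BURST:
        findings.append(f"dynamic MAC count grew by {growth} between polls")
    if after.space_available < LOW_SPACE:
        findings.append(f"only {after.space_available} MAC table entries free")
    hogs = hlfm_cpuhog_events(syslog_lines)
    if hogs:
        findings.append(f"{len(hogs)} CPUHOG events in HLFM address learning (max {max(hogs)} ms)")
    return findings


if __name__ == "__main__":
    for f in assess(parse_mac_count(COUNT_BEFORE), parse_mac_count(COUNT_AFTER), SYSLOG):
        print("ALERT:", f)
```

In practice the count output would come from a periodic SSH or SNMP poll and the syslog lines from the switch's logging host; the per-VLAN breakdown also tells you which VLAN, and therefore roughly which access ports, the fake addresses arrived on.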

c) The third MAC address flooding attack

In the second test we verified that the CPU of the 8-port Catalyst 2960 is impacted by the MAC flooding attack. In the third test I will keep the attack running for several minutes.

After five minutes the switch reloads, and after it boots this message appears on the console:

*Mar  1 01:01:44: %PLATFORM-1-CRASHED: System previously crashed with the following message:
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(53)SE2, RELEASE SOFTWARE (fc3)
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: Technical Support: http://www.cisco.com/techsupport
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: Copyright (c) 1986-2010 by Cisco Systems, Inc.
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: Compiled Wed 21-Apr-10 05:52 by prod_rel_team
*Mar  1 01:01:44: %PLATFORM-1-CRASHED:
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: Program Exception (0x0700)!
*Mar  1 01:01:44: %PLATFORM-1-CRASHED:
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: SRR0 = 0x031A5188  SRR1 = 0x00021200  SRR2 = 0x009F1E58  SRR3 = 0x00021200
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: ESR = 0x08000000  DEAR = 0x00000000  TSR = 0x84000000  DBSR = 0x00000000
*Mar  1 01:01:44: %PLATFORM-1-CRASHED:
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: CPU Register Context:
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: Vector = 0x00000700  PC = 0x031A5188  MSR = 0x00021200  CR = 0x30000035
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: LR = 0x031A5188  CTR = 0x00000000  XER = 0xE000007D
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: R0 = 0x00000001  R1 = 0x02650CD8  R2 = 0x00000000  R3 = 0x00000000
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: R4 = 0x031A5188  R5 = 0x004FB830  R6 = 0x02650CA0  R7 = 0x00000000
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: R8 = 0x00000000  R9 = 0x00000000  R10 = 0x019C2BFC  R11 = 0x01ED4F2C
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: R12 = 0x01ED8698  R13 = 0x00110000  R14 = 0x01C252AC  R15 = 0x01C252AC
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: R16 = 0x01540000  R17 = 0x00000000  R18 = 0x00000001  R19 = 0x00000000
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: R20 = 0x00000000  R21 = 0x0279A414  R22 = 0x00000000  R23 = 0x031AE004
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: R24 = 0x00000002  R25 = 0x004FB830  R26 = 0x00000000  R27 = 0x01ED81F4
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: R28 = 0x031A5188  R29 = 0x0264CD3C  R30 = 0x031A5188  R31 = 0x0264CD3C
*Mar  1 01:01:44: %PLATFORM-1-CRASHED:
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: Stack trace:
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: PC = 0x031A5188, SP = 0x02650CD8
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: Frame 00: SP = 0x02650D08    PC = 0x0000004D
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: Frame 01: SP = 0x02650D28    PC = 0x0116291C
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: Frame 02: SP = 0x02650D38    PC = 0x004FB834
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: Frame 03: SP = 0x02650DA8    PC = 0x00509AB4
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: Frame 04: SP = 0x02650DE8    PC = 0x0016D8C8
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: Frame 05: SP = 0x02650E18    PC = 0x0016F058
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: Frame 06: SP = 0x02650E68    PC = 0x00502F7C
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: Frame 07: SP = 0x02650E98    PC = 0x005032FC
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: Frame 08: SP = 0x02650EE8    PC = 0x0050343C
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: Frame 09: SP = 0x02650F48    PC = 0x004FF06C
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: Frame 10: SP = 0x02650F70    PC = 0x004FF1F0
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: Frame 11: SP = 0x02650F78    PC = 0x011BB59C
*Mar  1 01:01:44: %PLATFORM-1-CRASHED: Frame 12: SP = 0x00000000    PC = 0x011B2028
*Mar  1 01:01:44: %PLATFORM-1-CRASHED:
2960-I#

I repeated the third attack three times: twice the switch crashed after five minutes and once it kept working. I can't say that the switch crash is caused by the MAC flooding attack, but I think it might contribute a lot.

In theory, during a MAC address flooding attack the switch continues to work normally, except that it floods traffic out of its ports like a hub. It is worth noting, though, that the crash's stack trace (frames 0016D8C8, 0016F058, 00502F7C, 005032FC, 0050343C, 004FF06C, 004FF1F0, 011BB59C, 011B2028) contains the same return addresses as the tracebacks of the CPUHOG messages attributed to the HLFM address learning process, so the crash occurred on the same code path that the flood had kept busy.

4. Protection

We can mitigate the MAC address flooding attack by configuring port security on the access ports of the switch.

2960-I(config-if)#do show run int fa 0/1
Building configuration...

Current configuration : 159 bytes
!
interface FastEthernet0/1
switchport access vlan 100
switchport mode access
switchport nonegotiate
switchport port-security
spanning-tree portfast
end

With just this one line of configuration (switchport port-security) we limit the port to one MAC address: the defaults are a maximum of one secure address and the shutdown violation mode, as the output below shows.

2960-I#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

If frames with two different source MAC addresses appear on Fa0/1, the port is put into the error-disabled state, and only the administrator or the errdisable recovery mechanism can bring it up again. Note that in shutdown mode the legitimate host on that port loses connectivity too, which an attacker can abuse to knock a port offline; the restrict violation mode instead drops the offending frames and counts them while keeping the port up, and the maximum must be raised where more than one device (for example an IP phone with a PC behind it) legitimately shares the port.
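To see how the protection behaves under the same attack, the following Python model is an added example, not code from the original post or from Cisco. It mirrors the state fields of the "show port-security interface" output above (maximum addresses, violation mode, port status, violation count) and replays a stream of random source MACs against each violation mode. The restrict and protect modes and sticky learning are simplified models of the Cisco features rather than the switch's own implementation, and the frames are constructed.

```python
"""Model Catalyst port security on one access port and replay a MAC flood
against each violation mode.

Added example, not code from the original post. The behaviour is a
simplified model of the Cisco feature; frames and MACs are constructed.
"""
import os


class SecurePort:
    """Per-port secure-address table with the three Cisco violation modes."""

    VIOLATION_MODES = ("shutdown", "restrict", "protect")

    def __init__(self, name, maximum=1, violation="shutdown", sticky=False,
                 static=()):
        if violation not in self.VIOLATION_MODES:
            raise ValueError(f"unknown violation mode {violation!r}")
        self.name = name
        self.maximum = maximum                 # 'switchport port-security maximum'
        self.violation = violation             # 'switchport port-security violation'
        self.sticky = sticky                   # 'switchport port-security mac-address sticky'
        self.secure_addresses = set(static)    # statically configured addresses
        self.sticky_learned = set()            # would be written into running-config
        self.status = "Secure-up"
        self.violation_count = 0
        self.last_source = None

    def ingress(self, src):
        """Return True if the frame is accepted on this port, False if dropped."""
        if self.status == "Secure-shutdown":
            return False                       # err-disabled: everything is dropped
        self.last_source = src
        if src in self.secure_addresses:
            return True
        if len(self.secure_addresses) < self.maximum:
            self.secure_addresses.add(src)     # dynamically secured address
            if self.sticky:
                self.sticky_learned.add(src)
            return True
        # Limit reached and the source is not a secure address: a violation.
        if self.violation == "shutdown":
            self.status = "Secure-shutdown"    # port goes err-disabled
            self.violation_count += 1
        elif self.violation == "restrict":
            self.violation_count += 1          # dropped, counted and logged
        # protect: dropped silently
        return False


def random_mac():
    """macof-style random 48-bit address (locally administered, unicast)."""
    b = bytearray(os.urandom(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return ":".join(f"{x:02x}" for x in b)


def replay(port, sources):
    """Feed a sequence of source MACs through the port; return how many were accepted."""
    return sum(1 for src in sources if port.ingress(src))


def compare_modes(attack_frames=1000, legit="00:1a:4b:79:70:b8"):
    """Secure the legitimate host first, then flood. Returns per-mode results,
    including whether the legitimate host can still send afterwards."""
    attack = [random_mac() for _ in range(attack_frames)]
    results = {}
    for mode in SecurePort.VIOLATION_MODES:
        port = SecurePort("Fa0/1", maximum=1, violation=mode)
        port.ingress(legit)                    # the first address seen is secured
        accepted = replay(port, attack)
        results[mode] = {
            "accepted": accepted,
            "status": port.status,
            "violations": port.violation_count,
            "secure_addresses": len(port.secure_addresses),
            "legit_host_still_works": port.ingress(legit),
        }
    return results


if __name__ == "__main__":
    for mode, r in compare_modes().items():
        print(f"{mode:9s} {r}")
```

In every mode the fake addresses never reach the MAC address table, so the switch-wide limit stays intact. The difference is what happens to the port: shutdown err-disables it on the first violation and takes the legitimate host down with it, restrict keeps the port up and counts each violation, and protect keeps it up but gives the operator nothing to alert on.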

End.
