MAC Flooding Attack

Unlike a hub, a switch is a network device that typically does not forward a received Ethernet frame to all switchport except the port from which it previously received the frame. Instead, it looks up the frame's destination MAC address in its Content Addressable Memory (CAM) aka MAC address table. If a match is found, the switch finds the switch port paired with the destination MAC address and sends it through that single port. If a source MAC address of the frame is not in the CAM, the switch sends the frame to all switch ports in the hope that the frame will eventually reach the destination.

So, the question now is how the switch fills the CAM table with the MAC addresses. The MAC learning process is simple; if the source MAC address in a received frame is not already in CAM the frame is "unknown" for he switch. The switch will store the MAC address along with the name of the switchport (e.g. GigabitEthernet0/0) and VLAN ID into the CAM.

Note: CAM can only store a limited number of MAC addresses. The aging time indicates how long the switch retains a MAC address in CAM memory. When the timeout for a particular MAC is reached, the switch removes that MAC from the CAM.

The MAC flooding attack exploits the switch's MAC address learning and forwarding decisions for unknown frames. The attacker's goal is to flood the CAM tables of all switches in a network segment (or VLAN) with a large number of spoofed MAC addresses. As a result, switches cannot store any other MAC addresses in their CAM tables because they are all full of spoofed MAC addresses. The switches are then forced to send legitimate frames to all their switch ports because this is how they operate when receiving an unknown frame. Using the routing analogy, there are no "learned routes" in the routing table (CAM), so the switch simply uses the "default route" - it sends the frame through all its ports.

If the attacker continues to send a large number of fake frames, the CAMs of all switches will soon be full. Finally, although a legitimate frame reaches its destination, a copy of it also ends up in a part of the network where it should not be. An attacker connected to a switch port on this network segment can thus intercept the traffic of other users.

MAC Flooding Attack

Our network topology consists of two Cisco switches S1 and S2, router R1, and two hosts PC1 and Kali Linux (Figure 1).

Figure 1 - MAC Flooding with Scapy

A MAC address flooding attack can be launched with just two commands of the interactive Scapy packet manipulation program. which is installed on Kali Linux. Open terminal and and start Scapy console with root privileges.

$ sudo su
# scapy

Create L2 frame pkt with a random source MAC address and destination MAC which is L2 broadcast.

>>> pkt = Ether(dst="ff:ff:ff:ff:ff:ff", src=RandMAC())

Start sending an L2 frame in a loop from the eth0 interface with a 0-second interval between frames. Increase the interval if necessary to slow down the sending of frames.

>> sendp(pkt, iface="eth0", loop=1, inter=0)

A MAC flooding attack is noisy and can be easily detected by checking the switch's CAM table and discovering a large number of MAC addresses associated with an access port (Figure 1).

S1# show mac address-table

Figure 2 - Checking CAM Table of Switch S1

Checking the number of all learned MAC addresses on the switches is also helpful. Figures 3 and 4 show the number of MAC addresses assigned to all ports on switches S2 and S1.

Figure 3 - Total Number of MAC Addresses Learned by S2

The total number of MAC addresses learned by S1 is 19270 and is almost identical to the 12269 MAC addresses learned by S2 (Figure 4). If an attacker filled the entire CAM memory of both switches (a total of 68175608 MACs), he would be able to intercept the communication between PC1 and R1.

Figure 4 - Total Number of MAC Addresses Learned by S1

MAC Address Maximum Aging Time

The MAC address table can store a number of unicast address entries without flooding any frames. The switch uses an aging mechanism, defined by a configurable aging timer.  If an address remains inactive for a specified number of seconds, it is removed from the address table. The default aging time is 300 seconds for a Cisco switch.

The value of aging time can be configured with the following command:

S2(config)# mac address-table aging-time 0

A value of 0 disables aging, so the switch retains the MAC address in the CAM table until reboot.

In order to completely fill the CAM table with spoofed MAC addresses, the attacker must generate fake frames as quickly as possible, otherwise the aging time is reached and the MAC addresses are removed from the CAM. As a result, user traffic will not be sent through all switch ports. The performance of generating fake frames is therefore crucial and we will try to find the best method to achieve this.

Testing Performance of Generating Spoofed Ethernet frames with Different Scapy Methods

1. Generating and Sending Frames One by One with Sendp

The mac_flooding1.py script is pretty self-explanatory; it uses sendp to generate the frame at layer 2 and sends it over the eth0 interface. In total, 100 000 frames are generated and sent, and it takes almost 30 seconds (Figure 5).

$ sudo su
# time python3 ./mac_flooding1.py

Figure 5 - Performance of MAC_Flooding 1 Script

2. Sending Frames from Pcap File with Sendp

First, we use the generate_pcap.py script to create the spoofed_frames.pcap file which contains 100 000 spoofed Ethernet frames.

$ sudo su
# python3 ./generate_pcap.py

Count the packets in the pcap file using tshark to verify that the pcap file was successfully generated:

# tshark -r spoofed_frames.pcap | wc -l

Run the mac_flooding2.py script, which reads the spoofed_frames.pcap file and sends the packets it contains using the sendp command:

# time python3 ./mac_flooding2.py

Figure 6 - Performance of MAC_Flooding 2 Script

It takes almost 27 seconds to read and send packets from a pcap file. The performance is slightly better, but the result is not impressive.

3. Sending Frames from Pcap File with Tcpreplay

Finally, we will send packets much faster on layer 2 using the mac_flooding3.py. We will use the same pcap file spoofed_frames.pcap that we created during the second test. Before the test, however, we need to install the tcpreplay program, which is a utility to replay saved tcp dumps at any speed. We can check this with the command:

# dpkg -l | grep tcpreplay

When tcpreplay is installed we can run our script:

# time python3 ./mac_flooding3.py

Figure 7 - Performance of MAC_Flooding 3 Script

It takes approximately 14 seconds to read and send packets from a pcap file. This is the best performance achieved, so we recommend this method to quickly populate the switch's CAM table with spoofed MAC addresses.

In the next section, we will discuss methods that we can use to prevent or stop a MAC flooding attack.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.