Protecting Against MAC Flooding Attack

In the "MAC Flooding Attack" tutorial, we explained how to easily saturate the MAC address table (CAM table) of a switch with a large number of MAC addresses. With just a few lines of Python code and the Scapy manipulation program, we turned a switch into a legacy hub device. As a result, the switch started to broadcast received Ethernet frames through all its ports, except for the port the frame was received on.

Cisco has implemented a feature, called switchport port-security, to protect against this type of attack. We can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port.

Let's demonstrate the port security configuration on the Cisco S2 switch, shown in Figure 1. The attacker's Kali Linux machine is connected to the Fa0/1 interface, and our task is to stop the MAC flooding attack.


Figure 1 - Cisco Switch S2 with Configured Port Security

Firstly, we will check the MAC addresses that the switch S2 learned on its port Fa0/1 (Figure 2). The MAC address 9c:2d:cd:11:85:e5 is a dynamically learned MAC of Kali Linux.

S2# show mac address-table interface FastEthernet 0/1

Figure 2 - S2 CAM Table for Interface Fa0/1

1. Secure Dynamic MAC Addresses

We configure port Fa0/1 as an access port so that it never becomes a trunk port regardless of the state of the port at the other end of the link.

S2(config)# interface FastEthernet 0/1
S2(config-if)# switchport mode access

Note: An access port is a port that can be assigned to a single VLAN. It is used to connect the end host to the network.

Now we define the maximum number of secure MAC addresses for port Fa0/1. Let's say that we expect a maximum of three MAC addresses on port Fa0/1, so we can connect three end hosts to the port:

S2(config-if)# switchport port-security maximum 3

Note: When a Cisco IP phone is connected to a switch access port, the number of MAC addresses assigned to the port can reach 3. These are the MAC address of the phone in the access (data) VLAN, the MAC address of the phone in the voice VLAN, and finally the MAC address of the computer connected to the phone.

Now we will configure the port-security mode, which defines how a switch reacts to a security violation on port Fa0/1:

S2(config-if)# switchport port-security violation shutdown

  • Shutdown: This is the default mode. In this mode, a port security violation causes the interface to immediately become error-disabled, and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter.
  • Restrict: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until we remove a sufficient number of secure MAC addresses. We can also increase the number of maximum allowable addresses. In this mode, we are notified that a security violation has occurred. Specifically, an SNMP trap is sent, a syslog message is logged, and the violation counter increments.
  • Protect: Same as Restrict mode but we are not notified that a security violation has occurred.

As the final step, we need to enable port-security on port Fa0/1:

S2(config-if)# switchport port-security

The configuration of port Fa0/1 is shown in Figure 3. The port security mode "disable" is the default mode, so the line with this configuration is not visible.

Figure 3 -  Fa0/1 Port Security Configuration

To check the contents of the secure MAC address table, enter the command below (Figure 4):

S2# show port-security address

Figure 4 - S2 Secure MAC Address Table with KALI Linux MAC Address Learned Dynamically

The Secure MAC Address Table of switch S2 contains an entry with the MAC address of Kali Linux 9c:2d:cd:11:85:e5, and it is assigned to port Fa0/1. The MAC address is type "Secure Dynamic" which means that it is learnt dynamically and stored only in the address table. Dynamically learned MAC addresses are removed when the switch is rebooted.

We can check the port-security configuration of port Fa0/1 with the command below (Figure 5):

S2# show port-security interface fastEthernet 0/1

Figure 5 - Checking Port Security Statistics, Status and Configuration for Fa0/1

The port status is Secure-up. If a port security violation occurs on the port, we will see the "Port Status" as "Secure-Down".

The "Total MAC addresses" count is 1 out of the maximum of three configured MAC addresses. This is the Kali Linux MAC address, learned by the switch itself. Two slots for unknown source MAC addresses are still available, so the "Security Violation Count" is zero. If switch S2 detected an Ethernet frame with a fourth unknown source MAC address on Fa0/1, the "Security Violation Count" would be incremented to 1.

Let's use Scapy on Kali to generate two Ethernet frames with a random source MAC address and the broadcast destination MAC address, and send them to S2.

Kali$ sudo su
Kali# scapy

Kali# pkt = Ether(dst="ff:ff:ff:ff:ff:ff", src=RandMAC())

Kali# sendp(pkt, iface="eth0", count=2)

Done. Now check the secure MAC table again (Figure 6):

S2# show port-security address

Figure 6 - S2 Secure MAC Address Table with Three MAC Address Learned Dynamically

There are three MAC addresses stored in the Secure MAC Address Table; all are dynamically learned. We can also check the port security statistics for Fa0/1 again (Figure 7):

S2# show port-security interface fastEthernet 0/1

Figure 7 - Checking Port Security Statistics, Status and Configuration for Fa0/1

Aging is disabled, so MAC addresses are kept in the CAM table until the switch is rebooted.

Generate an Ethernet frame with another new random source MAC address and send it to S2.

Kali# sendp(pkt, iface="eth0", count=1)

The port Fa0/1 will go to error-disable state (Figure 8):

S2# show interfaces status err-disabled

Figure 8 - Interface Fa0/1 in Error Disabled State

When a secure port is in the error-disabled state, we can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or we can manually re-enable it by entering the shutdown and no shutdown interface configuration commands:

S2(config)# interface fastEthernet 0/1
S2(config-if)# shutdown
S2(config-if)# no shutdown

2.  Secure Static MAC Addresses

We can define the MAC addresses of hosts that can connect to the switch by adding them to the "Secure MAC Address Table". These are "Static secure" MAC addresses that are stored in the switch configuration file, so they will remain in the table even after the switch is rebooted. The number of statically configured MAC addresses on a port must be equal to or less than the maximum number of MAC addresses configured for that port.

The MAC address of the Kali Linux system is 9c2d.cd11.85e5, so we can configure it as a secure static MAC address:

S2(config)# interface fastEthernet 0/1
S2(config-if)# shutdown
S2(config-if)# switchport mode access
S2(config-if)# switchport port-security maximum 3
S2(config-if)# switchport port-security mac-address 9c2d.cd11.85e5
S2(config-if)# switchport port-security
S2(config-if)# no shutdown

Figure 9 - Static Secure MAC Address of KALI Linux Stored in Secure MAC Address Table of S2

We have configured one secure MAC address, leaving two slots for two additional MAC addresses. They can be statically configured or dynamically learned. We will send two additional Ethernet frames to S2 with different source MAC addresses:

Kali# sendp(pkt, iface="eth0", count=2)

Figure 10 - Static and Dynamic Secure MAC Addresses in Secure MAC Address Table of S2

The first and third MAC addresses are of type SecureDynamic, learned by the switch, and will not survive a switch reboot. The second MAC address 9c2d.cd11.85e5 is the Kali Linux address that we have already configured. The port status is Secure-up, because we have not exceeded the limit of maximum 3 MAC addresses. Therefore, the number of security violations is still zero (Figure 11).

Figure 11 - Maximum Limit of Three MAC Addresses on Port Fa0/1 of S2 Reached

After resending the Ethernet frame to S2, port Fa0/1 switches from Secure-up to Secure-Shutdown (Figure 12).

Kali# sendp(pkt, iface="eth0", count=1)


Figure 12 - Interface Fa0/1 in Secure-shutdown State

The interface Fa0/1 is now in error-disabled state.
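To make the violation modes listed in section 1 and the static/dynamic table behaviour of section 2 concrete, here is a small Python model of a port-security enabled port that replays the section 2 walk-through. This is an added example written for this page, not Cisco code or the tutorial's own Scapy script; the source MAC addresses other than the Kali address are constructed placeholders, and resetting the violation counter on reload is a simplifying assumption.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    maximum: int = 1
    violation: str = "shutdown"   # "shutdown" | "restrict" | "protect"
    secure: dict = field(default_factory=dict)  # mac -> "SecureConfigured" | "SecureDynamic"
    status: str = "Secure-up"
    violation_count: int = 0

    def add_static(self, mac):
        """switchport port-security mac-address <mac>; must fit within 'maximum'."""
        if mac not in self.secure and len(self.secure) >= self.maximum:
            raise ValueError("static secure MACs must not exceed the configured maximum")
        self.secure[mac] = "SecureConfigured"

    def receive(self, src_mac):
        """Handle one ingress frame; return 'forward', 'learned' or 'drop'."""
        if self.status == "Secure-shutdown":
            return "drop"                          # err-disabled: nothing passes
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[src_mac] = "SecureDynamic"  # free slot: learn it
            return "learned"
        # Table full and source unknown: this is a security violation.
        if self.violation == "shutdown":
            self.status = "Secure-shutdown"        # interface goes err-disabled
            self.violation_count += 1
        elif self.violation == "restrict":
            self.violation_count += 1              # dropped, counted and logged
        # "protect": dropped silently, no counter, no log
        return "drop"

    def reboot(self):
        """Reload: dynamic entries vanish, configured ones survive (counter reset assumed)."""
        self.secure = {m: t for m, t in self.secure.items() if t == "SecureConfigured"}
        self.status, self.violation_count = "Secure-up", 0

    def recover(self):
        """shutdown / no shutdown (or errdisable recovery) re-enables the port."""
        self.status = "Secure-up"


def replay_section_2():
    """Static Kali MAC, maximum 3, then three frames with constructed random MACs."""
    port = SecurePort(maximum=3, violation="shutdown")
    port.add_static("9c2d.cd11.85e5")
    seen = [port.receive(m) for m in ("0a11.2233.4455", "0a66.7788.99aa", "0abb.ccdd.eeff")]
    return seen, port.status, port.violation_count
```

The third unknown frame is the one that pushes the port into Secure-shutdown with a violation count of 1, matching Figure 12.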

End.
