MAC address flooding attack is very common security attack. MAC address table in a switch has the MAC addresses available on a given physical port of a switch and the associated VLAN parameters for each.
MAC flooding attacks are sometimes called MAC address table overflow attacks. To understand the mechanism of a MAC address table overflow attack we must recall how does a switch work in the first place.
Switch before attack（正常工作状态）
When switch receives a frame, the switch looks in the MAC address table (sometimes called CAM table) for the destination MAC address. Cisco Catalyst switch models use a MAC address table for Layer 2 switching. When frames arrive on switch ports, the source MAC addresses are learned from Layer 2 packet header and recorded in the MAC address table. If the switch has already learned the mac address of the computer connected to his particular port then an entry exists for the MAC address. In this case the switch forwards the frame to the MAC address port designated in the MAC address table. If the MAC address does not exist, the switch acts like a hub and forwards the frame out every other port on the switch.
Picture 1 – Switch acts as hub with empty mac address table（交换机广播数据帧）
Computer A sends traffic to computer B. The switch receives the frames and looks up the destination MAC address in its MAC address table. If the switch does not have the destination MAC in the MAC address table, the switch then copies the frame and sends it out every switch port like a broadcast. This means that not only PC B receives the frame, PC C also receives the frame from host A to host B, but because the destination MAC address of that frame is host B, host C drops that frame.
Picture 2 – Switch learns mac address from source MAC address in the layer 2 headers from frames – switch is populating his mac table
Normal switch function
PC B receives the frame and sends a reply to PC A. The switch then learns that the MAC address for PC B is located on port 2 and writes that information into the MAC address table. From now on any frame sent by host A (or any other host) to host B is forwarded to port 2 of the switch and not broadcast out every port. The switch is working like it should. This is the main goal of switch functionality, to have separate collision domain for each port on the switch.
Picture 3 – When the switch learns about all MAC addresses on his different ports switch acts like switch – mac address table complete
But this is where the attacker is coming into play. The key to understanding how MAC address table overflow attacks work is to know that MAC address tables are limited in size. MAC flooding makes use of this limitation to send to the switch a whole bunch of fake source MAC addresses until the switch MAC address table is fully loaded and can not save any more MAC address – Port mapping entries. The switch then enters into a fail-open mode that means that it starts acting as a hub. In this situation switch will broadcasts all received packets to all the machines on thenetwork. As a result, the attacker (in our case “PC C”) can see all the frames sent from a victim host to another host without a MAC address table entry.
Picture 4 – Switch Mac flooding attack will populate the entire mac address table with bogus mac addresses