MAC Address Flooding – MAC address table overflow attacks (MAC flooding attack)

Concept

A MAC address flooding attack is a very common security attack. The MAC address table in a switch records the MAC addresses reachable through each physical port of the switch and the associated VLAN parameters for each entry.

MAC flooding attacks are sometimes called MAC address table overflow attacks. To understand the mechanism of a MAC address table overflow attack we must first recall how a switch works.

A MAC address flooding attack is a very common hacking technique. The MAC address table in a switch holds the physical (MAC) addresses associated with each physical port and VLAN. A MAC address flooding attack is also called a MAC address table overflow. To understand a MAC address table overflow attack, we first need to understand how a switch works.

Switch before attack (normal operation)

When a switch receives a frame, it looks in the MAC address table (sometimes called the CAM table) for the destination MAC address. Cisco Catalyst switch models use a MAC address table for Layer 2 switching. When frames arrive on switch ports, the source MAC addresses are learned from the Layer 2 frame header and recorded in the MAC address table. If the switch has already learned the MAC address of the computer connected to a particular port, an entry exists for that MAC address and the switch forwards the frame only to the port designated in the MAC address table. If the MAC address does not exist in the table, the switch acts like a hub and forwards the frame out every other port on the switch.

When a switch receives a frame, it looks up the destination MAC address of the target host in its MAC address table. Cisco switches use the MAC address table for Layer 2 switching. When a frame arrives on a switch port, the switch records the source MAC address in the MAC address table. If the destination host's MAC address already exists in the switch's MAC address table, the switch forwards the frame to the associated physical port (which may also be a virtual port); otherwise, the switch broadcasts it out every port.

Picture 1 – Switch acts as a hub with an empty MAC address table (the switch broadcasts the frame)

Computer A sends traffic to computer B. The switch receives the frames and looks up the destination MAC address in its MAC address table. If the switch does not have the destination MAC in the MAC address table, it copies the frame and sends it out every switch port like a broadcast. This means that not only PC B receives the frame: PC C also receives the frame from host A to host B, but because the destination MAC address of that frame is host B, host C drops it.

Host A communicates with host B. The switch receives the frame and looks up host B's MAC address in its MAC address table. If it is not found, the switch copies the frame and forwards it to all ports on the switch (broadcast). This means that not only host B receives the frame; host C also receives the frame that host A sent to host B, but since the frame is destined for host B, host C discards it.

Picture 2 – The switch learns MAC addresses from the source MAC address in the Layer 2 headers of frames and populates its MAC address table

Normal switch function

PC B receives the frame and sends a reply to PC A. The switch then learns that the MAC address of PC B is located on port 2 and writes that information into the MAC address table. From now on any frame sent by host A (or any other host) to host B is forwarded to port 2 of the switch and not broadcast out every port. The switch is working as it should. This is the main goal of switch functionality: a separate collision domain for each port on the switch.

Host B receives the frame and replies to host A. At this point the switch learns host B's MAC address on port 2 and adds this information to its MAC address table. From then on, every frame that host A (or any other host) sends to host B is forwarded to port 2 (unicast). This is how a switch works; the switch's primary function is to isolate a collision domain on each of its ports.

Picture 3 – Once the switch has learned all the MAC addresses on its different ports it acts like a switch – MAC address table complete

Attack

But this is where the attacker comes into play. The key to understanding how MAC address table overflow attacks work is to know that MAC address tables are limited in size. MAC flooding makes use of this limitation: the attacker sends the switch a large number of frames with fake source MAC addresses until the switch's MAC address table is fully loaded and cannot save any more MAC address to port mapping entries. The switch then enters a fail-open mode, which means that it starts acting as a hub. In this situation the switch broadcasts all received frames to all the machines on the network. As a result, the attacker (in our case "PC C") can see all the frames sent from a victim host to another host that has no MAC address table entry.

The key to carrying out the attack is that the space in the MAC address table is limited. MAC address flooding sends a large number of forged source MAC addresses until the switch's MAC address table reaches a "full" state. At that point the switch cannot add any new MAC addresses; it enters a "fail-open" state and begins broadcasting all received frames.

Picture 4 – A switch MAC flooding attack populates the entire MAC address table with bogus MAC addresses
The following are my own thoughts:
What happens when the switch's MAC address table overflows:
1. Normal communication is not possible (this mainly affects pairs of hosts whose MAC addresses are not in the switch's cache); this should be the main consequence
2. Communications of other hosts can be intercepted
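As an added illustration (not code from the original post) of the learning, fail-open and interception behaviour described above, the following Python simulation models a switch with a small, fixed-size MAC address table and replays the scenario of pictures 1 to 4. The table size of 8 entries, the host names A to D, the port numbers and the optional per-port learning limit (modelled on the port-security feature of managed switches, which the post does not discuss) are constructed assumptions chosen to keep the run short; real tables hold thousands of entries.

```python
"""Simulation of a switch MAC address (CAM) table with a fixed capacity.

Constructed illustration, not code from the original post. Capacity, host
names, port numbers and the per-port learning limit are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional, Union

FLOOD = "flood"   # frame copied out of every port except the one it arrived on
DROP = "drop"     # frame discarded because its port reached the learning limit


@dataclass
class Switch:
    capacity: int                                  # total MAC table entries
    max_macs_per_port: Optional[int] = None        # None = no per-port limit
    table: Dict[str, int] = field(default_factory=dict)          # MAC -> port
    learned_per_port: Dict[int, int] = field(default_factory=lambda: defaultdict(int))
    violations: Dict[int, int] = field(default_factory=lambda: defaultdict(int))

    def forward(self, ingress: int, src: str, dst: str) -> Union[int, str]:
        """Process one frame arriving on `ingress`; return egress port, FLOOD or DROP."""
        # Learning phase: bind the source MAC to the ingress port.
        if src in self.table:
            self.table[src] = ingress            # station moved: refresh binding
        else:
            if (self.max_macs_per_port is not None
                    and self.learned_per_port[ingress] >= self.max_macs_per_port):
                self.violations[ingress] += 1
                return DROP                      # port-security style refusal
            if len(self.table) < self.capacity:
                self.table[src] = ingress
                self.learned_per_port[ingress] += 1
            # else: table full -> the new address is simply not learned
        # Forwarding phase: known destination goes out one port, unknown is flooded.
        egress = self.table.get(dst)
        return FLOOD if egress is None else egress


def normal_operation(sw: Switch):
    """Pictures 1-3: A (port 1) talks to B (port 2) on an initially empty table."""
    first = sw.forward(1, "A", "B")    # B unknown -> flooded, C on port 3 sees it too
    sw.forward(2, "B", "A")            # B replies; switch learns B on port 2
    second = sw.forward(1, "A", "B")   # now unicast straight to port 2
    return first, second


def mac_flood(sw: Switch, attacker_port: int, frames: int) -> None:
    """Picture 4: many frames, each with a fresh bogus source MAC, from one port."""
    for i in range(frames):
        sw.forward(attacker_port, f"bogus-{i:02x}", "ff:ff:ff:ff:ff:ff")


def run_scenario(max_macs_per_port: Optional[int] = None) -> dict:
    """Run normal operation, then the flood, then observe a newly attached host."""
    sw = Switch(capacity=8, max_macs_per_port=max_macs_per_port)
    first, second = normal_operation(sw)
    mac_flood(sw, attacker_port=3, frames=100)
    # A new legitimate host D appears on port 4 after the table has filled.
    d_to_b = sw.forward(4, "D", "B")   # B was learned before the attack
    b_to_d = sw.forward(2, "B", "D")   # D could not be learned -> flooded to port 3
    return {
        "first_a_to_b": first,
        "second_a_to_b": second,
        "table_size": len(sw.table),
        "macs_learned_on_port3": sw.learned_per_port[3],
        "violations_on_port3": sw.violations[3],
        "d_to_b": d_to_b,
        "b_to_d": b_to_d,
    }


if __name__ == "__main__":
    print("no limit:   ", run_scenario())
    print("limit of 2: ", run_scenario(max_macs_per_port=2))
```

Without a per-port limit the 100 bogus frames fill the table, host D is never learned, and B's reply to D is flooded out every port, so the attacker on port 3 receives it; this is exactly the "frames sent from a victim host to another host without a MAC address table entry" case in the text. The count of distinct addresses learned on a single access port (6 on port 3 here versus 1 on every other port) is the simplest signal a defender can watch for. With a learning limit of 2 per port the third bogus frame and all later ones are dropped, the table keeps room for D, and B's reply stays unicast. The simulation leaves out entry ageing: a real switch expires idle entries (300 seconds by default on Cisco Catalyst switches), so over time even A's and B's entries are replaced by bogus ones, which is why the attacker has to keep flooding continuously.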
