On a recent switch, is MAC flooding still a vulnerability to be careful of? If that attack is patched on most of them, then on which type of switch is it still vulnerable?

schroeder
Bob Ebert

1 Answer

Yes, this still is a threat and this is why:

MAC flooding is based on the overflow of the CAM table (Content Access Memory). The CAM table assigns physical ports to MAC addresses. The CAM table has a limited size, and if you manage to exceed that size the switch isn't able to assign new MAC addresses to a physical port anymore. In this situation the switch can do one of three things:

  1. Go to Fail Open mode, which turns the switch into a hub, which means that everyone gets to see everything. One could then sniff the traffic of all connected clients.

  2. Go to Fail Off mode, which causes the switch to keep the existing MAC addresses in the CAM table but won't add new ones, which will result in new clients being locked out of the network.

  3. The switch uses the CAM table like a ring memory, which means that the addresses that haven't been seen for the longest period get dropped. This can be a practical solution for home switches because it's unlikely that you connect some thousand hosts to a DSL router.

I also had a situation where a switch crashed completely after I caused an overflow of the CAM table. But this was a relatively cheap switch for the home environment, to be honest.

Though this vulnerability is kind of system inherent, it can't be fixed like other system-inherent vulnerabilities. You can prevent it by using port security, which I suggest you do. If you're the attacker in a pentest you can attack this vulnerability by using the tool macof, which generates loads of Ethernet packets with randomly generated MAC addresses to cause an overflow in the CAM table.

I tested it successfully on some Cisco switches, a Netgear switch and some usual desktop switches.

davidb
  • You wrote 3 options, in which case one would happen? Meaning, how do I know which option will be executed? – Bob Ebert Oct 10 '15 at 23:23
  • In most cases you have to try. When you have a business-level switch from Cisco or Juniper you can maybe look it up in the manual section about port security – davidb Oct 10 '15 at 23:25
  • Does it depend on the router and the version running? (if I run an nmap to find the OS version of the router and then look up the manual on the internet) AND can you please develop a little on your third option? :) – Bob Ebert Oct 10 '15 at 23:31
  • For "home routers" it depends on the firmware. When it comes to business-level switches it depends on the configuration. – davidb Oct 10 '15 at 23:33
  • I have to ask, if I want to test it with a programming language, I would send ARP packets from a random MAC to another MAC? Or an Ethernet packet? – Bob Ebert Oct 10 '15 at 23:45
  • You don't need ARP packets; you can send any Ethernet packets with spoofed, randomly generated MAC addresses. Only the source address will be inserted into the CAM table, so the destination can also be a real MAC address. – davidb Oct 10 '15 at 23:47
  • Thank you so much!! One last thing, in general, on a really small business router / home router, what option would generally be executed? (I will try it when I pentest but am curious to know the most common reaction) – Bob Ebert Oct 10 '15 at 23:51
  • Fail Open is the most common I think because it keeps the network running. – davidb Oct 10 '15 at 23:54
  • Switching on *Fail off* mode, a switch won't add new entries. But the existing ones in the CAM will continue to work until their end of life. This may not lead to a total DoS. Old registered MACs with regular traffic will continue to work. New ones won't enter the network. This abnormal behaviour is the clear symptom of an internal DoS through CAM or ARP flooding. – dan Oct 11 '15 at 13:27
  • Hmm, might be that I misinterpreted this. I once had a situation where the switch did crash completely and didn't deliver any packet, but to be honest that wasn't a business-class switch^^ – davidb Oct 11 '15 at 13:38
  • @daniel Azuelos: I checked it and you were right. Corrected the post. Thanks for your comment! – davidb Oct 11 '15 at 13:42
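As an added example (not code from the answer or its author), the following Python models the three full-table behaviours the answer lists (fail open, fail off, ring-style eviction) and the defender-side check a monitoring script would run against switch or mirror-port data: counting distinct source MACs per port, which is the symptom dan describes. The table capacity, port numbers, MAC addresses and traffic are constructed for the simulation.

```python
from collections import OrderedDict

class CamTable:
    """Toy CAM table with a fixed capacity (constructed, not a vendor's size).
    mode: 'fail_open' (full -> unknown destinations are flooded like a hub),
          'fail_off'  (full -> unlearned newcomers are locked out),
          'lru'       (full -> least recently seen address is evicted)."""

    def __init__(self, capacity, mode):
        self.capacity, self.mode = capacity, mode
        self.table = OrderedDict()  # source MAC -> port, in last-seen order

    def learn(self, mac, port):
        """Learn a source MAC; return True if it is in the table afterwards."""
        if mac in self.table or len(self.table) < self.capacity:
            self.table[mac] = port
            self.table.move_to_end(mac)
            return True
        if self.mode == "lru":                # ring memory: drop oldest entry
            self.table.popitem(last=False)
            self.table[mac] = port
            return True
        return False                           # table full, nothing learned

    def forward(self, src, src_port, dst, all_ports):
        """Return the list of ports a frame src -> dst is sent out of."""
        known_src = self.learn(src, src_port)
        if self.mode == "fail_off" and not known_src:
            return []                          # newcomer locked out
        if dst in self.table:
            return [self.table[dst]]           # unicast to the learned port
        return [p for p in all_ports if p != src_port]  # unknown dst: flood

def distinct_sources_per_port(frames):
    """Defender check: how many different source MACs each port has shown."""
    seen = {}
    for src, port, _dst in frames:
        seen.setdefault(port, set()).add(src)
    return {port: len(macs) for port, macs in seen.items()}

def simulate(mode, capacity=8):
    """Constructed traffic: hosts A and B talk, port 3 then shows 20 made-up
    source MACs, then a new host on port 2 tries to reach A and A replies."""
    ports, cam = [1, 2, 3], CamTable(capacity, mode)
    a, b, new = "02:aa:00:00:00:01", "02:bb:00:00:00:02", "02:cc:00:00:00:03"
    frames = [(a, 1, b), (b, 2, a)]
    frames += [(f"02:f1:00:00:00:{i:02x}", 3, a) for i in range(20)]
    frames += [(new, 2, a), (a, 1, new)]
    out = [cam.forward(src, port, dst, ports) for src, port, dst in frames]
    return out[-2], out[-1], distinct_sources_per_port(frames)
```

In fail-open mode A's reply to the newcomer is flooded to port 3 as well, which is what a sniffer there relies on; in fail-off mode the newcomer's frame is dropped; the per-port count makes port 3 stand out either way.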