0

I'm specifically referring to the macof tool (part of the dsniff package).

As I understand it, MAC flooding is meant to overload a switch's CAM table, which maps MAC addresses to switch ports.

Where does specifying IP addresses and/or TCP ports fit into this?

Does doing so allow an attacker to bypass a Layer 3 switch's filters, ones that filter traffic based on IP addresses and/or TCP ports?

schroeder
  • 123,438
  • 55
  • 284
  • 319
Nadim Hussami
  • 101
  • 3
  • I googled "macof" and this was the 2nd hit: https://kalilinuxtutorials.com/macof/ – schroeder Sep 07 '20 at 11:03
  • I already did that and read that article. I wanted a clearer explanation. – Nadim Hussami Sep 07 '20 at 11:21
  • Ok, if you already have some foundational knowledge, then it is useful to include what you *do* understand so that we know what you really need to know. For instance, why is that article not clear? Do you see the difference in the images between the first and second attacks? – schroeder Sep 07 '20 at 11:39
  • I did that, and I ventured a guess too. Could you tell me how that article does answer the question? It suggests that some switches "do not allow spoofing of ARP packets". But if we're sending packets with bogus MAC addresses (even with a specified IP address), the packets are still spoofed. It's contradictory. And the article doesn't address my question regarding IP addresses and TCP ports, and their relation to CAM tables. – Nadim Hussami Sep 07 '20 at 12:05
  • As far as I can tell the difference between the two images is that in the second one, the destination IP address is specified (and constant) for all the packets. But I already understood that from the syntax of the command. Is there something else? – Nadim Hussami Sep 07 '20 at 12:11

0 Answers0