I read an article today describing how a penetration tester was able to demonstrate creating a fake bank account with a $14 million balance. However, one paragraph describing the attack stood out:

Then he "flooded" switches -- small boxes that direct data traffic -- to overwhelm the bank's internal network with data. That kind of attack turns the switch into a "hub" that broadcasts data out indiscriminately.

I'm not familiar with the effect that is described. Is it really possible to force a switch to broadcast traffic to all of its ports by sending massive amounts of traffic? What exactly is going on in this situation?

Lucas
  • Some other details at this post/answer: http://serverfault.com/questions/345670/how-does-network-sniffing-software-work-over-a-switch/345676#345676. – jfg956 May 23 '13 at 11:45

3 Answers

This is called MAC flooding. A "MAC address" is an Ethernet hardware address. A switch maintains a CAM table that maps MAC addresses to ports.

If a switch has to send a packet to a MAC address not in its CAM table, it floods it to all ports just like a hub does. So if you flood a switch with a larger number of MAC addresses, you will force the entries of legitimate MAC addresses out of the CAM table and their traffic will be flooded to all ports.

Nathan C
David Schwartz
  • Does the switch do anything to prevent or limit this? – TheLQ May 15 '13 at 23:45
  • Typically no, but that's not its job. A switch's job is to facilitate communication between nodes in a LAN, not implement a security policy or filter information. Switches do this by accident as a consequence of making things faster and people have, foolishly, come to think of this as security. (The same thing happens with NAT.) Security provided "accidentally" as a consequence of doing something else should never be considered real security. There are secure, managed switches that provide security, just as there are NAT implementations that also include actual firewalls. – David Schwartz May 15 '13 at 23:50
This is called MAC flooding and makes use of the fact that the CAM tables of switches are of limited length. If they overflow, a switch turns into a hub and sends out every packet to every port, which can quickly grind a network to a halt.

Edited to correct wrong terminology.

Sven
  • SvW probably meant the MAC address table, which maps MAC addresses to physical ports. Most switches allocate a limited amount of memory for this, and it can easily be exhausted by an attacker sending frames from randomly spoofed MAC addresses. This would cause the switch to flood frames to all ports for any destination MAC address not already in the table. Fortunately, this can be mitigated by limiting the number of MACs that may appear on a given port. – James Sneeringer May 15 '13 at 17:43
  • Right concept, wrong terminology... Close enough for a +1 from me. – Chris S May 16 '13 at 14:34
  • @ChrisS: That was already in the question. Everything the answer added was incorrect. – David Schwartz May 16 '13 at 20:04
  • @DavidSchwartz: Well, I edited two words where I *obviously* mixed up terminology and now the answer is entirely correct. Quite frankly, that would have been a great opportunity to use the edit function of the site yourself. Instead, people (not necessarily you) use it to replace "teh" with "the" in a 2 year old post... – Sven May 16 '13 at 20:11
  • @SvW: I didn't think it was obvious that you just used the wrong terminology, that switches have something to do with ARP is actually a very common functional misunderstanding. I don't consider it appropriate to use "edit" to completely change someone else's answer, even from incorrect to correct. (Maybe that's a bad policy on my part. I'll search around on meta and see if I'm out of the mainstream in that view.) – David Schwartz May 16 '13 at 21:25
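A small simulation of the CAM-table overflow described in the two answers above, together with the per-port MAC limit that James Sneeringer's comment names as the mitigation. This is added example code, not from the original page or from any switch vendor; the `Switch` class, its eviction policy (oldest entry dropped when the table is full) and its "drop the offending frame" port-security behaviour are simplifying assumptions, and the MAC addresses and frame counts are constructed.

```python
import random
from collections import OrderedDict

class Switch:
    """Toy switch: learns source MACs into a fixed-size CAM table and floods
    frames whose destination MAC it has not learned (simplified model)."""
    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity            # CAM table size limit
        self.max_macs_per_port = max_macs_per_port  # port-security limit; None = off
        self.cam = OrderedDict()                    # mac -> port, oldest entry first
        self.violations = []                        # (port, mac) pairs port security dropped

    def _macs_on_port(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def forward(self, in_port, src, dst):
        """Learn src on in_port, then return the set of egress ports for the frame."""
        if src not in self.cam:
            if (self.max_macs_per_port is not None
                    and self._macs_on_port(in_port) >= self.max_macs_per_port):
                self.violations.append((in_port, src))
                return set()                        # assumed 'protect' mode: drop, learn nothing
            if len(self.cam) >= self.cam_capacity:
                self.cam.popitem(last=False)        # table full: oldest entry is evicted (assumption)
        self.cam[src] = in_port
        self.cam.move_to_end(src)                   # refresh as most recently seen
        if dst in self.cam:
            return {self.cam[dst]}                  # known unicast goes out one port
        return set(self.ports) - {in_port}          # unknown unicast: flood like a hub

def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))

def demo(port_security=None, seed=1):
    """Hosts A (port 1) and B (port 2) exchange frames; port 3 then sends 500 frames
    with random spoofed source MACs. Returns (ports reached by A->B before, ports
    reached by A->B after, CAM entries held by port 3, frames dropped by port security)."""
    rng = random.Random(seed)
    sw = Switch(ports=[1, 2, 3, 4], cam_capacity=64, max_macs_per_port=port_security)
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"   # constructed host MACs
    sw.forward(1, a, b)                     # switch learns A on port 1
    sw.forward(2, b, a)                     # switch learns B on port 2
    before = sw.forward(1, a, b)            # {2}: delivered to B's port only
    for _ in range(500):
        sw.forward(3, random_mac(rng), random_mac(rng))
    after = sw.forward(1, a, b)             # no port security: {2, 3, 4}, A's traffic is now visible on every port
    held = sum(1 for p in sw.cam.values() if p == 3)
    return before, after, held, len(sw.violations)
```

With `max_macs_per_port=1` the table never overflows and A's frames keep reaching only port 2, which is the effect of the per-port limit described in the comment.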
As has been explained above, the switch's MAC table is 'poisoned' with fake MAC addresses. This is easy to do with the macof program from the dsniff suite of tools. Warning: only try this for educational purposes in your own network, otherwise you will get into deep legal trouble!

http://www.monkey.org/~dugsong/dsniff/

Aaron Copley
Floyd