MAC Address, ARP, and DHCP Vulnerabilities
CAM table overflow attack

In the diagram in Figure , the machine that belongs to the attacker is on VLAN 10. The attacker floods MAC addresses to port 3/25 on the switch. When the content addressable memory (CAM) table threshold is reached, the switch operates as a hub and simply floods traffic out all ports. This flooding also occurs on adjacent switches configured with VLAN 10; however, flooding is limited to the source VLAN and does not affect other VLANs.

MAC Flooding
MAC flooding is the attempt to exploit the fixed hardware limitations of the CAM table of a switch. The Catalyst switch CAM table stores the source MAC address and the associated port of each device connected to the switch. The CAM table on the Catalyst 6000 can contain 128,000 entries. These 128,000 entries are organized as 8 pages, each of which can store approximately 16,000 entries. A 17-bit hash algorithm is used to place each entry in the CAM table. If two entries hash to the same value, they are stored on separate pages. Once all eight locations for a hash value are full, the traffic is flooded out all ports on the same VLAN on which the source traffic is being received.

CAM tables are limited in size. If enough entries are entered into the CAM table before other entries expire, the CAM table fills up to the point that no new entries can be accepted. Typically, a network intruder will flood the switch with a large number of invalid-source MAC addresses until the CAM table fills up. When that occurs, the switch will flood all ports with incoming traffic because it cannot find the port number for a particular MAC address in the CAM table. The switch, in essence, acts like a hub. If the intruder does not maintain the flood of invalid-source MAC addresses, the switch will eventually time out older MAC address entries from the CAM table and begin to act like a switch again. CAM table overflow only floods traffic within the local VLAN, so the intruder will see only traffic within the local VLAN to which he or she is connected.

In May of 1999 the tool macof was released. It was written in approximately 100 lines of Perl code and was later ported to C and incorporated into the dsniff package. This tool floods a switch with packets containing randomly generated source and destination MAC and IP addresses. When the CAM table of the switch fills up with these addresses, the switch begins to forward all frames it receives to every port. In Figure the attacker is sending out multiple packets with various source MAC addresses. Over a short period of time the CAM table in the switch fills up until it cannot accept new entries. As long as macof is left running, the CAM table on the switch will remain full. When this happens the switch begins to broadcast all packets that it receives out of every port, so that packets sent from server B to server D are also broadcast out of port 3/25 on the switch to which the attacker is attached.
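The fill, flood and recover cycle described above, modelled as an added example (not code from the original document or from dsniff): a toy CAM table with a fixed capacity and aging, the port numbers and MAC addresses being constructed values. It shows that unknown-destination frames are flooded only within the source VLAN, that server B's traffic to server D reaches port 3/25 once the legitimate entries have aged out and cannot be relearned, and that the switch recovers once the bogus entries time out.

```python
from collections import OrderedDict


class CamTable:
    """Toy CAM table: one capacity shared by all VLANs, keyed by (vlan, mac), with simple
    aging. Real Catalyst hardware uses hashed pages; this flat model keeps only the overflow."""

    def __init__(self, capacity, age_limit):
        self.capacity = capacity
        self.age_limit = age_limit
        self.entries = OrderedDict()  # (vlan, mac) -> (port, last_seen)

    def learn(self, vlan, mac, port, now):
        key = (vlan, mac)
        if key in self.entries or len(self.entries) < self.capacity:
            self.entries[key] = (port, now)  # new or refreshed entry
            return True
        return False  # table full: the source is not learned

    def age_out(self, now):
        self.entries = OrderedDict(
            (k, v) for k, v in self.entries.items() if now - v[1] < self.age_limit)

    def forward(self, vlan, src, dst, in_port, now, vlan_ports):
        """Return the egress port list for one frame."""
        self.learn(vlan, src, in_port, now)
        hit = self.entries.get((vlan, dst))
        if hit:
            return [hit[0]]
        # Unknown destination: flood to the other ports of the *same* VLAN only.
        return [p for p in vlan_ports[vlan] if p != in_port]


def demo():
    vlan_ports = {10: ["3/1", "3/2", "3/25"], 20: ["3/10", "3/11"]}  # constructed
    B, D = "00:0b:00:00:00:0b", "00:0d:00:00:00:0d"                  # constructed
    cam = CamTable(capacity=8, age_limit=300)
    cam.learn(10, D, "3/2", now=0)
    before = cam.forward(10, B, D, "3/1", 1, vlan_ports)
    # Bogus source MACs arriving on 3/25 fill the table; the second burst lands
    # after B's and D's entries have aged out, so they can no longer be relearned.
    bogus = [f"00:00:00:00:00:{i:02x}" for i in range(12)]
    for t in (2, 301):
        cam.age_out(t)
        for mac in bogus:
            flood = cam.forward(10, mac, "00:00:00:00:ff:ff", "3/25", t, vlan_ports)
    during = cam.forward(10, B, D, "3/1", 302, vlan_ports)
    cam.age_out(700)  # flood stopped: bogus entries time out
    cam.learn(10, D, "3/2", now=700)
    after = cam.forward(10, B, D, "3/1", 701, vlan_ports)
    return {"before": before, "attacker_flood": flood, "during": during, "after": after}
```

`demo()` returns the egress ports for each phase: B to D goes only to port 3/2 before and after the flood, the attacker's frames are flooded to the VLAN 10 ports only (never 3/10 or 3/11), and during the flood B's traffic to D also leaves port 3/25.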


Web Links