MAC spoofing attacks involve the use of a known MAC address of another host
to attempt to make the target switch forward frames destined for the targeted
host to the network attacker. By sending a single frame with the source MAC
address of the targeted host, the network attacker overwrites the CAM table
entry so that the switch forwards packets destined for the targeted host to the
network attacker. The targeted host will not receive any traffic until it sends
traffic. When the targeted host sends out traffic, the CAM table entry is
rewritten once more so that it associates the MAC address back to the original
port.

The figure shows how MAC spoofing works. Initially, the switch has learned that
Host A is on port 1, Host B is on port 2, and Host C is on port 3. Host B sends
out a packet identifying itself with the IP address of Host B but with the MAC
address of Host A. This traffic causes the switch to move the location of Host A
in its CAM table from port 1 to port 2. Traffic from Host C destined to Host A
is now visible to Host B.
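
The CAM table changes described above can be modelled in a few lines, which also shows the signal a defender can watch for: the same MAC address moving between ports and back again. This is an added example, not part of the original text; the LearningSwitch class, the function names and the MAC addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed addresses (RFC 7042 documentation range) for Hosts A, B and C.
MAC_A, MAC_B, MAC_C = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class LearningSwitch:
    """Hypothetical model of a switch's source-MAC learning, not vendor code."""
    cam: dict = field(default_factory=dict)    # MAC -> port
    moves: list = field(default_factory=list)  # (mac, old_port, new_port)

    def receive(self, port, src_mac, dst_mac):
        """Learn src_mac on the ingress port; return egress port (None = flood)."""
        old = self.cam.get(src_mac)
        if old is not None and old != port:
            self.moves.append((src_mac, old, port))  # the event a defender alerts on
        self.cam[src_mac] = port
        return self.cam.get(dst_mac)


def flapping_macs(moves, threshold=2):
    """Return MACs whose CAM entry changed port at least `threshold` times."""
    counts = {}
    for mac, _old, _new in moves:
        counts[mac] = counts.get(mac, 0) + 1
    return {mac for mac, n in counts.items() if n >= threshold}


def replay():
    """Replay the three-host scenario and record where C's frames to A go."""
    sw = LearningSwitch()
    for port, mac in ((1, MAC_A), (2, MAC_B), (3, MAC_C)):
        sw.receive(port, mac, BROADCAST)       # initial learning
    before = sw.receive(3, MAC_C, MAC_A)       # A is on port 1
    sw.receive(2, MAC_A, BROADCAST)            # frame with A's source MAC on port 2
    during = sw.receive(3, MAC_C, MAC_A)       # entry now points at port 2
    sw.receive(1, MAC_A, MAC_C)                # A transmits; entry is rewritten
    after = sw.receive(3, MAC_C, MAC_A)        # back to port 1
    return before, during, after, sw


if __name__ == "__main__":
    before, during, after, sw = replay()
    print("egress for C->A:", before, during, after)
    print("moves:", sw.moves)
    print("flapping:", flapping_macs(sw.moves))
```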