In the diagram in Figure , the attacker's machine is on VLAN 10. The attacker
floods MAC addresses into port 3/25 on the switch. When the content addressable
memory (CAM) table threshold is reached, the switch operates as a hub and
simply floods traffic out all ports in that VLAN. This flooding also occurs on
adjacent switches configured with VLAN 10; however, the flooding is limited to
the source VLAN and does not affect other VLANs.
MAC Flooding
MAC flooding is an attempt to exploit the fixed hardware limits of a switch's
CAM table. The Catalyst switch CAM table stores the source MAC address and the
associated port of each device connected to the switch. The CAM table on the
Catalyst 6000 can contain 128,000 entries, organized as 8 pages of
approximately 16,000 entries each. A 17-bit hash algorithm selects the location
of each entry in the CAM table. When two addresses hash to the same value, the
entries are stored at that location on separate pages, so each hash value has
eight possible locations. Once those eight locations are full, a further
address with the same hash value cannot be learned, and traffic for it is
flooded out all ports on the VLAN on which the source traffic is being
received.
CAM tables are limited in size. If enough entries are added to the CAM table
before older entries expire, the table fills up to the point that no new
entries can be accepted. Typically a network intruder floods the switch with a
large number of frames carrying bogus source MAC addresses until the CAM table
fills up. When that occurs, the switch floods incoming traffic out all ports in
the VLAN because it cannot find the port for a particular destination MAC
address in the CAM table. The switch, in essence, acts like a hub. If the
intruder does not maintain the flood of bogus source MAC addresses, the switch
eventually times out the older MAC address entries in the CAM table and begins
to act like a switch again. CAM table overflow only floods traffic within the
local VLAN, so the intruder sees only traffic within the VLAN to which he or
she is connected.
In May of 1999 the tool macof was released. It was written in approximately 100
lines of Perl and was later ported to C and incorporated into the dsniff
package. This tool floods a switch with packets containing randomly generated
source and destination MAC and IP addresses. When the CAM table of the switch
fills up with these addresses, the switch begins to forward all frames it
receives to every port in the VLAN. In Figure , the attacker is sending out
multiple packets with various source MAC addresses. Over a short period of
time the CAM table in the switch fills up until it cannot accept new entries.
As long as macof is left running, the CAM table on the switch remains full.
When this happens the switch floods every frame it receives out all ports in
the VLAN, so that frames sent from server B to server D are also sent out port
3/25, the port to which the attacker is attached.
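The following toy model ties the two descriptions above together: a CAM table with eight locations per hash value, aging of idle entries, per-VLAN flooding of unknown destinations, and a macof-style generator of random source addresses injected on port 3/25. It is an added illustration written for this page, not code from the original text and not the dsniff macof implementation. Its assumptions are not from the page: the hash is shrunk to 6 bits so the table fills in a few thousand frames (the page describes 17 bits), the aging time is 300 seconds, and the port names and MAC addresses for server B, server D and the VLAN 20 host are constructed sample data.

```python
"""Toy model of a switch CAM table under a macof-style MAC flood.

Added illustration, not code from the original page or from dsniff/macof.
Assumptions (not from the page): 6-bit toy hash, 300 s aging, and all port
names and MAC addresses are constructed sample data."""
import hashlib
import random
from dataclasses import dataclass

PAGES = 8          # eight locations per hash value, as on the Catalyst 6000
HASH_BITS = 6      # assumption: 6-bit toy hash (the page describes 17 bits)
AGE_SECONDS = 300  # assumption: aging time for idle CAM entries


def cam_hash(mac):
    """Toy bucket index for a MAC (not the Catalyst hash algorithm)."""
    digest = hashlib.md5(mac.encode()).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << HASH_BITS) - 1)


@dataclass
class Frame:
    vlan: int
    src: str
    dst: str
    ingress: str  # port the frame arrived on, e.g. "3/25"


class Switch:
    def __init__(self, ports_by_vlan):
        self.ports_by_vlan = ports_by_vlan
        # (vlan, bucket) -> up to PAGES entries of (mac, port, learned_at)
        self.table = {}

    def lookup(self, vlan, mac):
        for entry in self.table.get((vlan, cam_hash(mac)), []):
            if entry[0] == mac:
                return entry
        return None

    def age(self, now):
        """Expire entries that have been idle for AGE_SECONDS or longer."""
        for entries in self.table.values():
            entries[:] = [e for e in entries if now - e[2] < AGE_SECONDS]

    def learn(self, frame, now):
        """Record the source MAC; False if its eight locations are all taken."""
        entries = self.table.setdefault((frame.vlan, cam_hash(frame.src)), [])
        existing = self.lookup(frame.vlan, frame.src)
        if existing is not None:
            entries[entries.index(existing)] = (frame.src, frame.ingress, now)
            return True
        if len(entries) >= PAGES:
            return False
        entries.append((frame.src, frame.ingress, now))
        return True

    def forward(self, frame, now):
        """Return the egress port set: a known destination gets one port,
        an unknown one is flooded to every other port in the same VLAN."""
        self.age(now)
        self.learn(frame, now)
        hit = self.lookup(frame.vlan, frame.dst)
        if hit is not None:
            return {hit[1]}
        return {p for p in self.ports_by_vlan[frame.vlan] if p != frame.ingress}


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def macof(switch, vlan, port, count, now, rng):
    """Inject frames with random source and destination MACs from one port,
    as macof does; returns how many source entries the switch accepted."""
    learned = 0
    for _ in range(count):
        frame = Frame(vlan, random_mac(rng), random_mac(rng), port)
        switch.forward(frame, now)
        learned += switch.lookup(vlan, frame.src) is not None
    return learned


def demo():
    sw = Switch({10: ["3/1", "3/2", "3/25", "3/26"], 20: ["4/1", "4/2"]})
    b_to_d = Frame(10, "00:11:22:00:00:0b", "00:11:22:00:00:0d", "3/1")  # B
    d_to_b = Frame(10, "00:11:22:00:00:0d", "00:11:22:00:00:0b", "3/2")  # D
    sw.forward(b_to_d, now=0)  # D unknown yet: flooded once, B learned
    sw.forward(d_to_b, now=0)  # D learned on 3/2
    result = {"before": sw.forward(b_to_d, now=1)}  # unicast to 3/2 only

    rng = random.Random(1)
    # Attacker on 3/25 starts macof and keeps it running across aging cycles.
    result["first_flood_learned"] = macof(sw, 10, "3/25", 5000, now=10, rng=rng)
    macof(sw, 10, "3/25", 5000, now=400, rng=rng)  # refills slots freed by aging
    # B and D have aged out and cannot be relearned: every bucket is full.
    sw.forward(d_to_b, now=401)
    result["attack"] = sw.forward(b_to_d, now=402)  # now reaches 3/25 too
    other = Frame(20, "00:aa:bb:00:00:01", "00:aa:bb:00:00:02", "4/1")
    result["other_vlan"] = sw.forward(other, now=402)  # stays inside VLAN 20

    # Attacker stops; once the bogus entries age out, learning resumes.
    sw.forward(d_to_b, now=800)
    result["recovered"] = sw.forward(b_to_d, now=801)  # unicast again
    return result


if __name__ == "__main__":
    for stage, value in demo().items():
        print(f"{stage:>20}: {value}")
```

The run reproduces the narrative of the text: before the flood, a frame from B to D leaves only port 3/2; while macof is running, B and D expire from the table, cannot be relearned because every location for their hash values is taken by bogus entries, and the B-to-D frame is flooded to 3/25 as well; a host on VLAN 20 is learned and forwarded normally because flooding is scoped to the VLAN; and after the attacker stops and the aging time passes, the switch returns to unicast forwarding.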