A common Layer 2/switch attack as of this writing is MAC Flooding, resulting
in CAM table overflow that causes flooding of regular data frames out all
switch ports. This can be launched for the malicious purpose of collecting a
broad sample of traffic or as a DoS attack.
CAM tables are limited in
size and therefore the number of entries they can contain at any one time. A
network intruder can maliciously flood a switch with a large number of frames
from a range of invalid source MAC addresses. If enough new entries are made
before old entries expire, new, valid entries will not be accepted. Then, when
traffic arrives at the switch for a legitimate device that is located on one of
the switch ports that was not able to create a CAM table entry, the switch must
flood frames to that address out all ports. This has two adverse effects:
- The switch traffic forwarding is inefficient and voluminous.
- An intruding device can be connected to any switch port and capture traffic
not normally seen on that port.
If the attack is launched before the beginning of the day, the CAM table will
already be full when the majority of devices are powered on, so frames from
those legitimate devices are unable to create CAM table entries as they power
on. If this represents a large number of network devices, the number of MAC
addresses for which traffic will be flooded will be high, and every switch port
will carry flooded frames from a large number of devices.
If the
initial flood of invalid CAM table entries is a one-time event, over time the
switch will age out older, invalid CAM table entries, allowing new legitimate
devices to create an entry. Traffic flooding will eventually cease and may
never have been detected, even though the intruder captured a significant
amount of data from the network while it lasted.
As the figure shows, MAC address and subsequent
traffic flooding occurs in the following progression.
Suggested Mitigation for MAC Flood Attacks
Configure Port Security to define the number of MAC addresses that are allowed
on a given port. Port security can also specify which MAC addresses are allowed
on a given port.
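To make the CAM table behaviour described above and the port-security mitigation concrete, here is an added example written for this page (not taken from the document's source or from any vendor): a small Python model of a switch CAM table with a fixed capacity, entry aging and an optional per-port limit on learned source MACs. The `Switch` class, the MAC addresses and the table sizes are all constructed assumptions.

```python
from collections import namedtuple

FLOOD = "flood"  # frame is sent out every port except the one it arrived on
Entry = namedtuple("Entry", "port last_seen")


class Switch:
    """Toy model of a switch CAM table: fixed capacity, entry aging, and an
    optional per-port port-security limit. Constructed for illustration; it
    does not model any particular vendor's implementation."""

    def __init__(self, cam_capacity, aging_time, port_security=None):
        self.cam_capacity = cam_capacity
        self.aging_time = aging_time
        self.port_security = port_security or {}  # port -> max source MACs allowed
        self.cam = {}          # mac -> Entry(port, last_seen)
        self.secure_macs = {}  # port -> set of MACs accepted under port security
        self.violations = []   # (port, mac) of frames dropped by port security

    def receive(self, in_port, src, dst, now):
        """Process one frame: age the table, learn src, then forward to dst.
        Returns the egress port, FLOOD, or None if port security dropped it."""
        self.cam = {m: e for m, e in self.cam.items()
                    if now - e.last_seen < self.aging_time}
        limit = self.port_security.get(in_port)
        if limit is not None:
            seen = self.secure_macs.setdefault(in_port, set())
            if src not in seen and len(seen) >= limit:
                self.violations.append((in_port, src))  # 'restrict' mode: drop, keep port up
                return None
            seen.add(src)
        # Source learning: an existing entry is refreshed; a new one needs a free slot.
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = Entry(in_port, now)
        entry = self.cam.get(dst)
        return FLOOD if entry is None else entry.port


def flood_then_forward(port_security=None):
    """Port 1 emits frames from many bogus source MACs (constructed values); then
    legitimate hosts on ports 2 and 3 power on and exchange unicast frames.
    Returns (egress for the host-3 -> host-2 frame, frames dropped by port security)."""
    sw = Switch(cam_capacity=8, aging_time=300, port_security=port_security)
    for i in range(20):
        sw.receive(1, f"de:ad:be:ef:00:{i:02x}", "ff:ff:ff:ff:ff:ff", now=i)
    sw.receive(2, "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03", now=100)
    egress = sw.receive(3, "aa:aa:aa:aa:aa:03", "aa:aa:aa:aa:aa:02", now=101)
    return egress, len(sw.violations)
```

Without port security, `flood_then_forward()` returns `('flood', 0)`: the table is full of bogus entries, host 2 is never learned, and host 3's unicast to it is flooded out every port, including the attacker's. With `flood_then_forward({1: 2})` it returns `(2, 18)`: only two source MACs are accepted on port 1, the remaining bogus frames are dropped, and forwarding between the legitimate hosts stays normal.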