Switch Security Issues
Describing a MAC flooding attack

A common Layer 2/switch attack as of this writing is MAC Flooding, resulting in CAM table overflow that causes flooding of regular data frames out all switch ports. This can be launched for the malicious purpose of collecting a broad sample of traffic or as a DoS attack.

CAM tables are limited in size and therefore the number of entries they can contain at any one time. A network intruder can maliciously flood a switch with a large number of frames from a range of invalid source MAC addresses. If enough new entries are made before old entries expire, new, valid entries will not be accepted. Then, when traffic arrives at the switch for a legitimate device that is located on one of the switch ports that was not able to create a CAM table entry, the switch must flood frames to that address out all ports. This has two adverse effects:

  • The switch traffic forwarding is inefficient and voluminous.
  • An intruding device can be connected to any switch port and capture traffic not normally seen on that port.

If the attack is launched before the start of the working day, the CAM table will already be full by the time the majority of devices are powered on, so frames from those legitimate devices are unable to create CAM table entries as they come up. If this represents a large number of network devices, the number of MAC addresses for which traffic is flooded will be high, and every switch port will carry flooded frames from a large number of devices.

If the initial flood of invalid CAM table entries is a one-time event, over time the switch will age out the older, invalid CAM table entries, allowing new legitimate devices to create an entry. Traffic flooding will eventually cease, and the attack may never have been detected, while the intruder captured a significant amount of data from the network.

As the figure shows, MAC address flooding and the subsequent traffic flooding occur in the following progression.

Suggested Mitigation for MAC Flood Attacks
Configure port security to limit the number of MAC addresses that may be learned on a given port. Port security can also specify which MAC address is allowed on a given port.
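The following Python model is an added illustration, not part of this material or any vendor's code: it implements CAM-table learning with a capacity limit and aging, unknown-unicast flooding, and an optional per-port learned-MAC limit in the style of port security, then runs the flooding scenario above with and without that limit. The switch capacity, port numbers, and MAC addresses are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Switch:
    """Toy CAM-table model (constructed for this example, not vendor code)."""
    cam_capacity: int                 # entries the CAM table can hold
    aging_secs: int = 300             # idle time after which an entry expires
    port_max: Optional[int] = None    # port-security limit per port (None = off)
    cam: dict = field(default_factory=dict)         # mac -> (port, last_seen)
    violations: dict = field(default_factory=dict)  # port -> dropped-frame count

    def _age(self, now):
        self.cam = {m: e for m, e in self.cam.items() if now - e[1] < self.aging_secs}

    def learn(self, port, mac, now):
        """Source-MAC learning for a frame arriving on `port`; returns the outcome."""
        self._age(now)
        if mac in self.cam and self.cam[mac][0] == port:
            self.cam[mac] = (port, now)
            return "refreshed"
        if self.port_max is not None:
            on_port = sum(1 for p, _ in self.cam.values() if p == port)
            if on_port >= self.port_max:
                self.violations[port] = self.violations.get(port, 0) + 1
                return "violation"  # frame dropped, no CAM entry created
        if len(self.cam) >= self.cam_capacity:
            return "table_full"     # attack succeeded: legitimate host not learned
        self.cam[mac] = (port, now)
        return "learned"

    def egress_ports(self, dst_mac, in_port, all_ports):
        """Known destination -> its port; unknown -> flood out every other port."""
        if dst_mac in self.cam:
            return [self.cam[dst_mac][0]]
        return [p for p in all_ports if p != in_port]

def simulate(port_max=None):
    """Attacker on port 3 sends 1500 bogus source MACs; then a host on port 1 powers on."""
    sw = Switch(cam_capacity=1000, port_max=port_max)
    for i in range(1500):  # constructed bogus MACs in the locally administered range
        sw.learn(3, "02:00:00:%02x:%02x:%02x" % (i >> 16, (i >> 8) & 0xff, i & 0xff), now=0)
    host_mac = "00:11:22:33:44:55"                       # constructed legitimate host
    host_result = sw.learn(1, host_mac, now=1)
    reply_egress = sw.egress_ports(host_mac, in_port=2, all_ports=[1, 2, 3, 4])
    return host_result, reply_egress, sw.violations.get(3, 0)

if __name__ == "__main__":
    print("no port security   :", simulate())
    print("port-security max 2:", simulate(port_max=2))
```

Without the per-port limit the legitimate host is never learned and its traffic is flooded out every port, including the attacker's; with a limit of two addresses per port the attacker's extra frames are counted as violations and the host's traffic is delivered only to its own port.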
