Understanding Layer 2 switch port security

Safe Switch


You may have noticed that this default MAC address learning process does not contain an authentication step. Any host connected to the switch can corrupt the MAC address table records by sending data frames, and the switch cannot verify the authenticity of the frame's source MAC address. In the following example, I introduce three common attacks that work by sending a data frame with a fake source MAC address. You can easily find tools on the Internet to launch this kind of attack. These tools are also available through Linux penetration testing distros, such as Kali Linux [1].

MAC Flooding Attack

Space is limited in the switch's MAC address table. The maximum number of records ranges from several thousand for entry-level models to hundreds of thousands for advanced models. What happens if the MAC address table is full? Depending on the coding of the switch's operating system, three possible results are:

1. Old records are removed immediately to free up space for learning new MAC addresses.

2. The switch stops learning new MAC addresses until old records are flushed.

3. The system halts.

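Hackers may hope to see results 1 and 2: in both cases the switch no longer holds records for legitimate hosts, so it goes back to broadcasting their frames out of every port, which gives the intruder a chance to capture sensitive information.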

You can check the maximum capacity of a switch's MAC address table by using the switch's operating system. For Cisco IOS, use the following command to check the MAC address table's available space:

SW#show mac address-table count
Mac Entries for Vlan 1:
Dynamic Address Count  : 3
Static  Address Count  : 0
Total Mac Addresses    : 3
Total Mac Address Space Available: 6021

In a MAC flooding attack, an attacker attempts to generate a large number of data frames with different MAC addresses (generated randomly) and send them to the switch (Figure 3). The switch learns every single frame's source address and stores the addresses in the MAC address table until it is full.

Figure 3: An attacker sends a frame with a fake MAC address to SW1 by broadcast.

You can use macof [2], which is preinstalled on Kali Linux, to implement the MAC flooding attack. Simply open the command console and type

macof -e [interface]

to start the attack. Listing 1 shows macof generating frames with random MAC addresses and sending them out of the interface.

Listing 1

Generating random MAC addresses

root@kali:~# macof -e eth1
e3:8b:88:3:b4:cd d8:25:98:35:61:87 > S 1905213613:1905213613(0) win 512
91:33:3b:3:a0:f5 d6:11:53:f:5e:c8 > S 428779274:428779274(0) win 512
c4:27:40:74:3d:11 b9:a5:d3:1d:e:bf > S 1206065071:1206065071(0) win 512
9a:d7:d9:6a:fd:ee 9b:e8:7:15:e4:1d > S 352131538:352131538(0) win 512
42:33:77:69:9b:65 ef:3b:4c:19:e2:bd > S 1039619585:1039619585(0) win 512
a:60:b2:3d:fc:af d3:7c:5b:36:4a:61 > S 727135709:727135709(0) win 512
18:75:26:4c:a8:23 10:81:2a:12:e1:be > S 1071867223:1071867223(0) win 512
98:15:eb:38:f3:c1 c8:d7:c1:61:be:a3 > S 1759104040:1759104040(0) win 512
dc:6d:43:15:be:52 99:19:41:22:4e:36 > S 481173385:481173385(0) win 512
42:d5:ac:47:75:fd 2:3c:f5:3a:29:b0 > S 1888990933:1888990933(0) win 512
4d:ed:18:48:f0:f5 4b:ba:a5:66:ef:ee > S 397896255:397896255(0) win 512
<--Output Omitted-->

If you check the MAC address table count after a few seconds, you will find that all available space is filled by the fake records. As I mentioned before, MAC records will be deleted after 300 seconds. Consequently, the attacker may keep the program running, continually sending fake MAC addresses to the network, to ensure that all available space on the switch stays filled with fake records:

SW#show mac address-table count
Mac Entries for Vlan 1:
Dynamic Address Count  : 6024
Static  Address Count  : 0
Total Mac Addresses    : 6024
Total Mac Address Space Available: 0

After all correct records are timed out and the table is full of fake records, the attacker can capture the network broadcast traffic with sniffing software such as Wireshark.
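From the defender's side, the two counter outputs above are enough to spot the flood. The following Python sketch is an added example, not part of the original article: it parses the output of show mac address-table count and raises an alert on table utilisation and learning rate. The 10-second polling interval, both thresholds, and the rule "capacity = used + available" (which matches the article's numbers) are assumptions.

```python
import re

# "show mac address-table count" output as printed in the article.
BEFORE = """Mac Entries for Vlan 1:
Dynamic Address Count  : 3
Static  Address Count  : 0
Total Mac Addresses    : 3
Total Mac Address Space Available: 6021
"""
AFTER = """Mac Entries for Vlan 1:
Dynamic Address Count  : 6024
Static  Address Count  : 0
Total Mac Addresses    : 6024
Total Mac Address Space Available: 0
"""

COUNT_RE = re.compile(
    r"\s*(Dynamic|Static|Total)\s+(?:Mac\s+)?Address(?:es)?(?:\s+Count)?\s*:\s*(\d+)")

def parse_count(text):
    """Parse the command output into per-VLAN counters plus free table space."""
    result = {"vlans": {}, "available": None}
    vlan = None
    for line in text.splitlines():
        if m := re.match(r"\s*Mac Entries for Vlan\s+(\d+)", line):
            vlan = int(m.group(1))
            result["vlans"][vlan] = {}
        elif m := re.match(r"\s*Total Mac Address Space Available\s*:\s*(\d+)", line):
            result["available"] = int(m.group(1))
        elif vlan is not None and (m := COUNT_RE.match(line)):
            result["vlans"][vlan][m.group(1).lower()] = int(m.group(2))
    if result["available"] is None:
        raise ValueError("no 'Space Available' line found")
    return result

def assess(prev, curr, interval_s, util_alert=0.9, rate_alert=50.0):
    """Compare two snapshots; thresholds are assumed values, tune per network."""
    used_prev = sum(v["total"] for v in prev["vlans"].values())
    used_curr = sum(v["total"] for v in curr["vlans"].values())
    capacity = used_curr + curr["available"]      # assumption: used + free = capacity
    utilisation = used_curr / capacity if capacity else 1.0
    rate = (used_curr - used_prev) / interval_s   # newly learned addresses per second
    reasons = []
    if utilisation >= util_alert:
        reasons.append(f"table {utilisation:.0%} full")
    if rate >= rate_alert:
        reasons.append(f"learning {rate:.0f} addresses/s")
    return {"utilisation": utilisation, "learn_rate": rate,
            "alert": bool(reasons), "reasons": reasons}

if __name__ == "__main__":
    print(assess(parse_count(BEFORE), parse_count(AFTER), interval_s=10))
```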

MAC Spoofing

In MAC spoofing, the attacker sends a frame with the same source address as another device on the network instead of sending a random MAC address. The attacker sends out the frames with spoofed source MAC addresses frequently, say more than 10 frames per second, to ensure always winning the MAC address table competition. All the frames that should be sent to the victim will then go to the attacker, because the network switches have the wrong records in their MAC address tables (Figure 4).

Figure 4: The MAC address table is overwritten by the fake record so that all traffic with destination address ABCD.EF00.0001 will go to the attacker's port.

The Ettercap [3] utility, also available on Kali Linux, is often used to launch a MAC spoofing attack. First, you launch Ettercap (Figure 5). Next, select Sniff | Unified Sniffing to identify the attack interface (Figure 6), followed by Hosts | Scan to scan for hosts. Then, choose Hosts | Hosts to see all the hosts attached to the network. Finally, select Mitm | Port Stealing to start the attack (Figure 7).

Figure 5: Starting up Ettercap.
Figure 6: Selecting the attack interface.
Figure 7: Launching the attack.
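
Because the attacker and the victim keep overwriting each other's record, the same MAC address moves back and forth between two switch ports, and that movement can be detected. The following Python sketch is an added example, not part of the original article: it flags addresses that change port repeatedly within a short window. The sample observations, port names, and thresholds are constructed; only ABCD.EF00.0001 comes from Figure 4.

```python
import re
from collections import defaultdict, deque

# Constructed samples: (seconds, vlan, MAC, port), as a poller might record
# from repeated reads of the MAC address table.
SAMPLES = [
    (0, 1, "abcd.ef00.0001", "Fa0/1"),    # victim's real port
    (0, 1, "abcd.ef00.0002", "Fa0/2"),
    (1, 1, "abcd.ef00.0001", "Fa0/3"),    # record overwritten from another port
    (2, 1, "abcd.ef00.0001", "Fa0/1"),
    (3, 1, "abcd.ef00.0001", "Fa0/3"),
    (4, 1, "abcd.ef00.0002", "Fa0/2"),
    (5, 1, "abcd.ef00.0001", "Fa0/1"),
    (300, 1, "abcd.ef00.0002", "Fa0/4"),  # single move, e.g. a re-plugged laptop
]

def normalise(mac):
    """Reduce dotted (Cisco) or colon/hyphen notation to 12 lowercase hex digits.
    Octets with a stripped leading zero, as macof prints them, are padded."""
    mac = mac.strip().lower()
    if ":" in mac or "-" in mac:
        digits = "".join(part.zfill(2) for part in re.split(r"[:-]", mac))
    else:
        digits = mac.replace(".", "")
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def find_flapping(samples, max_moves=3, window_s=10):
    """Return {(vlan, mac): [ports]} for addresses that changed port at least
    max_moves times within window_s seconds (assumed thresholds)."""
    last_port = {}
    moves = defaultdict(deque)            # key -> recent (time, old, new) moves
    flagged = defaultdict(set)
    for ts, vlan, mac, port in sorted(samples):
        key = (vlan, normalise(mac))
        prev = last_port.get(key)
        last_port[key] = port
        if prev is None or prev == port:
            continue                      # first sighting or no change
        recent = moves[key]
        recent.append((ts, prev, port))
        while ts - recent[0][0] > window_s:
            recent.popleft()              # forget moves outside the window
        if len(recent) >= max_moves:
            for _, old, new in recent:
                flagged[key].update((old, new))
    return {key: sorted(ports) for key, ports in flagged.items()}

if __name__ == "__main__":
    print(find_flapping(SAMPLES))
```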
