When a port configured with port security receives a frame, the source MAC address of the frame is compared to the list of secure source addresses that were manually configured or autoconfigured (learned) on the port. By limiting the number of permitted MAC addresses on a port to one, port security can be used to control the unauthorized expansion of the network.Īfter configuring or enabling port security, the MAC addresses are assigned to a secure port, the port does not forward frames with source MAC addresses outside the group of defined addresses. Port security allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses. It is the simplest and most effective method to prevent MAC flooding attack and CAM table overflow.
In order to mitigate CAM table overflow attacks, network administrators must implement port security.
How to prevent mac address flooding how to#
Prevent MAC Flooding Attack in Switches – Technig How to Prevent Mac Flooding Attack? When the CAM table of a switch is full, it starts broadcasting out all ports including those connecting to other Layer 2 switches. A tool such as Macof can flood a switch with up to 8,000 bogus frames per second creating a CAM table overflow attack in a matter of a few seconds.Īnother reason why these attack tools are dangerous is that they not only affect the local switch, they can also affect other connected Layer 2 switches. For instance, a Catalyst 6500 switch can store 132,000 MAC addresses in its CAM table. What makes these tools so dangerous is that an attacker can create a CAM table overflow attack in a matter of seconds.
Macof tools flood the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing). NOTE: Traffic is flooded only within the local VLAN, so the intruder sees only traffic within the local VLAN to which the intruder is connected.
As a result, the attacker can capture all of the frames sent from one host to another. When this occurs, the switch treats the frame as an unknown unicast and begins to flood all incoming traffic to all ports without referencing the CAM table. If enough entries are entered into the CAM table before older entries expire, the table fills up to the point that no new entries can be accepted. CAM table overflow attacks (also called MAC address overflow attacks) take advantage of this limitation by bombarding the switch with fake source MAC addresses until the switch MAC address table is full. How does CAM Table attack work?Īll CAM tables have a fixed size and consequently, a switch can run out of resources in which to store MAC addresses. However, if the destination MAC address is not in the CAM table, the switch will flood the frame out of all ports except for the frame’s port of ingress. If the destination MAC address is in the CAM table, the switch forwards the frame accordingly. Switches then compare the destination MAC unicast addresses of incoming frames to the entries in the CAM table to make port forwarding decisions. A CAM table is the same thing as a MAC address table. The CAM table binds and stores MAC addresses and associated VLAN parameters that are connected to the physical switch ports. A Layer 2 LAN switch builds a table of MAC addresses that are stored in its Content Addressable Memory (CAM). Before you can prevent MAC flooding attack on layer 2 devices, you must know enough about basic switch operation and MAC table attack.
0 kommentar(er)
