
I read an article today describing how a penetration tester was able to demonstrate creating a fake bank account with a $14 million balance. However, one paragraph describing the attack stood out:

Then he "flooded" switches -- small boxes that direct data traffic -- to overwhelm the bank's internal network with data. That kind of attack turns the switch into a "hub" that broadcasts data out indiscriminately.

I'm not familiar with the effect that is described. Is it really possible to force a switch to broadcast traffic to all of its ports by sending massive amounts of traffic? What exactly is going on in this situation?

Lucas

3 Answers

This is called MAC flooding. A "MAC address" is an Ethernet hardware address. A switch maintains a CAM table that maps MAC addresses to ports.

If a switch has to send a packet to a MAC address not in its CAM table, it floods it to all ports just like a hub does. So if you flood a switch with a large number of MAC addresses, you will force the entries of legitimate MAC addresses out of the CAM table and their traffic will be flooded to all ports.

Nathan C
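
A small simulation of the CAM-table overflow described in this answer (and in Sven's below), written as an added example rather than code from the post: the switch model, port numbers, table size and MAC addresses are all constructed. It also shows the defender-side check a port-security style limit on learned source MACs per port gives you, which flags the port doing the flooding.

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Switch with a bounded CAM table; the oldest-learned entry is evicted when it is full."""

    def __init__(self, ports, cam_size):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.cam = OrderedDict()  # MAC -> port, in learning order
        self.floods = 0  # frames sent to every other port, i.e. hub-like behaviour
        self.learned_per_port = {p: set() for p in self.ports}  # for the detection check

    def forward(self, src, dst, in_port):
        """Learn src on in_port, then return the list of ports the frame goes out on."""
        if src not in self.cam and len(self.cam) >= self.cam_size:
            self.cam.popitem(last=False)  # table full: evict the oldest entry
        self.cam[src] = in_port
        self.learned_per_port[in_port].add(src)
        if dst != BROADCAST and dst in self.cam:
            return [self.cam[dst]]  # known unicast: one port
        self.floods += 1
        return [p for p in self.ports if p != in_port]  # unknown or broadcast: flood

    def noisy_ports(self, max_macs):
        """Ports whose distinct-source-MAC count exceeds a port-security style limit."""
        return sorted(p for p, macs in self.learned_per_port.items() if len(macs) > max_macs)


def mac_flood_demo(cam_size=4, fake_macs=50):
    """Constructed scenario: two legitimate hosts on ports 1 and 2, a flooder on port 3."""
    sw = Switch(ports=[1, 2, 3], cam_size=cam_size)
    host_a, host_b = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    sw.forward(host_a, host_b, in_port=1)  # unknown dst: flooded, but A is learned
    sw.forward(host_b, host_a, in_port=2)  # B learned; A is known, so sent to port 1 only
    before = sw.forward(host_a, host_b, in_port=1)  # normal switching: [2]
    # The flooder sources many constructed MACs, pushing A and B out of the CAM table.
    for i in range(fake_macs):
        sw.forward("de:ad:be:ef:%02x:%02x" % (i // 256, i % 256), BROADCAST, in_port=3)
    after = sw.forward(host_a, host_b, in_port=1)  # B is no longer known: flooded to [2, 3]
    return before, after, sw.noisy_ports(max_macs=2)


if __name__ == "__main__":
    print(mac_flood_demo())  # ([2], [2, 3], [3])
```

Real switches hold thousands of entries and use hardware-specific replacement policies, but the effect is the same: once legitimate entries are gone, their unicast traffic is flooded until they are relearned.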

This is called MAC flooding and makes use of the fact that the CAM tables of switches are of limited length. If they overflow, a switch turns into a hub and sends out every packet to every port, which quickly can grind a network to a halt.

Edited to correct wrong terminology.

Sven

As has been explained above, the switch's MAC table is 'poisoned' with fake MAC addresses. This is easy to do with the macof program from the dsniff suite of tools. Warning: only try this for educational purposes in your own network, otherwise you will get into deep legal trouble!

http://www.monkey.org/~dugsong/dsniff/

Aaron Copley
Floyd