Switch Security (2)-MAC address flooding

Source: Internet
Author: User
Tags: snmp

MAC layer attack: MAC address flooding

A common Layer 2 (switch) attack is MAC flooding. The intruder sends frames with a large number of bogus source MAC addresses, which overflows the switch's CAM table. Once the table is full the switch can no longer learn new, legitimate entries, and because it cannot find the port that belongs to a destination MAC address it floods those frames out of all other ports, which degrades forwarding for every user on the network.

Attackers can use MAC flooding to cause a denial of service, or to capture packets from the whole network.

The capacity of the CAM table depends on the switch model; on the commonly used Catalyst access layer switches it is 8192 entries, which can be checked with the following command:

Switch#show mac-address-table count

The MAC address aging time is 300 seconds by default and can be checked with the following command:

Switch#show mac-address-table aging-time

Attack steps

1. The attacker sends many frames, each with a different source MAC address.

2. In a short time the switch's CAM table fills up and no new entries can be accepted. The attack must be sustained, otherwise the bogus MAC addresses are removed from the CAM table once they age out.

3. The switch begins flooding every frame it receives out of all ports. As a result, the attacker can capture all packets in the network from any port.

Defensive measures

Restrict the switch port to specific MAC addresses, or limit the number of MAC addresses allowed on it. The switch can learn the addresses automatically, or the administrator can configure them manually.

Step 1: Enable port security. Note that port security cannot be configured on a dynamic port; the port mode must first be set to access.

Switch#conf t

Enter configuration commands, one per line. End with cntl/z.

Switch(config)#int fa0/1

Switch(config-if)#switchport mode access

Switch(config-if)#switchport port-security

Step 2: Set the maximum number of MAC addresses allowed on the interface to 4 (the default is 1).

Switch(config-if)#switchport port-security maximum 4

Step 3: Specify the MAC address(es) allowed on the interface. This is optional; if no address is specified, the switch port automatically learns any 4 MAC addresses and serves only those 4.

Switch(config-if)#switchport port-security mac-address h.h.h

Step 4: Enable aging for the statically configured secure addresses on the port. When port security is enabled on a switch port, the secure MAC addresses it learns do not age out by default.

Switch(config-if)#switchport port-security aging static

Step 5: Define the action the interface takes when a frame from a disallowed MAC address arrives.

Switch(config-if)#switchport port-security violation {protect | restrict | shutdown}

protect: discards frames from unauthorized addresses, but creates no log message for the violation.

restrict: discards frames from unauthorized addresses, creates a log message and sends an SNMP trap.

shutdown: the default mode. When the switch receives a frame from an unauthorized address on the port, the port is placed in the err-disabled state, a log message is written and an SNMP trap is sent. The port must then be re-enabled manually by the administrator, or automatically through the errdisable recovery feature.
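The following Python model, added here and not part of the original article, ties the attack steps above to the port-security settings: it replays a burst of frames with distinct source MACs into a CAM table of the article's 8192-entry capacity with 300-second aging, once on a port without port security and once on a port limited to 4 addresses with each violation mode. The SecurePort class and burst() helper are constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

CAM_CAPACITY = 8192   # typical Catalyst access switch CAM size (from the article)
AGING_TIME = 300      # default MAC address aging time in seconds (from the article)

@dataclass
class SecurePort:
    """One access port (constructed model). maximum=None: port security disabled."""
    maximum: Optional[int] = None
    violation: str = "shutdown"                 # protect | restrict | shutdown
    secure: set = field(default_factory=set)    # static + learned secure MACs (never age)
    violations: int = 0
    err_disabled: bool = False

    def accept(self, mac):
        """True if a frame with this source MAC may be forwarded."""
        if self.err_disabled:
            return False                        # stays down until errdisable recovery
        if self.maximum is None or mac in self.secure:
            return True
        if len(self.secure) < self.maximum:
            self.secure.add(mac)                # learn like a dynamic/sticky secure address
            return True
        if self.violation != "protect":         # restrict/shutdown count, log and trap
            self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True            # port goes err-disabled on first violation
        return False

def simulate(frames, port, capacity=CAM_CAPACITY):
    """frames: (timestamp, src_mac) received on `port`.
    Returns (cam_entries_in_use, forwarded, dropped)."""
    cam, forwarded, dropped, last_t = {}, 0, 0, 0
    for t, mac in frames:
        if t > last_t:                          # age out idle entries on each time step
            cam = {m: s for m, s in cam.items() if t - s < AGING_TIME}
            last_t = t
        if not port.accept(mac):
            dropped += 1
            continue
        forwarded += 1
        if mac in cam or len(cam) < capacity:
            cam[mac] = t                        # a full CAM table learns nothing new
    return len(cam), forwarded, dropped

def burst(n, t=0):
    """Constructed burst of n frames with distinct locally administered source MACs."""
    return [(t, f"02:00:00:{(i >> 16) & 0xff:02x}:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}")
            for i in range(n)]
```

Without port security the whole CAM table is consumed by one port; with maximum 4 only four entries are ever learned, and the violation counter shows the difference between protect, restrict and shutdown.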

Check the port security configuration

Administrators can use the command "show port-security" to see which ports have the port security feature enabled.


Add the interface parameter to view the output for a specific interface, e.g. show port-security interface fa0/1.


You can also use the address parameter (show port-security address) to view the secure entries in the MAC address table. Note: the Remaining Age column is empty because, when port security is enabled on a switch port, the secure MAC addresses it learns do not age out by default. The value is displayed only after an aging time has been configured on the interface, with the command: switchport port-security aging time 300


The MAC addresses of the devices currently connected to the port can be viewed from the MAC address table, e.g. show mac-address-table interface fa0/1.


Port security with Sticky MAC addresses

The port security described above mitigates MAC address spoofing attacks only by limiting the number of MAC addresses allowed on each switch port; it does not tie the port to a specific MAC address.

The strictest port security implementation allows only specified MAC addresses on each port. That, of course, brings many access problems, and the administrator's workload also has to be considered. The sticky MAC address feature is a good solution to this problem.

With sticky MAC addresses the switch port learns the MAC address automatically and can then be restricted to accept only that single, specific address. The administrator no longer has to collect every legitimate device's MAC address and associate it with a switch port by hand, which greatly reduces the workload.

Command: Switch(config-if)#switchport port-security mac-address sticky

Principle: with sticky MAC addresses the switch port learns the MAC address automatically, remembers it, stores it as a static entry in the running configuration, and treats it as the only MAC address that port security allows on the port. If the switch is restarted, the MAC address has to be learned again.


1. The interface converts all dynamic secure MAC addresses into sticky secure MAC addresses, including addresses that were learned dynamically before the sticky learning feature was enabled.

2. The switch adds the sticky secure MAC addresses to the running configuration; they are not added to the startup configuration unless the administrator copies the running configuration to the startup configuration. If they are in the startup configuration, the MAC addresses do not need to be re-learned after the switch restarts.

3. This command cannot be used on voice VLAN interfaces.

In the output of show port-security address, the Type entry changes from the original "SecureDynamic" to "SecureSticky".


In the running configuration, the MAC address learned by the switch port is stored as a static entry.


Block unicast flooding on the necessary ports

By default, if the switch does not know the destination MAC address of a received frame, it floods the frame out of all ports in the VLAN to which the receiving port belongs.

However, some ports do not need flooding: ports with a manually configured MAC address, and ports where port security is enabled and a secure MAC address has been configured or the maximum number of MAC addresses has already been learned. Blocking flooding on such ports reduces unnecessary traffic.

You can limit unicast flooding for unknown destination MAC addresses, or you can limit multicast flooding for unknown destination MAC addresses.



This article is from the "Hai na Hundred Chuan" blog; please contact the author before reproducing it.
