Wireless Security Topic: Attack - MAC Flood Attack


The previous post in this wireless security series, on attacks that interfere with communication, did not stay on the home page long before it was taken down. It seems that from now on I should explain not only the attack in practice but also the technical principles and the defense methods. This article is about the MAC flooding attack on a local area network. The main purpose of this attack is to steal data communicated over the LAN, such as an FTP account and password, and the hands-on section below uses that as its example. The article proceeds in order: principle, scenario, attack in practice, defense methods.

I. The principle of the MAC flood attack

The MAC flooding attack mainly exploits the MAC learning and aging mechanisms of a LAN switch.

1.1 Switch workflow

PC1 on the LAN sends a data frame to PC2. When the frame passes through the switch, the switch looks up the frame's destination MAC address in its internal MAC address table. If the address is found, the switch sends the frame to the corresponding port; if not, the switch sends the frame to all ports except the incoming port (this is loosely called broadcasting, but the frame is not a broadcast frame; the destination MAC address of a broadcast frame is all F).

The key to the switch's forwarding function is therefore the internal MAC address table. How is this table formed, and what are its properties? The next sections explain the switch's MAC learning and aging mechanisms.

1.2 MAC learning mechanism of the switch

1. First, look at the structure of the internal MAC table. The table has a limited size, generally about 8k; once the table is full, no other MAC address will be added.

The internal MAC table binds each host's MAC address to the number of the switch port it is attached to, so that frames can be forwarded according to the MAC address that is looked up.

2. In the beginning, no host is connected and the MAC table inside the switch is empty. This is when learning takes place.

Imagine a scene: PC1 now sends data to PC2. When the data frame passes through the switch, the switch records the frame's source MAC address and the incoming port number in the MAC table. Because the MAC table does not yet hold a MAC-to-port binding for PC2, the switch forwards the frame to the entire network. This is what is called broadcasting, also called flooding.

    1. After the switch has forwarded the data frame to the whole network, each host's protocol stack compares the frame's destination MAC address with its own. If they are the same, the host answers; if not, it discards the frame (Note: the network cards of hosts whose MAC address does not match still receive the frame and simply ignore it. The frame can be seen when capturing packets on the network card).
    2. At this point, PC2 receives the data frame and responds. When the reply frame passes through the switch, the switch learns the reply's source MAC address and port number into the MAC table, which is the MAC-to-port binding for PC2.
    3. Based on the destination MAC address of the reply frame, the switch queries the MAC table, finds that a record for PC1 exists, and sends the reply frame directly to PC1 through the bound port. This is the entire MAC address table learning process.

1.3 MAC aging mechanism of the switch

If the switch has not seen traffic from a host for a long time, it removes that host's MAC address from the MAC address table and learns the address again at the next communication.

1.4 Possibility of flooding attacks

    • In normal communication, data is broadcast only when the MAC table does not yet hold the MAC and port of the target host. As long as the MAC table holds the corresponding binding, communication between the two hosts is forwarded directly by the switch according to the MAC-to-port binding, and other hosts do not get the data passing between them.
    • The goal of flooding is to obtain the data communicated between hosts. To achieve this, the switch must be forced to broadcast the data, which means making sure the MAC table holds no MAC-to-port binding for the target host. The flood attack does this by forging a large volume of traffic from unknown MAC addresses. The switch keeps learning and the MAC table soon fills up, so that once a legitimate host's MAC address has aged out it can no longer be added to the MAC address table, and the resulting data is broadcast.

II. Attack scenario

FTP server: I used FileZilla Server on a single Windows host to build an FTP server with an IP address of 
For how to build an FTP server, please refer to http://jingyan.baidu.com/article/6079ad0e67acf828ff86db3f.html. The FTP account is Qiye and the password is qiye123789.

PC1: Another host on the LAN, running the Win7 operating system, acting as the FTP client. The IP address is

PC2: My personal laptop, acting as the attacking machine, running Kali, with an IP address of

III. The attack in practice

The tool used to carry out the MAC flooding attack is macof on the Kali system, which sends a large number of packets with spoofed MAC addresses.

In the first step, I started macof on PC2 in multiple windows, to fill the switch's MAC table as fast as possible.

At the same time, I opened another window and used tcpdump to capture packets, filtering for FTP packets on port 21.

In the second step, I used PC1 to log on to the FTP server. You can log in either from the browser or with the FTP client that comes with Win7.

The third step is to check whether the FTP login information broadcast by the switch was captured on PC2.

As can be seen, I successfully captured the account and password that PC1 used to log in to the FTP server. I also captured the traffic with Wireshark, which may look more intuitive.

IV. Defense methods

Limit the number of MAC addresses the switch will accept on each port. For example, configure a switch port so that it can learn 8 MAC addresses; beyond 8 it stops learning and discards any later MACs. This feature is generally available on advanced switches.
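To make the mechanism in section 1.4 and the port limit above concrete, here is an added Python model (it is not from the original article and is not how any particular switch is implemented). The class and function names, the 64-entry table, the 300-second aging time and the choice to drop frames from MACs over the port limit are assumptions made for the illustration; all addresses are constructed.

```python
# Added illustration: toy model of a switch MAC table, not real switch firmware.
class Switch:
    def __init__(self, ports, capacity, aging=300, port_limit=None):
        self.ports, self.capacity, self.aging = ports, capacity, aging
        self.port_limit = port_limit  # max MACs learned per port (None = no limit)
        self.table = {}               # MAC -> (port, time last seen)

    def _learn(self, mac, port, now):
        """Record or refresh a source MAC; False only when the port limit rejects it."""
        if mac in self.table:
            self.table[mac] = (port, now)
            return True
        on_port = sum(1 for p, _ in self.table.values() if p == port)
        if self.port_limit is not None and on_port >= self.port_limit:
            return False              # assumption: frames from excess MACs are dropped
        if len(self.table) < self.capacity:
            self.table[mac] = (port, now)
        return True                   # table full: not learned, frame still forwarded

    def receive(self, src, dst, in_port, now):
        """Return the ports the frame is sent out of."""
        # Aging: forget entries that have been idle for `aging` seconds or more.
        self.table = {m: (p, t) for m, (p, t) in self.table.items()
                      if now - t < self.aging}
        if not self._learn(src, in_port, now):
            return []
        if dst in self.table:
            return [self.table[dst][0]]
        return [p for p in self.ports if p != in_port]   # unknown destination: flood


def scenario(port_limit=None):
    """Ports reached by three PC1<->server frames sent after a burst of unknown MACs."""
    pc1, server = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"   # constructed addresses
    sw = Switch(ports=[1, 2, 3], capacity=64, port_limit=port_limit)
    sw.receive(pc1, server, 1, now=0)      # PC1 on port 1, FTP server on port 2
    sw.receive(server, pc1, 2, now=0)
    # At t=400 the idle entries have aged out; port 3 presents 100 unseen source MACs.
    for i in range(100):
        sw.receive(f"02:00:00:00:00:{i:02x}", "ff:ff:ff:ff:ff:ff", 3, now=400)
    return [sw.receive(pc1, server, 1, now=401),
            sw.receive(server, pc1, 2, now=401),
            sw.receive(pc1, server, 1, now=401)]


if __name__ == "__main__":
    print("no limit :", scenario())               # every frame also reaches port 3
    print("limit = 8:", scenario(port_limit=8))   # only the first frame reaches port 3
```

Even with the limit, the first frame after aging is still flooded because the server's address has to be relearned; the difference is that learning then succeeds and the later frames stay on their own ports.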

That is all for today's share; the next post will continue the analysis. If you think it is good, remember to recommend it.


This article is an original work; everybody is welcome to reprint and share it. Please respect the original and, when reprinting, specify the source: Seven Night story http://www.cnblogs.com/qiyeboy/
