What is MAC Flooding? How to prevent it?

What is MAC Flooding?

MAC flooding is a network attack that targets a network switch’s MAC address table (also known as a CAM table). The MAC address table in a switch keeps track of which MAC addresses are associated with each physical port, enabling the switch to forward frames only to the appropriate port rather than broadcasting them to all ports.

In a MAC flooding attack, an attacker sends a large number of packets with fake or random source MAC addresses into the network. This causes the MAC address table of the switch to fill up quickly. When the table reaches its capacity, the switch can no longer map MAC addresses to specific ports, and it enters a fail-open mode where it starts flooding incoming traffic out of all ports, similar to how a hub operates.

This behavior allows the attacker to:

• Intercept traffic: Because the switch is now broadcasting traffic to all ports, the attacker can capture data that was originally meant for other hosts.
• Perform man-in-the-middle (MITM) attacks: By capturing broadcasted traffic, attackers can attempt to manipulate or analyze the data, potentially accessing sensitive information like login credentials or personal data.

How to Prevent MAC Flooding?

Preventing MAC flooding attacks involves implementing several network security measures and configurations on switches. Here are the most effective methods:

1. Use Port Security

Port security is a feature that can be configured on managed switches to limit the number of MAC addresses that can be learned on a port. It is one of the most effective ways to prevent MAC flooding attacks.

• Set a MAC Address Limit: You can configure the switch to allow only a specific number of MAC addresses per port. For example, if a port is connected to a workstation, you might set the limit to one or two MAC addresses.
• Sticky MAC Addressing: This feature allows the switch to automatically learn and remember the MAC addresses connected to a specific port, storing them in the switch configuration. This can prevent unauthorized devices from being used on that port.
• Actions for Violations: Configure actions such as shutting down the port, restricting traffic, or generating an alert if the MAC address limit is exceeded.

Example Configuration (Cisco Switch):

This configuration sets up port security on a Cisco switch, allowing a maximum of two MAC addresses and using the sticky learning feature.

2. Enable VLAN Segmentation

Using VLANs (Virtual Local Area Networks) helps isolate different parts of your network, minimizing the scope of a MAC flooding attack. If the attack is directed at a specific VLAN, it will not impact devices on other VLANs.

• Separate Sensitive Devices: For example, keep servers, management interfaces, and critical devices on their own VLAN.
• Use Private VLANs: Private VLANs provide even finer granularity by isolating traffic within a VLAN.

By segmenting the network, you limit the broadcast domain and thus reduce the number of devices that could be affected by a MAC flooding attack.

3. Implement DHCP Snooping

DHCP snooping is a security feature that helps prevent certain types of attacks by monitoring DHCP traffic on trusted and untrusted ports. Although it’s primarily used to protect against DHCP spoofing attacks, it also helps to control the assignment of IP addresses on a network.

• Trusted Ports: Designate ports connected to DHCP servers as trusted.
• Untrusted Ports: Designate ports connected to clients as untrusted. This way, if an attacker tries to introduce a rogue DHCP server or perform MAC flooding, it can be detected and blocked.

By enabling DHCP snooping in conjunction with port security, you can further secure your network from various attacks.

4. Use Managed Switches

Managed switches offer advanced security features that can protect against MAC flooding attacks. These switches typically include options for port security, VLANs, and monitoring.

• Access Control Lists (ACLs): Configure ACLs to restrict traffic based on MAC or IP addresses, providing additional layers of control.
• Monitoring and Logging: Managed switches often have better monitoring and logging capabilities, allowing you to detect unusual activity that could indicate a MAC flooding attempt.

5. Enable Dynamic ARP Inspection (DAI)

Dynamic ARP Inspection works alongside DHCP snooping to prevent ARP spoofing attacks, but it also helps in detecting anomalous MAC address activity. By validating ARP packets against the DHCP snooping database, DAI can detect and mitigate the effects of a MAC flooding attack.

6. Regularly Monitor Network Traffic

Continuous monitoring of network traffic can help identify potential MAC flooding attacks before they cause significant damage. Tools like Wireshark, SNMP-based monitoring, and intrusion detection systems (IDS) can alert network administrators to unusual levels of broadcast traffic or a rapid increase in new MAC addresses.

• Set Up Alerts: Configure your network monitoring tools to send alerts if the MAC table size reaches a certain threshold or if there is an unusual amount of broadcast traffic.

7. Upgrade to Switches with Larger MAC Tables

If possible, use switches with larger MAC address tables, as this will make it more difficult for an attacker to fill up the table quickly. However, this is not a standalone solution, as determined attackers can still flood larger tables, but it can buy you more time to detect and respond to an attack.

Conclusion

MAC flooding is a serious network security threat that can compromise the confidentiality and integrity of data on a network. By implementing port security, VLAN segmentation, DHCP snooping, and other security measures, you can effectively mitigate the risks associated with MAC flooding. The key is to combine multiple security strategies and regularly monitor network activity to ensure early detection and prevention of potential attacks.