In computer networking, a media access control attack or MAC flooding is a technique employed to compromise the security of network switches. The attack works by evicting legitimate entries from the switch's MAC address table (often called the CAM table) and thereby forcing unknown-unicast flooding, potentially sending sensitive information to portions of the network where it is not normally intended to go.

Attack method


Switches maintain a MAC table that maps individual MAC addresses on the network to the physical ports on the switch. This allows the switch to direct data out of the physical port where the recipient is located, as opposed to indiscriminately broadcasting the data out of all ports as an Ethernet hub does. The advantage of this method is that data is bridged exclusively to the network segment containing the computer that the data is specifically destined for.

In a typical MAC flooding attack, a switch is fed many Ethernet frames, each containing a different source MAC address, by the attacker. The intention is to consume the limited memory set aside in the switch to store the MAC address table.[1]

The effect of this attack may vary across implementations; however, the desired effect (by the attacker) is to force legitimate MAC addresses out of the MAC address table, causing significant quantities of incoming frames to be flooded out on all ports. It is from this flooding behavior that the MAC flooding attack gets its name.

After launching a successful MAC flooding attack, a malicious user can use a packet analyzer to capture sensitive data being transmitted between other computers, which would not be accessible were the switch operating normally. The attacker may also follow up with an ARP spoofing attack, which will allow them to retain access to privileged data after switches recover from the initial MAC flooding attack.

MAC flooding can also be used as a rudimentary VLAN hopping attack.[2]

Countermeasures


To prevent MAC flooding attacks, network operators usually rely on the presence of one or more features in their network equipment:

  • With a feature often called "port security" by vendors, many advanced switches can be configured to limit the number of MAC addresses that can be learned on ports connected to end stations.[3] A smaller table of secure MAC addresses is maintained in addition to (and as a subset of) the conventional MAC address table. The operator also has to choose what the switch does when a port exceeds its limit; vendors typically offer dropping the offending frames, dropping them and logging the violation, or shutting the port down until it is re-enabled.
  • Many vendors allow discovered MAC addresses to be authenticated against an authentication, authorization and accounting (AAA) server and subsequently filtered.[4]
  • Implementations of IEEE 802.1X suites often allow packet filtering rules to be installed explicitly by an AAA server based on dynamically learned information about clients, including the MAC address.
  • Security features to prevent ARP spoofing or IP address spoofing in some cases may also perform additional MAC address filtering on unicast packets; however, this is an implementation-dependent side-effect.
  • Additional security measures are sometimes applied along with the above to prevent normal unicast flooding for unknown MAC addresses.[5] This feature usually relies on the "port security" feature to retain all secure MAC addresses for at least as long as they remain in the ARP table of layer 3 devices. Hence, the aging time of learned secure MAC addresses is separately adjustable. This feature prevents packets from flooding under normal operational circumstances, as well as mitigating the effects of a MAC flood attack.
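The following is an added example, not code from the original article or from any switch vendor: a toy Python model of a learning switch with a bounded MAC table, used to show both the attack described above (an attacker on one port sourcing many fake MAC addresses until legitimate entries are evicted and unicast traffic between two other hosts is flooded to the attacker's port) and the "port security" countermeasure (a per-port cap on learned addresses). The table size of 64, the port numbers, the host MAC addresses and the attacker's sequence of locally administered source addresses are all constructed for the example; real switches hold thousands of entries and age them by timer rather than by insertion order.

```python
from collections import OrderedDict, defaultdict

TABLE_SIZE = 64  # hypothetical CAM capacity; real switches hold thousands of entries


class Switch:
    """Minimal learning switch with a bounded MAC table and optional port security."""

    def __init__(self, ports, table_size=TABLE_SIZE, port_security=None):
        self.ports = list(ports)
        self.table_size = table_size
        self.table = OrderedDict()                 # mac -> port, oldest entry first
        self.port_security = port_security or {}   # port -> max MACs it may learn
        self.secure = {p: set() for p in self.port_security}
        self.violations = []                       # (port, mac) refused by port security
        self.seen = defaultdict(set)               # port -> distinct source MACs observed

    def learn(self, src, port):
        """Record src on port; return False if port security refuses the address."""
        limit = self.port_security.get(port)
        if limit is not None and src not in self.secure[port]:
            if len(self.secure[port]) >= limit:
                self.violations.append((port, src))
                return False
            self.secure[port].add(src)
        if src in self.table:
            self.table.move_to_end(src)   # refresh: like resetting the aging timer
        self.table[src] = port
        while len(self.table) > self.table_size:
            victim = next((m for m in self.table if not self._is_secure(m)), None)
            if victim is None:
                break
            del self.table[victim]        # evict the oldest dynamically learned entry
        return True

    def _is_secure(self, mac):
        return any(mac in s for s in self.secure.values())

    def forward(self, src, dst, in_port):
        """Return the list of egress ports for a frame (empty if dropped)."""
        self.seen[in_port].add(src)       # per-port source count: the detection signal
        if not self.learn(src, in_port):
            return []                     # port-security violation: frame dropped
        out = self.table.get(dst)
        if out is None:                   # unknown unicast: flood every other port
            return [p for p in self.ports if p != in_port]
        return [] if out == in_port else [out]


def scenario(port_security=None, flood_frames=500):
    """Alice (port 1) talks to Bob (port 2); an attacker on port 3 floods source MACs."""
    sw = Switch(ports=[1, 2, 3], port_security=port_security)
    alice, bob, attacker_port = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", 3
    sw.forward(alice, bob, 1)             # Bob unknown yet: flooded once, Alice learned
    sw.forward(bob, alice, 2)             # Bob learned; from now on unicast is switched
    before = sw.forward(alice, bob, 1)
    # Constructed attack traffic: a fresh locally administered source MAC per frame.
    for i in range(flood_frames):
        fake_src = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        sw.forward(fake_src, "ff:ff:ff:ff:ff:ff", attacker_port)
    after = sw.forward(alice, bob, 1)
    return {
        "before_flood": before,
        "after_flood": after,
        "table_entries": len(sw.table),
        "violations": len(sw.violations),
        "distinct_sources_on_attacker_port": len(sw.seen[attacker_port]),
    }


if __name__ == "__main__":
    print("no port security:", scenario())
    print("port security, max 2 MACs on port 3:", scenario(port_security={3: 2}))
```

Without port security the Alice-to-Bob frame that was switched only to port 2 before the flood is delivered to ports 2 and 3 afterwards, which is exactly what lets the attacker's packet analyzer see it. With a limit of two addresses on port 3 the attacker learns only two entries, the rest are counted as violations, and the legitimate traffic keeps its single egress port. The `seen` counter is the simplest detection heuristic: an access port that sources hundreds of distinct MAC addresses in a short interval is almost certainly being flooded.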

References

  1. ^ "VLAN Security White Paper: Cisco Catalyst 6500 Series Switches". Cisco Systems. 2002. Archived from the original on 8 June 2011. Retrieved 31 January 2015.
  2. ^ Steve A. Rouiller, Virtual LAN Security: weaknesses and countermeasures, SANS Institute, retrieved 2017-11-17
  3. ^ Business Series Smart Gigabit Ethernet Switch User Guide, Linksys, 2007, p. 22
  4. ^ "guide/Mac Auth". Freeradius.org. 2015. Retrieved 31 January 2015.
  5. ^ "Blocking Unknown Unicast Flooding". PacketLife.net. 4 June 2010. Retrieved 31 January 2015.
