Switch Attack
the_hutch (Banned, Posts: 827):
Okay, so having a brainfart here. There is an attack that helps you monitor traffic on a switch by overloading the flash memory of a switch with port and MAC address associations. The switch then reacts to the memory overload by beginning to broadcast all traffic. I can't remember what this is called. Anybody???
Comments
-
busines4u (Member, Posts: 67):
I think you are referencing a MAC flooding attack. This will consume all of the CAM table entries and thus turn the switch into a hub, sending all incoming frames out of all ports.
-
JDMurray (Admin, Posts: 13,091):
MAC flooding is not cache poisoning. Sending unsolicited ARP RESPONSE messages with bad information is an ARP cache poisoning attack or ARP spoofing attack. MAC flooding is overwhelming a switch with many frames with different MAC addresses to get the switch to exceed its CAM table buffer space and fail over to broadcast mode to keep network traffic flowing. A switch's response to MAC flooding is therefore "not a bug, but a feature."
-
dmoore44 (Member, Posts: 646):
I get the basic premise of the attack, but I have no practical experience with relation to a MAC flood... So, my question is this: at what point does the switch recover? Does an attacker need to continue flooding a switch with MACs in order to keep the switch in broadcast mode? Does a switch auto-recover from a MAC flood, or does a network admin need to pull the plug and reboot it?
Graduated Carnegie Mellon University MSIT: Information Security & Assurance | Currently Reading: Books on TensorFlow
-
chaser7783 (Member, Posts: 154):
Went to a talk at Defcon one year where they talked about VLAN layer 2 attacks and MAC flooding.
Here is the link to the PDF of the presentation. Starts on pg. 10, "MAC Flooding/CAM table overflow attack":
https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-figueroa-williams.pdf
-
MickQ (Member, Posts: 628):
I would assume it would recover when the MACs are timed out of the CAM. That is assuming that none have since been learned by the switch.
-
the_hutch (Banned, Posts: 827):
Yes, MAC flood is what I was referring to. Thank you all. I just got ahold of a Cisco Catalyst 4006 36-port switch and wanted to try this soon.
-
JDMurray (Admin, Posts: 13,091):
It will be interesting to see how many ports need to be flooded before it changes to broadcast. For max fault tolerance, I would assume only one.
-
dmoore44 (Member, Posts: 646):
chaser7783 wrote:
> Went to a talk at Defcon one year where they talked about VLAN layer 2 attacks and MAC flooding.
> Here is the link to the PDF of the presentation. Starts on pg. 10, "MAC Flooding/CAM table overflow attack":
> https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-figueroa-williams.pdf
Cool - thanks for the heads up. I'll give the document a look a little later tonight.
-
docrice (Member, Posts: 1,706):
I've heard it referred to as CAM table overflowing. Port-security on Cisco switches (and whatever it's called on other vendors of managed switches) should help mitigate this. I'd say try it on a dumb switch for easier results.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
-
quinnyfly (Member, Posts: 243):
the_hutch wrote:
> Okay, so having a brainfart here. There is an attack that helps you monitor traffic on a switch by overloading the flash memory of a switch with port and MAC address associations. The switch then reacts to the memory overload by beginning to broadcast all traffic. I can't remember what this is called. Anybody???
I'd say MAC flooding, especially if the switch is in promiscuous mode? Sounds like a kind of buffer overflow causing a DoS. Just a stab in the dark straight out of bed and still scratching my head!
The Wings of Technology
-
JDMurray (Admin, Posts: 13,091):
Yep, nothing is getting blocked or denied, but the increased bandwidth usage from the frame flooding will lag the network quite a bit. And yes, it makes sniffing a lot easier too.
-
bryguy (Member, Posts: 190):
docrice wrote:
> I've heard it referred to as CAM table overflowing. Port-security on Cisco switches (and whatever it's called on other vendors of managed switches) should help mitigate this. I'd say try it on a dumb switch for easier results.
Think you can also use the "switchport block unicast" command, which will drop the frame once the CAM table is full, as opposed to flooding it out all ports. Not sure if, with the latest IOS, this is on by default, so you may want to turn it off if you're intentionally trying to perform a MAC flooding attack in order to sniff the traffic.
-
chaser7783 (Member, Posts: 154):
Could you not also use the mac-address-table learning command to limit the number of MAC addresses learned per port to mitigate a CAM table overflow?
-
chaser7783 (Member, Posts: 154):
Also found this white paper: "MAC Address Overflow Attack and Mitigation Techniques [Cisco Catalyst 6500 Series Switches]" - Cisco Systems
They talk about MAC address monitoring in the summary:
> MAC address monitoring is a feature present on Cisco Catalyst 6500 Series switches. This feature helps mitigate MAC address flooding and other CAM overflow attacks by limiting the total number of MAC addresses learned by the switch on a per-port or per-VLAN basis. With MAC Address Monitoring, a maximum threshold for the total number of MAC addresses can be configured and enforced on a per-port and/or per-VLAN basis. MAC address monitoring in Cisco IOS Software allows the definition of a single upper (maximum) threshold. In addition, the number of MAC addresses learned can only be monitored on a per-port or per-VLAN basis, and not per-port-per-VLAN. By default, MAC address monitoring is disabled in Cisco IOS Software. However, the maximum threshold for all ports and VLANs is configured to 500 MAC address entries, and when the threshold is exceeded the system is set to generate a system message along with a syslog trap. These default values take effect only when MAC address monitoring is enabled. The system can be configured to notify or disable the port or VLAN every time the number of learned MAC addresses exceeds the predefined threshold. In our test, we used the "mac-address-table limit" command on the access layer port interface to configure the MAC address monitoring feature.
-
JDMurray (Admin, Posts: 13,091):
That feature allows the switch to drop traffic, rather than failing over to "hub mode," as a configuration choice made by the customer.
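The switch behaviour discussed in this thread, as an added example that is not code posted by anyone above: a toy Python model of a CAM table with entry aging, showing why frames to a host get flooded out all ports while the table is full of bogus addresses, when the switch recovers on its own (dmoore44's and MickQ's point: once the bogus entries age out and are not refreshed), and what a per-port learned-MAC limit of the kind docrice, bryguy and chaser7783 mention changes. The 8-entry capacity, the 300-second aging time and every MAC address are constructed values for the model, not parameters of any real switch.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
@dataclass
class CamTable:
    """Toy model of a switch forwarding table: MAC -> (port, last-seen time). Constructed for illustration."""
    capacity: int                          # total entries the table can hold
    aging_secs: int = 300                  # entry aging time (300 s used here as a plausible default)
    per_port_limit: Optional[int] = None   # models a per-port learned-MAC maximum (port-security style)
    entries: Dict[str, Tuple[int, int]] = field(default_factory=dict)
    violations: List[Tuple[int, str, int]] = field(default_factory=list)

    def _expire(self, now: int) -> None:
        for mac in [m for m, (_, seen) in self.entries.items() if now - seen >= self.aging_secs]:
            del self.entries[mac]

    def learn(self, src_mac: str, port: int, now: int) -> str:
        """Learn or refresh src_mac on port; returns what the table did with it."""
        self._expire(now)
        if src_mac in self.entries:
            self.entries[src_mac] = (port, now)
            return "refreshed"
        on_port = sum(1 for p, _ in self.entries.values() if p == port)
        if self.per_port_limit is not None and on_port >= self.per_port_limit:
            self.violations.append((port, src_mac, now))   # frame would be dropped and logged
            return "limit_violation"
        if len(self.entries) >= self.capacity:
            return "table_full"                            # forwarded, but the address is never learned
        self.entries[src_mac] = (port, now)
        return "learned"

    def forward(self, dst_mac: str, now: int):
        """Egress port for dst_mac, or 'FLOOD' when the address is unknown (the hub-like fallback)."""
        self._expire(now)
        return self.entries[dst_mac][0] if dst_mac in self.entries else "FLOOD"

def flood_scenario(per_port_limit: Optional[int] = None) -> dict:
    """Replay a CAM overflow against an 8-entry table and report how frames to the victim are forwarded."""
    cam = CamTable(capacity=8, per_port_limit=per_port_limit)
    victim, server = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"   # constructed addresses
    cam.learn(victim, 1, now=0)
    cam.learn(server, 2, now=0)
    bogus = [f"de:ad:be:ef:00:{i:02x}" for i in range(20)]     # constructed source MACs seen on port 3
    for t in (1, 300):                # burst at t=1, refreshed once at t=300 (just as legit entries age out)
        for mac in bogus:
            cam.learn(mac, 3, now=t)
    cam.learn(victim, 1, now=301)                               # victim transmits; can it be re-learned?
    during = cam.forward(victim, now=301)                       # server -> victim while the table is full
    cam.learn(victim, 1, now=600)                               # bogus entries have aged out by now
    after = cam.forward(victim, now=600)
    return {"during": during, "after": after, "violations": len(cam.violations)}
```

Without a limit the victim's frames are flooded at t=301 and unicast again at t=600; with `per_port_limit=2` only two bogus addresses are ever learned on port 3, the table never fills, and the victim's traffic stays unicast throughout.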