
MAC flooding

MAC flooding is a Layer 2 attack in computer networking that targets Ethernet switches by filling their content addressable memory (CAM) tables with a large number of fabricated source MAC addresses. Once the table is full the switch can no longer learn addresses, and any frame whose destination MAC it does not know is flooded out every port in the VLAN, much as a hub would forward it. This degrades performance and lets an attacker on any port sniff traffic that the switch would otherwise deliver only to its destination. The technique exploits the limited capacity of the CAM table, which stores mappings between MAC addresses and physical ports to enable efficient frame forwarding (typically holding from a few thousand to more than a hundred thousand entries depending on the hardware, as of 2025). Attackers commonly use tools such as macof from the dsniff package to generate thousands of dummy Ethernet frames per second, each with a fresh random source address, rapidly filling the table and forcing the switch into hub-like behaviour for destinations it has not learned.

Fundamentals of Ethernet Switching

MAC Address Learning

A MAC address is a 48-bit unique hardware identifier assigned to a network interface for use in communications within a network segment. These addresses, standardized by the IEEE 802 committee, consist of a 24-bit Organizationally Unique Identifier (OUI) allocated by the IEEE to a manufacturer and 24 bits assigned by that manufacturer, which together are intended to ensure global uniqueness. MAC address learning was introduced with Ethernet bridges in the 1980s to address the limitations of hubs and repeaters, which forward all traffic indiscriminately and waste bandwidth in larger networks. Developed by engineers at Digital Equipment Corporation (DEC), bridges improved on this by dynamically building mappings of MAC addresses to ports, enabling selective frame forwarding and reducing unnecessary traffic. In modern Ethernet switches, which evolved from these bridges, the learning process operates as follows: upon receiving an Ethernet frame on a port, the switch examines the source MAC address in the frame header and checks its forwarding database. If the source MAC is not already associated with that port, the switch adds or updates an entry, typically recording the MAC address, the ingress port number and, in VLAN-enabled networks, the VLAN identifier. Entries are stored in content addressable memory (CAM) tables for rapid lookup. To keep the table accurate as the network changes, unused entries age out after a default period (300 seconds on many platforms) unless refreshed by further frames from the same source. This learning mechanism is what makes unicast forwarding efficient: the switch consults the MAC-to-port mapping and sends a frame only to the destination port, instead of to every port as a hub would. When a destination MAC is not in the table (an "unknown unicast"), the switch has no choice but to flood the frame out every port in the VLAN except the one it arrived on, which is exactly the condition MAC flooding forces. Note that this flooding does not change collision domains, since each switch port is already its own collision domain; its cost is wasted bandwidth and traffic exposed to every port.

Content Addressable Memory (CAM) Tables

Content addressable memory (CAM) is a specialized memory component in Ethernet switches designed for very fast lookups: an input value, typically a destination MAC address, is compared against all stored entries in parallel. This associative search returns the matching entry's associated data, such as the output port, in a single clock cycle, enabling the low-latency Layer 2 forwarding that high-throughput networks require. Because the comparison is done in dedicated hardware rather than on a general-purpose processor, CAM achieves lookup speeds unattainable with software-based alternatives and supports wire-speed switching at gigabit rates and beyond. A CAM table consists of fixed-size entries, each containing the 48-bit MAC address, the corresponding switch port, a VLAN identifier for segmentation and an aging timer recording the time since the address was last seen. The aging timer, which defaults to 300 seconds on many platforms, allows automatic removal of stale entries so that the table does not accumulate dead addresses. Entries are populated dynamically through MAC address learning from incoming frame source addresses, with capacities typically ranging from 1,000 to 128,000 entries depending on the switch model. In many implementations the table is organized as a hash table of fixed-size buckets, so an address can fail to be learned when its bucket is full even if the table as a whole still has free slots. The key limitation of CAM tables is their finite capacity, which leads to table exhaustion when the number of unique addresses exceeds the available entries. In that case the switch discards new learning attempts and, for any destination it does not know, floods frames across all ports in the VLAN, effectively behaving like a hub for those destinations (a fail-open mode). This hardware constraint is what MAC flooding exploits, and it underscores the need for per-port limits on learned addresses rather than relying on table size alone. Compared with software-based forwarding tables in routers, which use sequential searches or hash functions that require multiple memory accesses and CPU cycles, CAM excels in Layer 2 environments by providing hardware-accelerated, exact-match lookups optimized for Ethernet's flat addressing model.
This distinction highlights CAM's role in bridging the performance gap between legacy hubs and modern switched networks, prioritizing speed over the flexibility of software-managed tables.

The Attack

Mechanism of MAC Flooding

MAC flooding is a Layer 2 attack that exploits the dynamic learning mechanism of Ethernet switches to overflow their content addressable memory (CAM) tables. An attacker must first gain physical or logical access to a switch port within the target local area network (LAN) or virtual LAN (VLAN), so that they can inject frames directly into the shared broadcast domain. This prerequisite ensures the attacker's frames are processed by the switch alongside legitimate traffic, without requiring elevated privileges on any host. The core technique involves rapidly transmitting Ethernet frames whose source MAC addresses are spoofed and randomly generated, all originating from the attacker's single connected port. The switch, following IEEE 802.1D transparent bridging, learns each source address by associating it with the ingress port and storing it in the CAM table for later forwarding. On many switch ASICs the 48-bit addresses are hashed into fixed-size table buckets, typically holding up to 8 entries each, and an occupied slot is reused only once its entry has aged out (usually after 300 seconds of inactivity). By generating frames faster than entries age out, the attacker fills the CAM table with bogus entries before legitimate addresses can be learned or refreshed. Success depends on overwhelming the table's finite capacity, often between 8,000 and 131,000 entries depending on the switch model. The attacker typically needs thousands of unique MAC addresses per second; at roughly 2,500 per second a 131,000-entry table fills in under a minute, and tools such as macof run considerably faster than that. Once the table is full, the switch can no longer learn new addresses. Legitimate hosts whose entries age out, and any host that connects during the attack, are then unknown to the switch, so frames addressed to them are treated as unknown unicast and, per IEEE 802.1D, flooded out all ports in the VLAN rather than delivered to the correct port. Frames to destinations that are still in the table continue to be forwarded normally, which is why the flood has to be sustained: the attacker keeps the table full until the entries for the hosts of interest expire.
Variants of the attack include single-port flooding, where all spoofed frames emanate from one connection, and multi-port flooding if the attacker controls multiple switch ports, which accelerates the overflow by distributing the load. The technique can also be combined with ARP spoofing, for example by sending gratuitous ARP replies with forged MAC addresses, which populate the CAM table and additionally poison neighbours' ARP caches, prompting responses that indirectly add to the flood volume. The exploitation relies solely on the standard, unauthenticated frame-learning process defined in IEEE 802.1D, so it applies to any compliant Ethernet switch that does not enforce per-port limits on learned addresses.
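To make the mechanism concrete, here is a small model of a bucketed CAM table with aging, written for this page as an added example; it is not code from the original page or from any switch vendor. The table size, bucket width and the use of SHA-1 in place of the ASIC's address hash are assumptions chosen so the overflow is visible after a couple of thousand frames, and the host addresses and port numbers are constructed. The simulation shows the three effects described above: a flood of random sources exhausts the table, a host that connects during the flood cannot be learned and is flooded immediately, and an existing host becomes flooded once its entry ages out while the attacker keeps the table full.

```python
import hashlib
import random

BUCKETS = 16          # assumption: a tiny table so exhaustion shows quickly
BUCKET_WAYS = 8       # entries per bucket, as described in the text
AGING_SECONDS = 300   # default aging timer on many platforms
FLOOD = "FLOOD"       # sentinel: frame goes out every port in the VLAN except ingress


class CamTable:
    """Bucketed MAC table: learn on source address, forward on destination address."""

    def __init__(self, buckets=BUCKETS, ways=BUCKET_WAYS, aging=AGING_SECONDS):
        self.buckets = [dict() for _ in range(buckets)]  # mac -> (port, last_seen)
        self.ways = ways
        self.aging = aging
        self.learn_failures = 0

    def _bucket(self, mac):
        # The ASIC hashes the 48-bit address to pick a bucket; SHA-1 stands in here.
        digest = hashlib.sha1(mac.encode()).digest()
        return self.buckets[int.from_bytes(digest[:4], "big") % len(self.buckets)]

    def learn(self, mac, port, now):
        bucket = self._bucket(mac)
        if mac in bucket or len(bucket) < self.ways:
            bucket[mac] = (port, now)          # new entry, or refresh of an existing one
            return True
        # Bucket full: only an aged-out entry can be replaced. A fresh bogus entry
        # cannot be displaced, which is exactly what a sustained flood relies on.
        for old_mac, (_, seen) in list(bucket.items()):
            if now - seen > self.aging:
                del bucket[old_mac]
                bucket[mac] = (port, now)
                return True
        self.learn_failures += 1
        return False

    def forward(self, src, dst, in_port, now):
        """Process one frame: learn the source, then look up the destination."""
        self.learn(src, in_port, now)
        entry = self._bucket(dst).get(dst)
        if entry is None or now - entry[1] > self.aging:
            return FLOOD                       # unknown unicast is flooded, not dropped
        return entry[0]


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def simulate(flood_frames=2000, seed=1):
    rng = random.Random(seed)
    cam = CamTable()
    # Constructed hosts: victim on port 1, server on port 2, attacker on port 3.
    victim, server, newcomer = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"
    cam.learn(victim, 1, now=0)
    cam.learn(server, 2, now=0)
    result = {"before": cam.forward(victim, server, in_port=1, now=1)}

    # Flood: frames with random source (and destination) MACs, macof style.
    for _ in range(flood_frames):
        cam.forward(random_mac(rng), random_mac(rng), in_port=3, now=1)
    result["learn_failures"] = cam.learn_failures

    # A host that plugs in during the flood is never learned, so frames to it
    # are flooded right away.
    cam.forward(newcomer, victim, in_port=4, now=2)
    result["to_newcomer"] = cam.forward(victim, newcomer, in_port=1, now=2)

    # The attacker keeps the table full past the aging time: the server's entry
    # expires, cannot be relearned, and traffic to it is now flooded as well.
    later = AGING_SECONDS + 2
    for _ in range(flood_frames):
        cam.forward(random_mac(rng), random_mac(rng), in_port=3, now=later)
    result["after_aging"] = cam.forward(victim, server, in_port=1, now=later)
    return result


if __name__ == "__main__":
    # expect before=2 (unicast to port 2), to_newcomer=FLOOD, after_aging=FLOOD
    print(simulate())
```

The point to notice is the order of events: immediately after the flood, traffic between hosts the switch already knew still flows normally; only newly connected hosts are exposed. The existing hosts become sniffable once their entries expire and the attacker's entries occupy every slot, so a real attack has to run for at least one aging period.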

Tools and Techniques

One of the primary tools for executing MAC flooding attacks is macof, part of the dsniff suite written by Dug Song. This utility generates and transmits a high volume of Ethernet frames with random source and destination MAC addresses, at rates of up to around 8,000 frames per second, to overwhelm the switch's content addressable memory (CAM) table. Vulnerable switches then fail open, flooding unknown-unicast traffic out every port and enabling passive sniffing. Alternatives include packet-crafting libraries such as Scapy, a Python-based tool for building arbitrary network packets, and Ettercap, whose rand_flood plugin floods the LAN with random MAC addresses alongside its man-in-the-middle features. Scapy lets users forge Ethernet frames with any source MAC, offering flexibility for tailored flooding scenarios beyond simple randomization. To implement a MAC flooding attack with Scapy, the attacker needs root privileges (or the CAP_NET_RAW capability) on a Linux system to open raw sockets, which hand complete frames to the network driver and bypass the kernel's IP stack. The process is to import the library, generate random MAC addresses and send Ethernet frames in a loop until the CAM table overflows. The following script illustrates basic frame generation:
from scapy.all import Ether, IP, ICMP, sendp, conf
import random

conf.verb = 0  # silence Scapy's per-frame "Sent 1 packets." output


def random_mac():
    """Random unicast MAC: clear the multicast bit so the switch learns it as a host address."""
    octets = [random.randint(0, 255) & 0xFE] + [random.randint(0, 255) for _ in range(5)]
    return ':'.join('%02x' % b for b in octets)


while True:
    # Each frame carries a fresh source MAC; the switch learns from the source
    # address alone, so the IP/ICMP payload only makes the frame look ordinary.
    pkt = Ether(src=random_mac(), dst="ff:ff:ff:ff:ff:ff") / IP() / ICMP()
    sendp(pkt, iface="eth0")
This script floods the network interface (eth0 here) with broadcast frames carrying randomized source MACs, reproducing the overload mechanism; one sendp call per frame is slow, so real tooling such as macof generates frames in C at far higher rates. Advanced techniques extend the attack's scope and stealth. Attackers often combine MAC flooding with ARP poisoning, using tools like arpspoof from the dsniff suite, so that once the switch fails open they can redirect specific traffic flows and intercept selectively. Deploying multiple virtual machines (VMs) or network interface cards (NICs) amplifies the flood rate; running macof in several VMs on one hypervisor distributes the packet generation and overwhelms virtual or physical switches more quickly. macof was written by Dug Song in the early 2000s as part of dsniff, a network auditing suite. It remains effective in 2025 against any switch on which per-port address limits (port security or an equivalent feature) have not been configured, which is common on older or default-configured hardware; MAC flooding is a configuration weakness rather than a bug that a firmware patch fixes.

Consequences

Network Behavior After Flooding

When a switch's CAM table overflows during a MAC flooding attack, it typically enters a fail-open mode in which frames for any destination it has not learned are flooded out of every port in the affected VLAN, mimicking the behavior of a hub rather than a switch. Unicast frames are replicated unnecessarily across all ports, which sharply increases traffic volume. The performance degradation is significant: bandwidth is wasted delivering unicast frames to ports that have no interest in them, reducing throughput and increasing latency for legitimate communications, and every host's NIC has to receive and discard the extra frames. If the topology contains redundant links that spanning tree has not blocked, this flooding can trigger broadcast storms in which frames circulate and multiply, potentially overwhelming the switches and causing a complete denial of service. The disruption is generally temporary, lasting until the forged entries age out of the CAM table; the default aging time on many switches, including Cisco models, is 300 seconds (5 minutes), after which legitimate addresses are relearned. A sustained or repeated flood prevents that recovery, so the performance problems persist until the attack stops. The flooded frames themselves are confined to the targeted VLAN, and routed interfaces and higher-layer protocols are not directly affected unless the attack is combined with inter-VLAN exploits. Note, however, that on most switches the CAM table is a single hardware resource shared by all VLANs (entries are keyed by VLAN and MAC), so exhausting it from one VLAN can also block learning, and therefore cause flooding, in others.

Security Vulnerabilities

When a switch's CAM table is overwhelmed during a MAC flooding attack, it fails open, flooding frames for unknown destinations to every port on the network segment and effectively turning the switch into a hub. This exposes that traffic to passive sniffing by an attacker connected to any port, allowing the capture of sensitive data such as credentials, session tokens and other data transmitted over the local area network (LAN). The primary risk is this unauthorized access to communications that the switch's learning mechanism was supposed to keep isolated. The exposure created by MAC flooding escalates the threat by serving as an entry point for more sophisticated attacks. Intercepted packets can support man-in-the-middle (MITM) interception, where the attacker relays and alters traffic between victims, or session hijacking, enabling the takeover of active user sessions. Captured credentials can then be replayed to gain access to hosts and services on the network. Unencrypted protocols are particularly susceptible, as their plaintext payloads become fully readable during the flood: HTTP for web traffic and FTP for file transfers carry usernames, passwords and file contents in the clear. Even encrypted protocols such as HTTPS or SSH reveal metadata, including source and destination IP addresses, MAC addresses and traffic patterns, that can aid in profiling network users or planning subsequent attacks. In practice, MAC flooding remains a notable vulnerability in legacy or misconfigured enterprise networks where switches are deployed without port security or equivalent controls.

Mitigation Strategies

Switch Configuration Protections

Switch configuration protections against MAC flooding primarily involve features that directly limit abuse of the content addressable memory (CAM) table on Ethernet switches, preventing attackers from filling it with fabricated MAC addresses. The key mechanism is port security, which restricts the number of MAC addresses that can be learned on a specific port, so that a single port can contribute at most a handful of entries to the table. Administrators typically configure a maximum of 1 to 5 MAC addresses per port depending on the expected devices, such as a single address for a stationary workstation or two or three for an IP phone with a PC behind it. Sticky learning retains dynamically learned addresses in the running configuration (and in the startup configuration once saved), so that only the addresses already seen remain permitted without manual entry. On a violation, such as a frame from an address beyond the limit, the switch can take one of three actions: protect, which silently drops the offending frames; restrict, which drops them, increments a violation counter and logs the event while legitimate traffic continues; or shutdown, which error-disables the interface until an administrator (or errdisable recovery) re-enables it. In Cisco IOS this is configured on an access port with switchport port-security to enable the feature, switchport port-security maximum 1 to set the limit and switchport port-security violation restrict to define the response; setting a maximum without enabling port security has no effect. Port security belongs on access ports, not on trunks or uplinks that legitimately carry many addresses.

Storm control is a complementary measure that throttles excessive incoming traffic per port. It monitors broadcast, multicast and unicast traffic and suppresses it when it exceeds a configured threshold, typically set at 10-50% of the port's bandwidth to balance security and performance. Cisco's implementation uses commands like storm-control broadcast level 5.00, which drops frames exceeding the percentage over a one-second interval and resumes forwarding when the rate falls back below the threshold. Its value against MAC flooding depends on which traffic classes are policed: macof sends frames to random unicast destinations, which the switch treats as unknown unicast, so a broadcast-only threshold does not slow them, whereas a unicast threshold (storm-control unicast level) caps the rate at which a port can inject frames and therefore the rate at which bogus addresses are learned. Storm control limits the damage from a burst; it does not stop a slower, sustained fill the way port security does.

VLAN segmentation further enhances switch-level defenses by isolating traffic into separate broadcast domains, confining the flooded frames from any one attack to the ports in that VLAN and reducing the overall exposure. By assigning devices to appropriate VLANs, switches scope flooding per VLAN, so hosts in other VLANs do not see the flooded traffic. Private VLANs (PVLANs) add granularity within a VLAN by using primary and secondary associations, such as isolated or community ports, to block direct inter-port communication, which limits the spread of flooded frames among untrusted devices. This isolation is particularly useful in shared environments like data centers, where it limits the impact of MAC table abuse without a full network redesign. Because the MAC table itself is usually shared across VLANs, segmentation reduces who can see the flooded frames but does not by itself prevent table exhaustion; per-port limits remain the primary control.
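As an added example (not code from the original page or from Cisco), the following Python model shows what port security changes about the attack: the same flood of fabricated source addresses is run against an unprotected port and against ports configured with a maximum of 1 in each of the three violation modes. The class is a behavioural model of the feature, not switch code, and its semantics are an assumption based on the IOS behaviour described in the text; ios_config simply renders the IOS interface commands named above; the victim and attacker addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    """Behavioural model of per-port MAC limits (assumption: mirrors IOS semantics)."""
    maximum: int = 1
    violation: str = "shutdown"      # "protect", "restrict" or "shutdown"
    sticky: bool = False
    learned: set = field(default_factory=set)
    secure: set = field(default_factory=set)   # sticky addresses, kept across reloads
    err_disabled: bool = False
    violations: int = 0
    log: list = field(default_factory=list)

    def ingress(self, src_mac):
        """Return True if the frame reaches the CAM table, False if port security stops it."""
        if self.err_disabled:
            return False                       # err-disabled port passes nothing
        if src_mac in self.learned or src_mac in self.secure:
            return True
        if len(self.learned | self.secure) < self.maximum:
            self.learned.add(src_mac)
            if self.sticky:
                self.secure.add(src_mac)       # survives a reload once config is saved
            return True
        # Over the limit: the address is never learned, whatever the mode.
        self.violations += 1
        if self.violation == "protect":
            return False                       # silent drop, nothing for the admin to see
        if self.violation == "restrict":
            self.log.append(f"PSECURE_VIOLATION src={src_mac}")   # drop and log
            return False
        self.err_disabled = True               # shutdown: whole port goes err-disabled
        self.log.append(f"port err-disabled, caused by {src_mac}")
        return False


def ios_config(interface, maximum=1, violation="restrict", sticky=True):
    """Render the IOS access-port commands from the text for one interface."""
    lines = [
        f"interface {interface}",
        " switchport mode access",
        " switchport port-security",
        f" switchport port-security maximum {maximum}",
        f" switchport port-security violation {violation}",
    ]
    if sticky:
        lines.append(" switchport port-security mac-address sticky")
    return "\n".join(lines)


def flood_against_modes(attack_frames=500):
    """Run one legitimate host plus a macof-style flood through each port configuration."""
    legit = "aa:bb:cc:00:00:01"                # constructed host behind the port
    bogus = [f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}" for i in range(attack_frames)]
    ports = {
        "no_port_security": PortSecurity(maximum=10**9, violation="protect"),
        "protect": PortSecurity(maximum=1, violation="protect"),
        "restrict": PortSecurity(maximum=1, violation="restrict", sticky=True),
        "shutdown": PortSecurity(maximum=1, violation="shutdown"),
    }
    results = {}
    for name, port in ports.items():
        port.ingress(legit)                    # the real host comes up first
        admitted = sum(port.ingress(mac) for mac in bogus)
        results[name] = {
            "bogus_learned": admitted,
            "legit_still_works": port.ingress(legit),
            "err_disabled": port.err_disabled,
            "logged": len(port.log),
        }
    return results


if __name__ == "__main__":
    print(ios_config("GigabitEthernet0/1"))
    for name, outcome in flood_against_modes().items():
        print(name, outcome)
```

Without port security all 500 bogus addresses reach the table; with it, none do in any mode. The modes differ in what happens to the legitimate host: protect and restrict keep it working (restrict additionally leaves a log line per violation, which is what a monitoring system should key on), while shutdown takes the whole port down, so the attacker also gets a denial of service against whoever shares that port. That is why shutdown is usually paired with errdisable recovery, and why a phone-plus-PC port needs a maximum above 1.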

Network-Level Defenses

Dynamic ARP Inspection (DAI) is a protocol-based security feature that validates Address Resolution Protocol (ARP) packets on untrusted ports by cross-referencing them against a trusted binding database, typically built by DHCP snooping, to ensure legitimate IP-to-MAC mappings. It blocks forged ARP replies that an attacker would send to exploit the indiscriminate forwarding caused by a successful MAC flood, preventing the ARP poisoning and man-in-the-middle intrusions that usually follow. DAI intercepts ARP requests and replies, drops invalid ones and logs violations. It does not stop the flood itself or the passive sniffing it enables; it closes off the active follow-on attacks. DHCP snooping complements DAI by monitoring DHCP traffic to build a binding table of valid client MAC addresses, IP addresses, ports and VLANs, dropping DHCP server messages (offers and acknowledgments) that arrive on untrusted ports and, optionally, rate-limiting DHCP messages there. That table is the authoritative source for DAI validation, so packets with mismatched or spoofed IP-MAC bindings are discarded. The rate limit also blunts DHCP starvation attacks, in which a flood of requests with fabricated client addresses exhausts the address pool and, when each request also uses a different source MAC, fills the switch's MAC table as a side effect. Network-based intrusion detection systems (IDS) such as Snort can detect MAC flooding by watching for anomalous patterns: a high rate of distinct source MAC addresses on one port, excessive frame volumes, or repeated port-security violation messages in switch syslog. Rule-based engines match such signatures and raise alerts when the rate of new addresses exceeds a baseline. In an enterprise environment, IDS sensors at strategic points enable real-time detection so that administrators can isolate the affected segment before widespread disruption.

Recent work includes machine learning-based IDS, such as BCAST IDS, which detect broadcast-related anomalies indicative of MAC flooding with high accuracy in environments like connected vehicles. Adopting best practices such as VLANs and firewalls limits the blast radius of a MAC flooding attack by confining broadcast domains and enforcing inter-segment controls, reducing the potential for lateral movement or amplified flooding. Transport-layer encryption such as TLS further mitigates the risk by protecting payloads, so that intercepted traffic remains unreadable even when a flooded switch reverts to hub-like behaviour and enables sniffing.
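As an added example of the detection logic described above (not code from the original page, from Snort or from any vendor), here is a small Python detector that runs over a constructed stream of frame observations and a few constructed syslog lines. The detector counts distinct source MAC addresses per ingress port within a sliding window and alerts when the count passes a threshold that no single host should reach; a second function counts offending addresses per port from port-security violation messages. The window, threshold, port names and sample lines (written in the shape of the IOS PSECURE_VIOLATION message) are all assumptions.

```python
import re
from collections import defaultdict

# Constructed syslog lines in the shape of the IOS port-security violation message.
SAMPLE_SYSLOG = """\
Jan  5 10:22:31.004: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0200.0000.0001 on port GigabitEthernet0/3.
Jan  5 10:22:31.005: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0200.0000.0002 on port GigabitEthernet0/3.
Jan  5 10:22:31.006: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0200.0000.0003 on port GigabitEthernet0/3.
Jan  5 10:22:40.100: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
""".splitlines()

PSECURE_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>[\w/]+)"
)


def parse_violations(lines):
    """Count distinct offending MACs per port from port-security syslog lines."""
    per_port = defaultdict(set)
    for line in lines:
        m = PSECURE_RE.search(line)
        if m:
            per_port[m["port"]].add(m["mac"])
    return {port: len(macs) for port, macs in per_port.items()}


class UniqueSourceDetector:
    """Alert when one port shows more distinct source MACs in a window than a host should."""

    def __init__(self, window_seconds=1.0, threshold=50):
        self.window = window_seconds
        self.threshold = threshold
        self.seen = defaultdict(dict)      # port -> {mac: last_seen}
        self.alerted = set()

    def observe(self, ts, port, src_mac):
        """Feed one frame; return True the first time the port crosses the threshold."""
        macs = self.seen[port]
        macs[src_mac] = ts
        for stale in [m for m, t in macs.items() if ts - t > self.window]:
            del macs[stale]                # forget addresses outside the window
        if len(macs) > self.threshold and port not in self.alerted:
            self.alerted.add(port)
            return True
        return False


def demo():
    """Constructed traffic: two chatty hosts on Gi0/1 and a macof-style flood on Gi0/3."""
    frames = []
    hosts = ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"]
    for i in range(200):
        frames.append((i * 0.01, "Gi0/1", hosts[i % 2]))
    for i in range(200):                   # 200 distinct sources inside 0.2 s
        frames.append((i * 0.001, "Gi0/3", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"))
    frames.sort()
    det = UniqueSourceDetector(window_seconds=1.0, threshold=50)
    return sorted(port for ts, port, mac in frames if det.observe(ts, port, mac))


if __name__ == "__main__":
    print(parse_violations(SAMPLE_SYSLOG))   # {'GigabitEthernet0/3': 3}
    print(demo())                            # ['Gi0/3']
```

The two signals complement each other: the syslog parser only works where port security is already configured (and then the flood has already been stopped), while the per-port unique-source count works from a SPAN feed or sFlow-style samples on switches that have no port security at all, which is exactly where the attack succeeds. In the sample, the busy-but-normal port never exceeds two addresses, whereas the flooded port trips the threshold within its first 51 frames.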