Securing a Cisco switch
In computer networking, a media access control attack or MAC flooding is a technique employed to compromise the security of network switches.
The attack works by forcing legitimate MAC table contents out of the switch and forcing a unicast flooding behavior, potentially sending sensitive information to portions of the network where it is not normally intended to go.
Switches maintain a MAC table that maps individual MAC addresses on the network to the physical ports on the switch.
This allows the switch to direct data out of the physical port where the recipient is located, as opposed to indiscriminately broadcasting the data out of all ports as an Ethernet hub does.
The advantage of this method is that data is bridged exclusively to the network segment containing the computer that the data is specifically destined for.
In a typical MAC flooding attack, a switch is fed many Ethernet frames, each containing a different source MAC address, by the attacker.
The intention is to consume the limited memory set aside in the switch to store the MAC address table.
The effect of this attack may vary across implementations; however, the desired effect (by the attacker) is to force legitimate MAC addresses out of the MAC address table, causing significant quantities of incoming frames to be flooded out on all ports.
It is from this flooding behavior that the MAC flooding attack gets its name.
After launching a successful MAC flooding attack, a malicious user can use a packet analyzer to capture sensitive data being transmitted between other computers, which would not be accessible were the switch operating normally.
The attacker may also follow up with an ARP spoofing attack which will allow them to retain access to privileged data after switches recover from the initial MAC flooding attack.
MAC flooding is also sometimes described as a rudimentary VLAN hopping attack, although on a correctly configured switch the unknown-unicast flooding it provokes stays within the VLAN the frame arrived on.
To prevent MAC flooding attacks, network operators usually rely on the presence of one or more features in their network equipment.
With a feature often called "port security" by vendors, many advanced switches can be configured to limit the number of MAC addresses that can be learned on ports connected to end stations.
A smaller table of secure MAC addresses is maintained in addition to (and as a subset of) the conventional MAC address table; once the per-port limit is reached, frames from further source addresses are dropped or the port is shut down, depending on the configured violation action.
Many vendors allow discovered MAC addresses to be authenticated against an authentication, authorization and accounting (AAA) server and subsequently filtered.
Implementations of IEEE 802.1X suites often allow packet filtering rules to be installed explicitly by an AAA server based on dynamically learned information about clients, including the MAC address.
Security features to prevent ARP spoofing or IP address spoofing in some cases may also perform additional MAC address filtering on unicast packets; however, this is an implementation-dependent side-effect.
Additional security measures are sometimes applied along with the above to prevent normal unicast flooding for unknown MAC addresses.
This feature usually relies on the "port security" feature to retain all secure MAC addresses for at least as long as they remain in the ARP table of layer 3 devices.
Hence, the aging time of learned secure MAC addresses is separately adjustable.
This feature prevents packets from flooding under normal operational circumstances, as well as mitigating the effects of a MAC flood attack.
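The behaviour described above, as a toy model added here for illustration (not code from the original article or from any switch vendor): a Python switch with a bounded MAC table that evicts its oldest entry when full, run once without and once with a port-security limit of one secure MAC per access port in "shutdown" violation mode. The MAC addresses, port numbers and table size are invented for the example; real switches differ in what they do when the table fills (some stop learning instead of evicting), as the text notes.

```python
"""Toy model of a switch MAC table under MAC flooding, with and without port security.

Added example: not code from the original article or from any switch vendor.
MAC addresses, port numbers and the table size are invented for the illustration.
"""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Frame:
    src: str       # source MAC
    dst: str       # destination MAC
    ingress: int   # switch port the frame arrived on


class Switch:
    def __init__(self, ports: int, table_size: int, max_secure: Optional[int] = None):
        self.ports = ports
        self.table_size = table_size                  # capacity of the MAC table
        self.max_secure = max_secure                  # port-security limit per port, None = disabled
        self.table: "OrderedDict[str, int]" = OrderedDict()  # MAC -> port, oldest entry first
        self.disabled: Set[int] = set()               # ports put in err-disabled state
        self.violations: List[Tuple[int, str]] = []   # (port, offending MAC)

    def _learn(self, frame: Frame) -> bool:
        """Record the frame's source MAC. Returns False if port security rejected the frame."""
        if self.max_secure is not None:
            on_port = {m for m, p in self.table.items() if p == frame.ingress}
            if frame.src not in on_port and len(on_port) >= self.max_secure:
                # violation mode "shutdown": err-disable the port and drop the frame
                self.disabled.add(frame.ingress)
                self.violations.append((frame.ingress, frame.src))
                return False
        if frame.src in self.table:
            self.table.move_to_end(frame.src)       # refresh: most recently seen goes to the end
        elif len(self.table) >= self.table_size:
            self.table.popitem(last=False)          # table full: evict the oldest entry (one possible model)
        self.table[frame.src] = frame.ingress
        return True

    def forward(self, frame: Frame) -> Set[int]:
        """Return the set of egress ports. Unknown destination -> unknown-unicast flood."""
        if frame.ingress in self.disabled or not self._learn(frame):
            return set()
        port = self.table.get(frame.dst)
        if port is None:
            return {p for p in range(self.ports) if p != frame.ingress and p not in self.disabled}
        return {port} if port != frame.ingress else set()


def run_scenario(port_security: bool) -> Dict[str, object]:
    """Victim on port 0, server on port 1, attacker on port 2; the table holds 8 entries."""
    sw = Switch(ports=4, table_size=8, max_secure=1 if port_security else None)
    victim, server = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"
    sw.forward(Frame(victim, server, 0))            # normal traffic populates the table
    sw.forward(Frame(server, victim, 1))
    for i in range(1000):                           # flood: 1000 frames, each with a fresh source MAC
        bogus = f"02:00:00:{(i >> 16) & 0xff:02x}:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"
        sw.forward(Frame(bogus, "ff:ff:ff:ff:ff:ff", 2))
    egress = sw.forward(Frame(server, victim, 1))   # server answers the victim: where does it go?
    return {
        "egress": egress,
        "attacker_sees_it": 2 in egress,
        "victim_still_in_table": victim in sw.table,
        "attacker_port_disabled": 2 in sw.disabled,
        "violations": len(sw.violations),
    }


if __name__ == "__main__":
    print("no port security:", run_scenario(False))
    print("port security   :", run_scenario(True))
```

Without port security the victim's entry is evicted by the bogus addresses and the server's reply is flooded to every other port, including the attacker's; with the limit in place the attacker's second bogus source address triggers a violation, the port is err-disabled and the reply goes only to the victim's port. On Cisco IOS the corresponding per-interface settings are `switchport port-security`, `switchport port-security maximum <n>` and `switchport port-security violation shutdown`; other vendors expose the same control under different names.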
MAC flooding is an attack in which the attacker floods a switch with frames carrying spoofed source MAC addresses, overwhelming the switch's MAC address table (also called the CAM table; this is not the ARP table, which lives on layer 3 hosts and routers). Once legitimate entries have been pushed out, the switch falls back to flooding unknown-unicast frames out every port in the VLAN, a state sometimes called "fail-open mode", so the attacker's port receives traffic meant for other stations and can capture it. Modifying that traffic requires a follow-up attack such as ARP spoofing, and the volume of flooded frames can also degrade service to the point of a denial of service.
In computer networking, saturation of the learning table (MAC flooding) is a technique used to compromise the security of network switches.
Switches maintain a learning table that maps the Ethernet MAC addresses of connected devices to the switch's physical ports.
This allows the switch to send Ethernet frames directly to the machines they are addressed to.
To do so, the switch looks at the frame's destination address and looks up the corresponding port in the learning table.
This targeted forwarding contrasts with the blind broadcasting performed by hubs, which send every frame out all ports whether or not the recipient is connected there.
During the learning process, the switch learns the MAC addresses associated with each port by looking at the source addresses of the frames that pass through it.
In a saturation attack, the attacker sends many Ethernet frames to the switch, each with a different source MAC address.
The goal is to fill the necessarily limited memory that the switch sets aside for the learning table.
The effect of this attack varies with the make and model of the switch.
The effect the attacker wants is nevertheless that the switch starts sending frames out all ports, including to the attacker, who can then eavesdrop on exchanges that do not concern them.
Legitimate addresses may indeed be evicted from the learning table when it saturates, or new legitimate addresses may no longer be learned.
The following measures aim to prevent learning-table saturation attacks.
Switch manufacturers may provide a feature often called "port security", which limits the number of addresses that can be learned on ports connected to computers.
MAC addresses learned by the switch can be checked against a centralized AAA authentication server.
ARP spoofing: another layer 2 technique that lets an attacker read frames not addressed to them.
To understand MAC flooding, think of a switch as a traffic controller directing cars (frames) to their destinations based on licence plates (MAC addresses). When an attacker floods the switch with frames carrying fabricated source addresses, the MAC address table fills up and legitimate entries are pushed out. For destinations it no longer knows, the switch falls back to flooding frames out every port in the VLAN instead of the single port where the recipient sits. In this state, sometimes called "fail-open mode", an attacker on any port in the VLAN can capture traffic meant for other stations and use it to stage follow-on attacks such as ARP spoofing.
MAC flooding is a significant risk in unprotected networks, especially where older or unmanaged switches are in use. By forcing a switch into this flooding state, an attacker can eavesdrop on private communications or disrupt operations; for a business this can mean exposure of sensitive data or interruption of critical services. Switches with port security mitigate the attack, but many legacy and unmanaged devices offer no such control, so preventive configuration and monitoring for abnormal activity (in particular a port that suddenly learns many new MAC addresses) remain essential.
Once the table has overflowed, an attacker can use a packet analyzer such as Wireshark to capture and analyze sensitive data that the switch is now flooding to their port. The flood itself degrades the network, since every station in the VLAN must receive and discard frames not meant for it, and the switch's own resources are consumed by the churn of table entries. Many older switches lack any safeguard against this, making them an easy target. Ethical hackers reproduce MAC flooding under controlled conditions to verify that port security and monitoring actually work.
MAC flooding is an effective yet damaging attack technique. By exploiting the bounded size of a switch's MAC address table rather than any software flaw, attackers can disrupt operations, intercept data, or stage more complex attacks. Recognizing the method and applying preventive measures like port security and network monitoring is vital to maintaining a secure and functional network.
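The monitoring the preceding paragraphs call for, as an added example (not code from the original page): a Python detector that runs over per-port frame observations, such as those exported from a SPAN session or a flow collector, and raises an alert when a single port learns more than a threshold of previously unseen source MAC addresses within a short window, which is exactly the signature the attack produces. Port names, MAC addresses, timings, the 10-second window and the threshold of 50 are constructed for the example; the uplink exclusion exists because trunk and hypervisor-facing ports legitimately carry many MACs and would otherwise be false positives.

```python
"""Detect the MAC flooding signature in per-port frame observations.

Added example, not code from the original page. Signal: a burst of many
previously unseen source MACs arriving on a single port within a short window.
Port names, MAC addresses and timings below are constructed sample data.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, NamedTuple, Set


class Observation(NamedTuple):
    t: float        # seconds since capture start
    port: str       # ingress interface
    src_mac: str    # source MAC of the frame


def detect_mac_floods(observations: Iterable[Observation], window: float = 10.0,
                      threshold: int = 50, uplink_ports: Iterable[str] = ()) -> List[dict]:
    """Return one alert per port whose count of new source MACs within `window`
    seconds exceeds `threshold`. Uplink/trunk and hypervisor-facing ports legitimately
    carry many MACs, so they are excluded by name rather than alerted on."""
    uplinks = set(uplink_ports)
    seen: Dict[str, Set[str]] = defaultdict(set)           # port -> MACs observed so far
    recent: Dict[str, Deque[float]] = defaultdict(deque)   # port -> timestamps of new-MAC events
    alerts: List[dict] = []
    alerted: Set[str] = set()
    for obs in sorted(observations, key=lambda o: o.t):
        if obs.port in uplinks or obs.src_mac in seen[obs.port]:
            continue                                       # repeat MAC: not a learning event
        seen[obs.port].add(obs.src_mac)
        q = recent[obs.port]
        q.append(obs.t)
        while q and q[0] < obs.t - window:                 # drop events older than the window
            q.popleft()
        if len(q) > threshold and obs.port not in alerted:
            alerted.add(obs.port)
            alerts.append({"port": obs.port, "t": obs.t, "new_macs_in_window": len(q)})
    return alerts


def constructed_sample() -> List[Observation]:
    """Constructed capture: one quiet workstation, one busy uplink, one flooding attacker."""
    sample: List[Observation] = []
    # Gi1/0/5: a single workstation, one frame per second for a minute
    sample += [Observation(float(t), "Gi1/0/5", "aa:aa:aa:00:00:01") for t in range(60)]
    # Gi1/0/48: uplink to another switch, 300 distinct MACs is normal here
    sample += [Observation(1.0 + i * 0.01, "Gi1/0/48", f"bb:bb:bb:00:{i >> 8:02x}:{i & 0xff:02x}")
               for i in range(300)]
    # Gi1/0/7: attacker starts at t=20 and sends 200 frames with distinct source MACs in 2 s
    sample += [Observation(20.0 + i * 0.01, "Gi1/0/7", f"02:de:ad:00:{i >> 8:02x}:{i & 0xff:02x}")
               for i in range(200)]
    return sample


if __name__ == "__main__":
    for alert in detect_mac_floods(constructed_sample(), uplink_ports={"Gi1/0/48"}):
        print(f"possible MAC flood on {alert['port']} at t={alert['t']:.2f}s: "
              f"{alert['new_macs_in_window']} new source MACs within the window")
```

The alert fires on the 51st new address seen on Gi1/0/7, half a second into the constructed flood, while the workstation port never comes close to the threshold. Without the uplink exclusion the trunk port would alert as well, which is the usual tuning problem with this heuristic: the threshold has to reflect how many stations a port is supposed to serve, which is the same question port security's per-port maximum answers on the switch itself.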