CompTIA Security+ Exam Notes


Friday, September 5, 2025

MAC Flooding Attacks: How They Work and How to Prevent Them

MAC Flooding

MAC flooding is a type of network attack that targets switches in a local area network (LAN). It aims to overwhelm the switch’s MAC address table, causing it to behave like a hub and broadcast traffic to all ports, which can lead to data interception and network degradation.

Understanding How Switches Work
  • Switches maintain a MAC address table (also called a CAM table) that maps MAC addresses to specific ports.
  • When a frame arrives, the switch checks the destination MAC address and forwards it only to the correct port.
  • Because a unicast frame is delivered only to its destination port rather than repeated to every port, switches are both more efficient and harder to eavesdrop on than hubs.
What Is MAC Flooding?

MAC flooding involves sending a large number of frames, each with a different fake or random source MAC address, to a switch. The goal is to fill the MAC address table so that the switch can no longer learn new (legitimate) addresses.

When the table is full:
  • The switch enters a fail-open mode.
  • Frames for destinations it can no longer look up are flooded out of every port, as a hub would do.
  • This allows an attacker connected to any port to capture traffic not meant for them using tools like Wireshark.
Goals of MAC Flooding
1. Data Interception
  • Gain access to sensitive data by forcing the switch to broadcast.
2. Network Disruption
  • Overload the switch, causing performance issues.
3. Preparation for Further Attacks
  • Set the stage for Man-in-the-Middle (MitM) or session hijacking.
How It’s Done
Attackers use tools like:
  • macof (part of the dsniff suite)
  • Yersinia
  • Scapy (Python-based packet crafting)
These tools generate thousands of frames with spoofed MAC addresses rapidly.

Detection and Prevention

Detection
  • Unusual traffic patterns or a high volume of MAC address changes.
  • Switch logs show frequent MAC table updates.
  • IDS/IPS systems detect abnormal behavior.
Prevention
1. Port Security
  • Limit the number of MAC addresses per port.
  • Configure sticky MAC addresses.
2. MAC Address Table Aging
  • Adjust the aging time to reduce the vulnerability window.
3. 802.1X Authentication
  • Authenticate devices before allowing network access.
4. VLAN Segmentation
  • Isolate sensitive devices from general access.
5. Monitoring Tools
  • Use SNMP, NetFlow, or security appliances to monitor switch behavior.
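To show why a full MAC table exposes traffic and why a per-port address limit (Port Security, item 1 above) stops it, here is an added toy model of a learning switch; it is not from the post and not any vendor's code, and all MAC addresses and port numbers are constructed. A real switch loses the server's entry through aging rather than never learning it, but the outcome is the same: once the table is full, the client's frame to the server is flooded out of every port, including the one the bogus addresses came from.

```python
from collections import OrderedDict

FLOOD = "FLOOD"  # frame leaves every port except the one it arrived on


class Switch:
    """Toy learning switch: bounded MAC (CAM) table plus an optional per-port
    address limit standing in for port security (violation mode: shutdown)."""

    def __init__(self, cam_size, max_macs_per_port=None):
        self.cam = OrderedDict()                    # src MAC -> learned port
        self.cam_size = cam_size                    # entries the table can hold
        self.max_macs_per_port = max_macs_per_port  # None = port security off
        self.err_disabled = set()                   # ports shut down by a violation

    def learn(self, src_mac, port):
        """Learn src_mac on port; return False if the frame must be dropped."""
        if port in self.err_disabled:
            return False
        if self.max_macs_per_port is not None and src_mac not in self.cam:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs_per_port:
                self.err_disabled.add(port)         # limit exceeded: shut the port
                return False
        if src_mac in self.cam or len(self.cam) < self.cam_size:
            self.cam[src_mac] = port
        # Table full and MAC unknown: the address is simply not learned.
        return True

    def forward(self, src_mac, dst_mac, in_port):
        """Return the egress port, FLOOD for an unknown destination, or None if dropped."""
        if not self.learn(src_mac, in_port):
            return None
        out = self.cam.get(dst_mac)
        return FLOOD if out is None else out


# Constructed addresses: a server on port 1, a client on port 2, and a host on
# port 3 that sends frames from many different source MACs.
SERVER, CLIENT = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
BOGUS = [f"02:00:00:00:00:{i:02x}" for i in range(8)]


def run(max_macs_per_port=None):
    """Return (where the client's frame to the server went, port 3 shut down?)."""
    sw = Switch(cam_size=4, max_macs_per_port=max_macs_per_port)
    for mac in BOGUS:                   # port 3 fills the table first
        sw.forward(mac, CLIENT, 3)
    sw.forward(SERVER, CLIENT, 1)       # cannot be learned once the table is full
    return sw.forward(CLIENT, SERVER, 2), 3 in sw.err_disabled
```

`run()` returns `("FLOOD", False)`: with no per-port limit the client's frame is flooded and port 3 stays up, while `run(max_macs_per_port=2)` returns `(1, True)`: the third new address on port 3 shuts that port, the table keeps room for the real hosts, and the frame goes only to port 1.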
