An attacker can sometimes convince a switch to send information to places it normally wouldn’t. In this video, you’ll learn how MAC flooding can be used to turn a switch into a hub.
In a computer, the MAC address is the Media Access Control address. This is the hardware address of the ethernet adapter that’s inside of your device. This is a unique address, which means you should be the only one who has this particular MAC address. So this allows us to send information specifically to your device and no one else’s.
The format of a MAC address is 48 bits long or 6 bytes long, and it’s normally displayed as hexadecimal. For example, this is a normal MAC address, 8 Charlie, 2 delta, alpha alpha, 4 bravo, 98, alpha 7. And you can see that we’re separating each one of these bytes with colons, periods, or some other delimiter.
The first three bytes of the MAC address are called the Organizationally Unique Identifier, or OUI. This is effectively the manufacturer of this particular network adapter. The last three bytes of the MAC address are the network interface controller-specific value, or what is effectively the serial number of this particular network interface card. So a manufacturer that creates network interface cards will always use those first three bytes that are specific to the manufacturer, and they’ll change the last three bytes of the MAC address for every adapter card that they manufacture.
This value is stored in the ROM or Read-Only Memory of this network adapter, and we often refer to this as the burned-in address. As we’ve mentioned before in this course, the ethernet switching process uses this MAC address to determine where information should be forwarded. The switch is constantly building a big table of MAC addresses that it sees on the network, and it keeps track of not only what MAC addresses are on the network but what interface on the switch should be used to communicate to that MAC address.
This list is created based on the source MAC addresses that are inbound to the switch. And this is only a temporary table. Switches often cache this information for a limited amount of time. So it may learn of a MAC address and store that information in the table, but about five minutes later, it is discarding that MAC address and would have to relearn that address to know where that device happens to be.
These MAC addresses might also be used by other tasks on our network. For example, Spanning Tree Protocol, or STP, uses these MAC addresses to maintain the uptime of our network and avoid any loops on the switch network.
Let’s look at more detail about this learning process and how this MAC address table is created. As we mentioned earlier, the switch is going to examine all inbound traffic and look at the source MAC address associated with the frame. If that source MAC address is unknown to the switch, it will add that source MAC address to a table and keep track of all of the inbound source MAC addresses that it happens to see.
Let’s take a scenario where Sam is going to send information on this network. Sam’s MAC address is 1000:1111:1111. So that will be the source MAC address that’s sent over this network. In this particular case, the destination MAC address is 1000:5555:5555, which also happens to be the MAC address of the SGC server.
Sam starts by sending this information to the switch. This switch’s MAC address table is currently empty, so this frame coming through with this source MAC from Sam’s machine will be something the switch has not seen before, and so it needs to add that to the table. So it will take note of the source MAC address, and it will add that source MAC address to the table. It will also make a note of the interface that this frame was received on. In this case, the interface is F0/1, and that is also added to the MAC address table.
Now that this information is in the MAC address table, any inbound frames to this switch that have a destination of 1000:1111:1111 will be sent out switch interface F0/1. So if the SGC server is now going to send a frame to Sam’s workstation, it will have a source MAC address of 1000:5555:5555, because that is the MAC address of the SGC server, and it’s sending it to the destination MAC address of Sam’s workstation.
Since this source MAC address is also not known by the switch, it will make a note of that MAC address and then send that frame over to Sam’s workstation. So now we have a complete MAC address table, and any inbound traffic that has a destination to either of these MAC addresses will be forwarded out the appropriate output interface.
Most switches have a number of different devices connected to them. And once you have these devices plugged in and information starts to flow, the MAC address table will become populated. You can see this one has five different devices connected to this switch. All five MAC addresses have been learned by this switch, and we have all the output interfaces defined for each of those MAC addresses.
Let’s see what happens when information is sent from Sam’s workstation. We have a frame that has a destination MAC address of 1000:5555:5555. That’s forwarded to our switch. The switch is then going to refer to the MAC address table to see if that destination MAC address is in the table. And in this case, it certainly is. And you can see that the output interface for that MAC address is F0/5. The switch now knows to send that frame out that particular interface, where it will be received by the device with that destination. MAC address.
Notice that the conversation was direct between Sam and the SGC server. Although there are three other devices that are connected to this switch, that frame was not sent to any of those devices, because the switch is able to direct that traffic based on the destination MAC address.
One challenge with these MAC address tables is that they are only so big. There’s only a certain amount of space allocated to store MAC addresses on any particular switch, and you should be able to look at the specifications for your switch to see how many MAC addresses could be stored in that table at any particular time.
So if an attacker would like to take advantage of MAC flooding, they will send many, many frames to this switch, all with different source MAC addresses. This is going to quickly fill up that very limited space that’s available for our MAC address table. This is going to take advantage of a process that is normal to the switch where if a destination MAC address is not found in the MAC address table, that particular frame is forwarded to every interface on that particular switch.
This means if we fill up the MAC address table with random MAC addresses and we send any traffic into that switch, all of that traffic is going to be automatically forwarded to every other interface on that switch. We now no longer have this directed conversation from one interface to another interface on the switch. We’ve now effectively turned this switch into a hub where every inbound frame into the switch is automatically forwarded to every other interface that happens to be on that switch.
This is the normal process for any switch so that you can always guarantee that traffic will always make its way to its destination. The attacker’s taking advantage of that normal process so that they can now capture all traffic that is being sent to this switch, even if that traffic was not originally destined for the attacker’s workstation.
Fortunately, many modern switches have port security configurations where they can limit how much flooding can occur from any particular interface on that switch. So although you could still possibly flood the network by filling up the MAC address table, with the port security settings enabled, it now becomes much more difficult to fill up that table to begin with.