Saturday, November 26, 2011

MAC flooding with macof

macof can flood a switch with random MAC addresses. This is called MAC flooding. This fills in the switch's CAM table, thus new MAC addresses can not be saved, and the switch starts to send all packets to all ports, so it starts to act as a hub, and thus we can monitor all traffic passing through it.

The tool can be started from the command line. Below we can see its options, which are not that many.

root@bt:~# macof -h
Version: 2.4
Usage: macof [-s src] [-d dst] [-e tha] [-x sport] [-y dport]
[-i interface] [-n times]

Example (Generating 10 packets on the eth1 interface):

root@bt:~# macof -i eth1 -n 10


We can protect our network against this kind of attack with port security, which limits the number of MAC addresses on an interface. This looks somehow like this on Cisco switches:

switch(config)# interface fastethernet 1/1
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security maximum 1
switch(config-if)# switchport port-security mac-address [mac_addres]

There are still a few other options for this command, but the configuration above, will tell the switch to allow only a single MAC address: the one we set.

No comments: