What is MAC flooding?
MAC flooding takes advantage of how switches handle media access control (MAC) addresses. Every network interface has a MAC address, a unique hardware identifier used to tell that device apart from the others on a network. When data is sent between devices on a local network, it passes through a device called a switch. The switch operates as a kind of sorting office, receiving data packets and passing them on to the right device on its network.
A switch also maintains a forwarding table (often called a CAM table), in essence an address book that matches MAC addresses to network ports. When it receives a data packet with a source MAC address it has not seen before, it saves that address to its forwarding table, linking it to the port the packet arrived on.
In a MAC flooding attack, the attacker floods the switch with fake data packets, each carrying a different forged source MAC address. The switch automatically adds each new address to its table until the table fills up and can no longer learn any more MAC addresses.
At this point, the switch enters a state often called “fail-open mode”: any data packet addressed to a MAC address that is not in the table is sent out of every port (and to every device) on its network, much as a simple hub would do. In short, the hacker disables the address book function, and the switch, still determined to deliver the packets, just disseminates them to the whole network. Since the hacker is connected to the network, they can view everyone else’s data.
How to detect a MAC flooding attack
No single sign can confirm that your network is being targeted with a MAC flooding attack. The best option for detecting MAC flooding attacks is to monitor your network traffic for anomalous behavior.
If, for example, you notice a sudden surge in network traffic or a dramatic reduction in speed, that could be the result of the switch’s MAC address table being overloaded. In the event of a successful flooding attack, you may notice data being sent to your device that should have been passed to another device on your network.
Since detecting a MAC flooding attack is not always easy, you should focus on prevention techniques to make sure it doesn’t happen in the first place.
MAC flooding prevention techniques
Use the following tips to lower the chances of a MAC flooding attack being successful on your network.
Port security
Through your network settings, you can set up port security, a set of switch controls that mitigate the risks of attacks. The process will vary depending on the switch (or router with a built-in switch) you use, but in most cases you can limit the number of new MAC addresses that each port can add to the forwarding table, or select a specific number of addresses that are not to be overwritten when the table runs out of space. Port security settings allow the switch to keep saving legitimate MAC addresses while limiting potentially malicious input.
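To make the two ideas above concrete, here is an added example (not code from the original article or from any switch vendor) that models a learning switch's forwarding table in Python. The table capacity, port names and MAC addresses are constructed values for the simulation. Without port security, a burst of forged source addresses on one port fills the table, a host that joins afterwards cannot be learned, and traffic to it is flooded to every port including the attacker's; with a per-port limit, the forged addresses are refused and the late joiner is still learned.

```python
from typing import Dict, List, Optional

# Constructed model of a learning switch and its forwarding (CAM) table.
# The capacity, port names and MAC addresses are made-up values for this
# example; real tables hold thousands of entries and age them out over time.
TABLE_CAPACITY = 8


class Switch:
    def __init__(self, ports: List[str], capacity: int = TABLE_CAPACITY,
                 port_security_limit: Optional[int] = None) -> None:
        self.ports = list(ports)
        self.capacity = capacity
        # Port security: maximum MACs learned per port (None = disabled)
        self.limit = port_security_limit
        self.table: Dict[str, str] = {}          # source MAC -> ingress port
        self.violations: Dict[str, int] = {p: 0 for p in ports}

    def _learn(self, src_mac: str, in_port: str) -> None:
        if src_mac in self.table:
            return                                 # already known, nothing to do
        if self.limit is not None:
            on_port = sum(1 for p in self.table.values() if p == in_port)
            if on_port >= self.limit:
                # Port security refuses the new address; existing entries survive
                self.violations[in_port] += 1
                return
        if len(self.table) >= self.capacity:
            return                                 # table full: address not learned
        self.table[src_mac] = in_port

    def forward(self, src_mac: str, dst_mac: str, in_port: str) -> List[str]:
        """Learn the source address, then return the ports the frame goes out of."""
        self._learn(src_mac, in_port)
        out_port = self.table.get(dst_mac)
        if out_port is None:
            # Unknown destination: flood to every port except the ingress port.
            # This is the behaviour a flooding attack relies on once the table is full.
            return [p for p in self.ports if p != in_port]
        return [out_port]


def run_scenario(port_security_limit: Optional[int] = None) -> Dict[str, object]:
    """Two legitimate hosts, a burst of forged source MACs on Gi0/3, then a late joiner."""
    sw = Switch(["Gi0/1", "Gi0/2", "Gi0/3"], port_security_limit=port_security_limit)
    alice, bob, carol = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03"
    sw.forward(alice, bob, "Gi0/1")                # switch learns alice on Gi0/1
    sw.forward(bob, alice, "Gi0/2")                # and bob on Gi0/2
    # Frames from Gi0/3 carrying 20 different forged source MACs (constructed values)
    for i in range(20):
        sw.forward(f"02:00:00:00:00:{i:02x}", "ff:ff:ff:ff:ff:ff", "Gi0/3")
    sw.forward(carol, alice, "Gi0/2")              # carol joins on Gi0/2 after the burst
    delivered_to = sw.forward(alice, carol, "Gi0/1")   # where does alice's frame to carol go?
    return {
        "delivered_to": delivered_to,
        "table_entries": len(sw.table),
        "violations_on_Gi0/3": sw.violations["Gi0/3"],
    }


if __name__ == "__main__":
    print("no port security:", run_scenario())
    print("port security, limit 2:", run_scenario(port_security_limit=2))
```

With no limit, alice's frame to carol is delivered to Gi0/2 and Gi0/3 (the attacker's port sees it); with a limit of two addresses per port, the table has room for carol and the frame goes only to Gi0/2, while the eighteen refused addresses are counted as violations on Gi0/3, which is exactly the counter a monitoring system would alert on.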
You can access your router settings by typing your router’s IP address (usually the network’s default gateway address) into your browser bar and logging in (if your router login details are not on the back of the router or in the papers that came with it, you can get these details from your ISP).
VLANs
Virtual LANs (VLANs) segment networks into separate silos that operate as individual networks. Even if the switch forwarding table for one VLAN is overwhelmed by a MAC address flooding attack, the other segments of the network will not be affected. Of course, this doesn’t prevent the attack completely, but it does limit its potential damage.
MAC address filtering
MAC address filtering involves configuring the switch to only accept packets from known MAC addresses. Any packets with a source MAC address that is not on the approved list will not be saved to the forwarding table.
Network monitoring tools
You can use network monitoring tools to scan for MAC flooding indicators, among other threats. Some monitoring tools can also be configured to automatically respond to a MAC flooding attack by blocking traffic from the device or devices sending the bogus data packets.
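The detection advice in this section and in the section on detecting the attack (watch for a port that suddenly learns an unusual number of source addresses) can be turned into a simple check. The following is an added example written for this article, not a tool from the original page or any vendor: it parses a constructed "MAC learned" event log (the line format is invented for the example) and reports any port that learned more distinct MAC addresses within a sliding time window than a threshold allows.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample log of MAC-learning events. The format is invented for
# this example and is not any switch vendor's syslog format.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z port=Gi0/1 mac=aa:aa:aa:00:00:01 event=learn",
    "2024-05-01T10:00:05Z port=Gi0/2 mac=bb:bb:bb:00:00:02 event=learn",
    "2024-05-01T10:00:50Z port=Gi0/1 mac=cc:cc:cc:00:00:03 event=learn",
    "2024-05-01T10:00:51Z port=Gi0/1 mac=aa:aa:aa:00:00:01 event=age-out",  # not a learn
] + [
    # 30 distinct source MACs learned on Gi0/3 within five seconds (constructed)
    f"2024-05-01T10:00:{30 + i // 6:02d}Z port=Gi0/3 mac=02:00:00:00:00:{i:02x} event=learn"
    for i in range(30)
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+port=(?P<port>\S+)\s+mac=(?P<mac>[0-9A-Fa-f:]{17})\s+event=learn$"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, port, mac) for a learn event, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["port"], m["mac"].lower()


def detect_mac_flood(lines: List[str], window_seconds: int = 10,
                     threshold: int = 20) -> Dict[str, int]:
    """Map each suspicious port to the peak number of distinct MACs it learned
    inside any window of window_seconds. A normal access port learns a handful
    of addresses over hours; dozens within seconds is a flooding indicator."""
    events: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, port, mac = parsed
            events[port].append((ts, mac))

    alerts: Dict[str, int] = {}
    for port, evs in events.items():
        evs.sort()
        window: deque = deque()                    # events inside the current window
        in_window: Dict[str, int] = defaultdict(int)   # mac -> occurrences in window
        peak = 0
        for ts, mac in evs:
            window.append((ts, mac))
            in_window[mac] += 1
            # Drop events older than the window relative to the newest event
            while (ts - window[0][0]).total_seconds() > window_seconds:
                old_ts, old_mac = window.popleft()
                in_window[old_mac] -= 1
                if in_window[old_mac] == 0:
                    del in_window[old_mac]
            peak = max(peak, len(in_window))
        if peak > threshold:
            alerts[port] = peak
    return alerts


if __name__ == "__main__":
    for port, count in detect_mac_flood(SAMPLE_LOG).items():
        print(f"ALERT: {port} learned {count} distinct MACs within 10s")
```

Counting distinct addresses per port (rather than raw events) keeps a single chatty host from tripping the check, and the port name in the alert is what an administrator needs to shut the port or apply a port-security limit. Tune the threshold to what each port normally carries; a port feeding a hypervisor or another switch legitimately learns far more addresses than a desktop port.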
What is the difference between MAC flooding and ARP poisoning?
Like MAC flooding, ARP poisoning involves hackers on the same LAN as their victims compromising the security of the network.
In this cyberattack, the attacker connects to the same local network as their victim and sends fake address resolution protocol (ARP) messages through the network. These messages link the attacker’s MAC address with the IP address of the victim’s device, and this incorrect data is then saved to the network’s ARP cache. Now all subsequent data sent to the victim is redirected to the attacker’s MAC address — the cache has been poisoned.
To understand the difference between these two attacks, just contrast ARP poisoning with a MAC flooding attack, in which the hacker targets the network switch’s forwarding table, as opposed to the ARP cache.
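The contrast above is the key point: ARP poisoning rewrites an IP-to-MAC mapping in a host's ARP cache rather than overflowing the switch's forwarding table. The following added example (written for this article, not code from the original page) models a naive ARP cache that, like an unprotected host, overwrites an entry on every reply it hears, and beside it a defender's check that flags any reply remapping an already-known IP address to a different MAC. All IP and MAC addresses are constructed values.

```python
from typing import Dict, List, Tuple

# Constructed ARP replies overheard on a LAN, as (sender IP, sender MAC) pairs.
# Every address here is made up for the example.
ARP_REPLIES: List[Tuple[str, str]] = [
    ("192.168.1.1", "aa:aa:aa:00:00:01"),    # the gateway answers for itself
    ("192.168.1.20", "bb:bb:bb:00:00:02"),   # a workstation
    ("192.168.1.1", "aa:aa:aa:00:00:01"),    # the gateway again, unchanged
    ("192.168.1.1", "dd:dd:dd:00:00:04"),    # a different MAC now claims the gateway's IP
]

GATEWAY_IP = "192.168.1.1"   # assumed gateway address for the example


class ArpCache:
    """Naive cache: the most recent reply for an IP wins, so it can be poisoned."""

    def __init__(self) -> None:
        self.entries: Dict[str, str] = {}

    def update(self, ip: str, mac: str) -> None:
        self.entries[ip] = mac

    def lookup(self, ip: str) -> str:
        return self.entries[ip]


def resolved_gateway_mac(replies: List[Tuple[str, str]]) -> str:
    """Feed the replies into a naive cache and return where gateway traffic would now go."""
    cache = ArpCache()
    for ip, mac in replies:
        cache.update(ip, mac)
    return cache.lookup(GATEWAY_IP)


def find_remaps(replies: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (ip, first MAC seen, new MAC) for every reply that changes a known mapping.
    A remap of the gateway's IP in particular is a classic ARP poisoning indicator."""
    first_seen: Dict[str, str] = {}
    remaps: List[Tuple[str, str, str]] = []
    for ip, mac in replies:
        if ip not in first_seen:
            first_seen[ip] = mac
        elif first_seen[ip] != mac:
            remaps.append((ip, first_seen[ip], mac))
    return remaps


if __name__ == "__main__":
    print("gateway now resolves to:", resolved_gateway_mac(ARP_REPLIES))
    for ip, old, new in find_remaps(ARP_REPLIES):
        print(f"ALERT: {ip} changed from {old} to {new}")
```

After the last reply the naive cache sends all gateway-bound traffic to the new MAC, while the check reports the single remap. Note how nothing in this exchange touched the switch's forwarding table; the port-security and learning-rate checks described for MAC flooding would not notice it, which is why the two attacks need different monitoring.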
Best practices for preventing MAC flooding
To prevent MAC flooding, you should focus on two areas of cybersecurity: prevention and monitoring.
- Prevention. To prevent these attacks from occurring in the first place, set up port security for your network switch. This limits how many new MAC addresses each port can have saved to the switch’s MAC address table. You should also make sure to use strong passwords to protect your network, since an attacker’s device must connect to the network before it can launch the attack.
- Monitoring. You should consistently monitor your network for signs of an attack. While indicators like poor performance and surges in network traffic could be warning signs, network monitoring software can pick up on subtle risk indicators you might miss with a manual approach. You should also monitor the devices connecting to your network and remove any that should not be there or are behaving strangely.
As a further measure, network administrators should consider using penetration testers, also known as ethical hackers, to probe their network defenses. These professional security experts expose weaknesses so that vulnerabilities can be patched before bad actors find them.
What to do if you’re a victim of MAC flooding
If you think you have been using a network compromised by MAC flooding, follow these steps to try to stay safe:
- Stop using the compromised network. The hacker may still have access to the network, so stop using it immediately to prevent further data exposure.
- Change your passwords. While using the compromised network, you may have exposed sensitive password data. As a precaution, change the passwords of any accounts you accessed while on the network.
- Contact network administrators. Contact the administrator or provider who maintains the network. The sooner they are made aware of the problem, the sooner they can take steps to secure the network, clear the bogus entries from the switch’s MAC address table, and keep other users safe.