Exploiting the Bridging Table: MAC Flooding Attacks

Virtually all LAN switches on the market come with a finite-size bridging table. Because each entry occupies a certain amount of memory, it is nearly impossible to design a switch with infinite capacity. This information is crucial to a LAN hacker. High-end LAN switches can store hundreds of thousands of entries, while entry-level products peak at a few hundred. Table 2-1 recaps the maximum table sizes for various Cisco LAN switches.

Table 2-1 Cisco Switches' Bridging Table Capacities

Switch Model                        Number of Bridge-Table Entries
Cisco Catalyst Express 500          8000
Cisco Catalyst 2948G                16,000
Cisco Catalyst 2940/50/55/60/70     Up to 8000
Cisco Catalyst 3500XL               8192
Cisco Catalyst 3550/60              Up to 12,000 (depending on the model)
Cisco Catalyst 3750/3750M           12,000
Cisco Catalyst 4500                 32,768
Cisco Catalyst 4948                 55,000
Cisco Catalyst 6500/7600            Up to 131,072 (more if distributed feature cards are installed)

[Figure: normal forwarding in VLAN 5 (ports Fa0/1, Fa0/2, Fa0/3). Bridging table: 0000.CAFE.0000 on Fa0/1, MAC B on Fa0/2. Frames B->CAFE and CAFE->B are forwarded only between Fa0/1 and Fa0/2; the host on Fa0/3 (MAC C) reports: "I do not see traffic to B!"]

Chapter 2: Defeating a Learning Bridge's Forwarding Process

Forcing an Excessive Flooding Condition

If a switch does not have an entry pointing to a destination MAC address, it floods the frame. What happens when a switch does not have room to store a new MAC address? And what happens if an entry that was there 2 seconds ago was just overwritten by another entry? These questions are probably what Ian Vitek must have asked himself back in 1999 when he wrote a little tool called macof (later ported to C by Dug Song).2 How switches behave when their bridging table is full depends on the vendor.

Most Cisco switches do not overwrite an existing entry in favor of a more recent one; however, after an existing entry ages out, a new one replaces it. Other switches operate in a circular-buffer fashion when approaching full bridging-table capacity. This means that a new entry (MAC address Z, for example) simply overwrites an existing older entry (MAC address B, for example). Traffic destined to MAC address B now gets flooded out all the ports that are members of the sender's VLAN. If a hacker constantly maintains a full bridging table, he can effectively transform the switch into a hub, which makes it possible for anyone off any port to collect all traffic exchanged in the port's VLAN, including one-to-one unicast conversations, as Figures 2-4 and 2-5 show.

Figure 2-4 Existing Entries Are Overwritten

Figure 2-4 shows a hypothetical LAN switch with room to store two MAC addresses in its bridging table. Although this switch clearly fits into the "ridiculously under-engineered piece of equipment" category, it serves our illustration purposes well.

[Figure 2-4: VLAN 5 bridging table with two slots. The entries 0000.CAFE.0000 (Fa0/1) and B (Fa0/2) are replaced by X and Y, both learned on Fa0/3, where MAC C runs macof. The switch now believes "X is on Port 3" and "Y is on Port 3"; frames X->? and Y->? arrive from Fa0/3.]


Host C starts running macof. The tool sends Ethernet frames to random destinations, each time modifying the source MAC address. When the first frame with source MAC address X arrives on port Fa0/3, it overwrites the 00:00:CAFE:00:00 entry. When the second frame arrives (source MAC Y), it overwrites the entry pointing to B. At this point in time, all communication between 00:00:CAFE:00:00 and B becomes visible because of the flooding condition that macof created. Figure 2-5 illustrates this situation.

Figure 2-5 Forced Flooding

If a hacker continues to generate forged frames using those source addresses (or any other address), he will create a permanent bridge-table full condition that will force the switch to flood all traffic. This is where things get nasty. Switches generally don't build virtualized bridging tables. A given switch can store N thousand MAC addresses total. If a single port off of a single VLAN learns N thousand addresses, flooding occurs for all VLANs! Traffic in VLAN 5 won't magically hop into VLAN 6, but all communication taking place in VLAN 6 will be visible to any eavesdropper connected to any port in VLAN 6.

What Is a Virtualized Bridging Table?

Because almost everything in engineering is a trade-off, manufacturers cannot build switches with extremely high bridging-table capacities while maintaining affordable prices. So, when a switch's bridging table claims it can store up to 32,000 entries, that figure is valid for the entire switch, not on a per-VLAN basis. Therefore, if a single malicious host inside a VLAN manages to completely fill up the table, innocent bystanders in other VLANs are affected. The switch cannot store their source MAC addresses.
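To make the two table-full behaviours and the shared (non-virtualized) table concrete, here is an added Python simulation, not code from the book or from any switch vendor: a toy learning bridge keyed by (VLAN, MAC) that replays the Figure 2-4/2-5 scenario under the circular-buffer policy and the sidebar's cross-VLAN effect under the no-overwrite policy. The port names and the placeholder MACs X, Y, A, Z and fake-N are assumptions for the demonstration.

```python
from collections import OrderedDict

FLOOD = "flood"   # frame is sent out every port of the VLAN except the ingress port

class Bridge:
    """Toy learning bridge: one finite bridging table shared by all VLANs.
    policy "age": a full table refuses new sources until an entry ages out (most
    Cisco switches); policy "circular": a full table overwrites its oldest entry.
    Ageing is not modelled, so entries leave the table only by eviction."""

    def __init__(self, capacity, policy="age"):
        self.capacity = capacity
        self.policy = policy
        self.table = OrderedDict()          # (vlan, mac) -> port, oldest first

    def learn(self, vlan, mac, port):
        key = (vlan, mac)
        if key in self.table:
            self.table[key] = port          # known source: refresh the port only
            return True
        if len(self.table) >= self.capacity:
            if self.policy != "circular":
                return False                # no room: the source stays unknown
            self.table.popitem(last=False)  # circular buffer: evict the oldest entry
        self.table[key] = port
        return True

    def forward(self, vlan, src, dst, in_port):
        """Learn the source, then return the egress port, or FLOOD if dst is unknown."""
        self.learn(vlan, src, in_port)
        return self.table.get((vlan, dst), FLOOD)

def figure_2_4_scenario():
    """Figures 2-4/2-5: a two-entry switch, circular policy, macof on Fa0/3."""
    sw = Bridge(capacity=2, policy="circular")
    sw.forward(5, "0000.cafe.0000", "B", "Fa0/1")           # CAFE learned on Fa0/1
    before = sw.forward(5, "B", "0000.cafe.0000", "Fa0/2")  # B on Fa0/2; CAFE is known
    for fake_src in ("X", "Y"):                             # two macof frames from host C
        sw.forward(5, fake_src, "random", "Fa0/3")          # they evict CAFE, then B
    after = sw.forward(5, "0000.cafe.0000", "B", "Fa0/1")   # B unknown again
    return before, after                                    # ("Fa0/1", "flood")

def cross_vlan_scenario(capacity=1000):
    """Sidebar: a table filled from one port in VLAN 5 blinds VLAN 6 as well."""
    sw = Bridge(capacity, policy="age")
    for i in range(capacity):                               # attacker on Fa0/3, VLAN 5
        sw.forward(5, f"fake-{i}", "random", "Fa0/3")
    sw.forward(6, "A", "Z", "Fa0/10")                       # VLAN 6 host A: not learned
    return sw.forward(6, "Z", "A", "Fa0/11")                # so Z's reply to A floods
```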

[Figure 2-5: the bridging table now holds only X (VLAN 5, Fa0/3) and Y (VLAN 5, Fa0/3). No entry for B, so traffic destined to B is flooded: CAFE->B leaves Fa0/2 and Fa0/3, and the macof host (MAC C) on Fa0/3 reports: "I see traffic to B!"]


Introducing the macof Tool

Today, various tools can perform MAC flooding attacks. These tools include Ettercap3, Yersinia4, THC Parasite5, and macof. Macof is powerful and extremely simple to use. Example 2-1 presents its manual page.

Example 2-1 Macof Manual Page

MACOF(8)                                                 MACOF(8)

NAME
       macof - flood a switched LAN with random MAC addresses

SYNOPSIS
       macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport]
             [-y dport] [-n times]

DESCRIPTION
       macof floods the local network with random MAC addresses
       (causing some switches to fail open in repeating mode,
       facilitating sniffing). A straight C port of the original
       Perl Net::RawIP macof program by Ian Vitek.

OPTIONS
       -i interface
              Specify the interface to send on.
       -s src Specify source IP address.
       -d dst Specify destination IP address.
       -e tha Specify target hardware address.
       -x sport
              Specify TCP source port.
       -y dport
              Specify TCP destination port.
       -n times
              Specify the number of packets to send.

       Values for any options left unspecified will be generated
       randomly.

SEE ALSO
       dsniff(8)

AUTHOR
       Dug Song


Example 2-2 presents a snapshot of a Catalyst 6500's bridging table before invoking macof. Only one entry is off port Gi1/15. Let's now start macof from the workstation connected to port Gi1/15, as shown in Example 2-3.

Example 2-2 Catalyst 6500 Bridging Table Before Macof Operation

6K-1-720# sh mac-address-table dynamic vlan 20
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available
  vlan   mac address     type    learn     age          ports
------+----------------+--------+-----+----------+--------------------------
*   20  00ff.01ff.01ff   dynamic  Yes         45   Gi1/15
6K-1-720#

Example 2-3 Using the Macof Tool

[root@client root]# macof -i eth1 -n 5
3a:50:db:3f:e9:c2 75:83:21:6a:ca:f 0.0.0.0.30571 > 0.0.0.0.19886: S 212769628:212769628(0) win 512
db:ad:aa:2d:ac:e9 f6:fe:a7:25:4b:9a 0.0.0.0.4842 > 0.0.0.0.13175: S 1354722674:1354722674(0) win 512
2b:e:b:46:a8:50 d9:9e:bf:1f:8f:9f 0.0.0.0.32533 > 0.0.0.0.29366: S 1283833321:1283833321(0) win 512
ce:56:ee:19:85:1a 39:56:a8:38:52:de 0.0.0.0.26508 > 0.0.0.0.8634: S 886470327:886470327(0) win 512
89:63:d:a:13:87 55:9b:ef:5d:34:92 0.0.0.0.54679 > 0.0.0.0.46152: S 1851212987:1851212987(0) win 512
[root@client root]#

Example 2-4 shows the bridging table now.

Example 2-4 Catalyst 6500 Bridging Table After Macof Operation

6K-1-720# sh mac-address-table dynamic vlan 20
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available
  vlan   mac address     type    learn     age          ports
------+----------------+--------+-----+----------+--------------------------
*   20  ce56.ee19.851a   dynamic  Yes         70   Gi1/15
*   20  00ff.01ff.01ff   dynamic  Yes         70   Gi1/15
*   20  3a50.db3f.e9c2   dynamic  Yes         70   Gi1/15
6K-1-720#

Only three entries appear, even though macof was asked to generate five entries. What happened? If you look at the MAC addresses that the switch learned, you see CE:56:EE:19:85:1a and 3A:50:DB:3f:E9:C2. They were indeed generated by macof. However, the tool also generated traffic from MAC addresses 2b:e:b:46:a8:50, DB:AD:AA:2D:AC:E9, and 89:63:d:a:13:87. Actually, it is no accident that the switch did not learn those addresses. They all have something in common. Table 2-2 shows the far-left octets.

Table 2-2 High-Order Octets of Source MAC Addresses

Far-Left/High-Order Octet    Value in Binary
2B                           0010 1011
DB                           1101 1011
89                           1000 1001

Look at the low-order (far-right) bit of each of these octets. It is set to 1. This indicates a group address, which is normally only used by multicast traffic.

What Is Multicast?

Multicast is a technique used for one-to-many or many-to-many communication. By using multicast, a source can reach an arbitrary number of interested recipients who can subscribe to the group (a special Class D IP address) it is sending to. The beauty of multicast is that, from the source's perspective, it sends only a single frame. Only the last networking device replicates that single frame into as many frames as necessary, depending on the number of recipients. On Ethernet, multicast frames are identified by a special group bit being set to 1. It is the low-order bit of the high-order byte.

Switches should not learn source addresses whose group bit is set. The presence of the group bit is expected only when present in a destination MAC address. The IEEE 802.3-2002 specification is clear on this topic:

"5.2.2.1.29 aReadWriteMACAddress
ATTRIBUTE
APPROPRIATE SYNTAX:
MACAddress
BEHAVIOUR DEFINED AS:
Read the MAC station address or change the MAC station address to the one supplied (RecognizeAddress function). Note that the supplied station address shall not have the group bit set and shall not be the null address."6

If your LAN switch learns those frames, consider having a word with the switch's vendor. That being said, macof is basically a brute-force tool and, as such, it does not embarrass itself by following official IEEE standards. It generates both legitimate and illegitimate source MAC addresses. As a matter of fact, some switches are known to learn such addresses! Regardless, a hacker is probably not going to start macof to generate just five MAC addresses. The strength of the tool is the sheer speed at which it can produce an impressive number of random addresses and source traffic from them, as Example 2-5 shows.

In a matter of seconds (between 7 and 8, in this case), more than 50,000 MAC addresses are injected on a port using a regular Intel Pentium 4-based PC running Linux. The command used is macof -i eth1. In less than 10 seconds, the entire bridging table is exhausted, and flooding becomes inevitable. When targeting a Catalyst 6500 equipped with a Supervisor Engine 720 running Cisco IOS Software Release 12.2(18)SXF1, the following syslog message appears when the table is full:

Dec 23 21:04:56.141: %MCAST-SP-6-L2_HASH_BUCKET_COLLISION: Failure installing (G,C)->index: (0100.5e77.3b74,20)->0xEC6 Protocol :0 Error:3

The message indicates that there just isn't any room left in the table to insert a single MAC address. Naturally, a hacker does not need to see that message to determine whether the attack succeeded.

Example 2-5 Filling Up the Bridging Table During a Macof Attack

6K-1-720# clear mac-address dynamic
MAC entries cleared.
6K-1-720# show mac-address count
MAC Entries for all vlans :
Dynamic Address Count: 37
Static Address (User-defined) Count: 494
Total MAC Addresses In Use: 531
Total MAC Addresses Available: 65536
6K-1-720# show clock
21:59:12.121 CST Fri Dec 23 2006
6K-1-720# show mac-address-table count
MAC Entries for all vlans :
Dynamic Address Count: 58224
Static Address (User-defined) Count: 503
Total MAC Addresses In Use: 58727
Total MAC Addresses Available: 65536
6K-1-720# show clock
21:59:20.025 CST Fri Dec 23 2006
6K-1-720#
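Defenders can turn Example 2-5 into a detector. The following added Python example (not the book's code, and not a Cisco feature) parses two count snapshots with their show clock readings, computes the learn rate and table fill, and also watches syslog for the %MCAST-SP-6-L2_HASH_BUCKET_COLLISION message quoted above. The sample text is a constructed copy in Example 2-5's format, and the 500 addresses/second threshold is an assumed baseline, not a figure from the text.

```python
import re
from datetime import datetime

# Constructed sample in the format of Example 2-5: two count snapshots with clock readings.
SNAPSHOTS = """\
6K-1-720# show mac-address-table count
Dynamic Address Count: 37
Total MAC Addresses In Use: 531
Total MAC Addresses Available: 65536
6K-1-720# show clock
21:59:12.121 CST Fri Dec 23 2006
6K-1-720# show mac-address-table count
Dynamic Address Count: 58224
Total MAC Addresses In Use: 58727
Total MAC Addresses Available: 65536
6K-1-720# show clock
21:59:20.025 CST Fri Dec 23 2006
"""
# Constructed copy of the table-full syslog message quoted in the text.
SYSLOG = ["Dec 23 21:04:56.141: %MCAST-SP-6-L2_HASH_BUCKET_COLLISION: Failure installing "
          "(G,C)->index: (0100.5e77.3b74,20)->0xEC6 Protocol :0 Error:3"]

COUNT_RE = re.compile(r"Dynamic Address Count:\s+(\d+)")
USAGE_RE = re.compile(r"Total MAC Addresses (In Use|Available):\s+(\d+)")
CLOCK_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) \w+ \w+ (\w+ \d+ \d{4})$", re.M)

def parse_snapshots(text):
    """Pair each dynamic-entry count with the show clock reading taken after it."""
    counts = [int(c) for c in COUNT_RE.findall(text)]
    clocks = [datetime.strptime(f"{d} {t}", "%b %d %Y %H:%M:%S.%f")
              for t, d in CLOCK_RE.findall(text)]
    return list(zip(clocks, counts))

def learn_rate(snapshots):
    """Dynamic entries learned per second between the first and the last snapshot."""
    (t0, c0), (t1, c1) = snapshots[0], snapshots[-1]
    return (c1 - c0) / (t1 - t0).total_seconds()

def assess(text, syslog_lines, rate_threshold=500.0):
    """Flag likely MAC flooding: an abnormal learn rate or the table-full syslog message.
    rate_threshold is an assumed per-site baseline, not a value from the text."""
    rate = learn_rate(parse_snapshots(text))
    usage = {k: int(v) for k, v in USAGE_RE.findall(text)[-2:]}   # last snapshot only
    collision = any("L2_HASH_BUCKET_COLLISION" in line for line in syslog_lines)
    return {"rate_per_s": round(rate), "fill": round(usage["In Use"] / usage["Available"], 3),
            "table_full_syslog": collision, "suspect": rate > rate_threshold or collision}

if __name__ == "__main__":
    print(assess(SNAPSHOTS, SYSLOG))   # roughly 7360 addresses/s, table about 90% full
```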


NOTE Smart hackers are unlikely to carry out MAC flooding attacks for extended periods of time, usually just long enough to gather a list of genuine IP/MAC addresses on a given VLAN or a few clear-text login credentials. However, not all switches react the same way to MAC flooding attacks, particularly when faced with high-volume attacks. Indeed, some switches perform MAC learning using specific hardware, while others delegate this task to a software process. The latter are more likely to suffer from the attack.