Port security-MAC address activity notification-Unknown unicast flooding protection

MAC flooding and spoofing attacks combine two deadly elements: They are extremely
simple to carry out and yet so potent. They can help an attacker collect valuable
information, such as usernames and passwords, or simply impact the proper operation of
the targeted LAN. Although they date back several years, these attacks are still popular,
thanks to the widespread availability of simple tools that help perpetrate them. Fortunately,
countermeasures are almost as simple as the attacks and are widely available, such as
• Port security
• MAC address activity notification
• Unknown unicast flooding protection
Port security can impose a limit on the number of frames dynamically learned off a LAN
port. MAC notification gives clear and almost instantaneous visibility into potentially
suspicious activity on the network triggered by MAC addresses moving from one port to
another. Unknown unicast flooding protection allows users to set granular control over the
amount of unicast floods a given host off a port can generate. All three features are useful
against bridge-table DoS attacks.

Example 2-14 Configuring and Monitoring Unicast Flood Protection
Router(config)# mac-address-table unicast-flood limit 3 vlan 100 filter 5
Router# show mac-address-table unicast-flood
Unicast Flood Protection status: enabled
Configuration:
vlan    Kfps    action    timeout
------+-------+---------+---------
100     3       filter    5
Mac filters:
No.    vlan    source mac addr.    installed on    time left (mm:ss)
-----+------+-------------------+----------------+-------------------

Always consult your equipment's documentation to stay up to date on the latest
developments regarding port security and to verify how your platform handles a specific
port-security feature.
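The following toy model of the three countermeasures is an added illustration, not code from the book or from any switch vendor. A learning bridge learns addresses per VLAN, caps the number of addresses learned on each port (port security), records address moves between ports (MAC notification), and counts unknown-unicast floods per source and second, installing a temporary filter once a source exceeds the limit (the analogue of the limit/filter knobs in Example 2-14). Port names, MAC addresses, and a limit expressed in frames per second rather than Kfps are constructed values.

```python
"""Toy learning bridge with port security, MAC-move notification and
unknown unicast flood protection. Constructed example, not switch code."""
from collections import defaultdict


class SecureBridge:
    def __init__(self, max_macs_per_port, flood_limit_per_sec, filter_seconds):
        self.max_macs = max_macs_per_port          # port security cap
        self.flood_limit = flood_limit_per_sec     # floods/s tolerated per source
        self.filter_seconds = filter_seconds       # how long a filter stays installed
        self.table = {}                            # (vlan, mac) -> port
        self.learned = defaultdict(set)            # port -> MACs learned on it
        self.floods = defaultdict(int)             # (vlan, src, second) -> count
        self.filters = {}                          # (vlan, src) -> expiry time
        self.violations = defaultdict(int)         # port -> port-security violations
        self.moves = []                            # (t, vlan, mac, old_port, new_port)

    def forward(self, t, port, vlan, src, dst):
        """Process one frame at time t; return the egress port, 'flood',
        'drop' (port-security violation) or 'filtered' (flood filter)."""
        key = (vlan, src)
        # Unknown unicast flood protection: a filtered source stays blocked
        # for every frame, known or unknown destination, until the filter expires.
        if key in self.filters:
            if t < self.filters[key]:
                return "filtered"
            del self.filters[key]
        prev = self.table.get(key)
        if prev != port:                           # new MAC, or MAC moved ports
            if len(self.learned[port]) >= self.max_macs:
                self.violations[port] += 1         # port security: refuse to learn
                return "drop"
            if prev is not None:                   # MAC notification: address moved
                self.moves.append((t, vlan, src, prev, port))
                self.learned[prev].discard(src)
            self.learned[port].add(src)
            self.table[key] = port
        out = self.table.get((vlan, dst))
        if out is not None:
            return out                             # known destination: unicast
        # Unknown destination: flood, but charge the flood to the source.
        bucket = (vlan, src, int(t))
        self.floods[bucket] += 1
        if self.floods[bucket] > self.flood_limit:
            self.filters[key] = t + self.filter_seconds
            return "filtered"
        return "flood"
```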