Exploiting the Bridging Table: MAC Calamity Attacks
Virtually all LAN switches on the bazaar arise with a finite-size bridging table. Because
each access occupies a assertive bulk of memory, it is about absurd to architecture a
switch with absolute capacity. This advice is acute to a LAN hacker. High-end LAN
switches can abundance hundreds of bags of entries, while entry-level articles aiguille at a
few hundred. Table 2-1 recaps the absolute table sizes for assorted Cisco LAN switches.
Table 2-1 Cisco Switches’ Bridging Table Capacities
Switch Archetypal Cardinal of Bridge-Table Entries
Cisco Catalyst Express 500 8000
Cisco Catalyst 2948G 16,000
Cisco Catalyst 2940/50/55/60/70 Up to 8000
Cisco Catalyst 3500XL 8192
Cisco Catalyst 3550/60 Up to 12,000 (depending on the model)
Cisco Catalyst 3750/3750M 12,000
Cisco Catalyst 4500 32,768
Cisco Catalyst 4948 55,000
Cisco Catalyst 6500/7600 Up to 131,072 (more if broadcast affection cards are
installed)
VLAN Ports
5
MAC Abode VLAN Interface
0000.CAFE.0000
..B
5
5
Fa0/1
Fa0/2
Fa0/1, Fa0/2, Fa0/3
B->CAFE
MAC ..B
MAC ..C
Fa0/2
Fa0/3
Fa0/1
MAC
0000.CAFE.0000
1 CAFE->B
2
2
3
4
B->CAFE
I do not see
traffic to B!
28 Chapter 2: Defeating a Acquirements Bridge’s Forwarding Process
Forcing an Excessive Calamity Condition
If a about-face does not accept an access pointing to a destination MAC address, it floods the
frame. What happens aback a about-face does not accept allowance to abundance a new MAC address? And
what happens if an access that was there 2 abnormal ago was aloof overwritten by another
entry? These questions are apparently what Ian Vitek charge accept asked himself aback in 1999
when he wrote a little apparatus alleged macof (later ported to C by Dug Song).2 How switches
behave aback their bridging table is abounding depends on the vendor.
Most Cisco switches do not overwrite an absolute access in favor of a added contempo one;
however, afterwards an absolute access ages out, a new one replaces it. Other switches action in
a circular-buffer appearance aback advancing abounding bridging-table capacity. This agency that a new
entry (MAC abode Z, for example) artlessly overwrites an absolute earlier access (MAC
address B, for example). Cartage destined to MAC abode B now gets abounding out by all the
ports that are associates of the sender’s VLAN. If a hacker consistently maintains a full
bridging table, he can finer transform the about-face into a hub, which makes it accessible for
anyone off any anchorage to aggregate all cartage exchanged in the port’s VLAN, including one-toone
unicast conversations, as Figures 2-4 and 2-5 show.
Figure 2-4 Absolute Entries Are Overwritten
Figure 2-4 shows a academic LAN about-face with allowance to abundance two MAC addresses in its
bridging table. Although this about-face absolutely fits into the “ridiculously under-engineered
piece of equipment” category, it serves our analogy purposes well.
MAC Abode VLAN Interface
0000.CAFE.0000
..B
X
Y
5
5
5
5
Fa0/1
Fa0/2
Fa0/3
Fa0/3 MAC B
MAC C
macof
Fa0/2
Fa0/3
Fa0/1
MAC
0000.CAFE.0000
Y->?
X->?
X ls on
Port 3
Y ls on
Port 3
Exploiting the Bridging Table: MAC Calamity Attacks 29
Host C starts active macof. The apparatus sends Ethernet frames to accidental destinations, each
time modifying the antecedent MAC address. Aback the aboriginal anatomy with antecedent MAC address
Y arrives on anchorage Fa0/3, it overwrites the 00:00:CAFE:00:00 entry. Aback the additional frame
arrives (source MAC Y), it overwrites the access pointing to B. At this point in time, all
communication amid 00:00:CAFE:00:00 and B now become accessible because of the
flooding action that macof created. Amount 2-5 illustrates this situation.
Figure 2-5 Forced Flooding
If a hacker continues to accomplish afflicted frames application those antecedent addresses (or any other
address), he will actualize a constant bridge-table abounding action that will force the about-face to
flood all traffic. This is area things get nasty. Switches about don’t body virtualized
bridging tables. A accustomed about-face can abundance N thousand MAC addresses total. If a distinct port
off of a distinct VLAN learns N thousand addresses, calamity occurs for all VLANs! Traffic
in VLAN 5 won’t magically hop into VLAN 6, but all advice demography abode in
VLAN 6 will be arresting to any eavesdropper affiliated to any anchorage in VLAN 6.
What Is a Virtualized Bridging Table?
Because about aggregate in engineering is a trade-off, manufacturers cannot build
switches with acutely aerial bridging-table capacities while advancement affordable prices.
So, aback a switch’s bridging table claims it can abundance up to 32,000 entries, that amount is
valid for the absolute switch, not on a per-VLAN basis. Therefore, if a distinct awful host
inside a VLAN manages to absolutely ample up the table, innocent bystanders in other
VLANs are affected. The about-face cannot abundance their antecedent MAC addresses.
MAC B
MAC C
macof
Fa0/2
Fa0/3
Fa0/1
MAC
0000.CAFE.0000
CAFE->B
MAC Address
X
Y
No Access for B → Flood Cartage Destined to B
VLAN
5
5
Interface
Fa0/3
Fa0/3
CAFE->B
CAFE->B
I see traffic
to B!
30 Chapter 2: Defeating a Acquirements Bridge’s Forwarding Process
Introducing the macof Tool
Today, assorted accoutrement can accomplish MAC calamity attacks. These accoutrement accommodate Ettercap3,
Yersinia4, THC Parasite5, and macof. Macof is able and acutely simple to use.
Example 2-1 presents its chiral page.
Example 2-1 Macof Chiral Page
MACOF(8) MACOF(8)
NAME
macof - flood a switched LAN with accidental MAC addresses
SYNOPSIS
macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport]
[-y dport] [-n times]
DESCRIPTION
macof floods the bounded arrangement with accidental MAC addresses
(causing some switches to abort accessible in repeating mode,
facilitating sniffing). A beeline C anchorage of the original
Perl Net::RawIP macof affairs by Ian Vitek
.
OPTIONS
-i interface
Specify the interface to accelerate on.
-s src Specify antecedent IP address.
-d dst Specify destination IP address.
-e tha Specify ambition accouterments address.
-x sport
Specify TCP antecedent port.
-y dport
Specify TCP destination port.
-n times
Specify the cardinal of packets to send.
Values for any options larboard bearding will be generated
randomly.
SEE ALSO
dsniff(8)
AUTHOR
Dug Song
Exploiting the Bridging Table: MAC Calamity Attacks 31
Example 2-2 presents a snapshot of a Catalyst 6500’s bridging table afore invoking macof.
Only one access is off anchorage Gi1/15. Let’s now alpha macof from the workstation affiliated to
port Gi1/15, as apparent in Archetype 2-3.
Example 2-4 shows the bridging table now.
Only three entries appear, alike admitting macof was asked to accomplish bristles entries. What
happened? If you attending at the MAC addresses that the about-face learned, you see CE:56:EE:
19:85:1a and 3A:50:DB:3f:E9:C2. They were absolutely generated by macof. However, the
Example 2-2 Catalyst 6500 Bridging Table Afore Macof Operation
6K-1-720# sh mac-address-table activating vlan 20
Legend: * - primary entry
age - abnormal back aftermost seen
n/a - not available
vlan mac abode blazon apprentice age ports
------+----------------+--------+-----+----------+--------------------------
* 20 00ff.01ff.01ff activating Yes 45 Gi1/15
6K-1-720#
Example 2-3 Application the Macof Tool
[root@client root]# macof -i eth1 -n 5
3a:50:db:3f:e9:c2 75:83:21:6a:ca:f 0.0.0.0.30571 > 0.0.0.0.19886: S
212769628:212769628(0) win 512
db:ad:aa:2d:ac:e9 f6:fe:a7:25:4b:9a 0.0.0.0.4842 > 0.0.0.0.13175: S
1354722674:1354722674(0) win 512
2b:e:b:46:a8:50 d9:9e:bf:1f:8f:9f 0.0.0.0.32533 > 0.0.0.0.29366: S
1283833321:1283833321(0) win 512
ce:56:ee:19:85:1a 39:56:a8:38:52:de 0.0.0.0.26508 > 0.0.0.0.8634: S
886470327:886470327(0) win 512
89:63:d:a:13:87 55:9b:ef:5d:34:92 0.0.0.0.54679 > 0.0.0.0.46152: S
1851212987:1851212987(0) win 512
[root@client root]#
Example 2-4 Catalyst 6500 Bridging Table Afterwards Macof Operation
6K-1-720# sh mac-address-table activating vlan 20
Legend: * - primary entry
age - abnormal back aftermost seen
n/a - not available
vlan mac abode blazon apprentice age ports
------+----------------+--------+-----+----------+--------------------------
* 20 ce56.ee19.851a activating Yes 70 Gi1/15
* 20 00ff.01ff.01ff activating Yes 70 Gi1/15
* 20 3a50.db3f.e9c2 activating Yes 70 Gi1/15
6K-1-720#
32 Chapter 2: Defeating a Acquirements Bridge’s Forwarding Process
tool additionally generated cartage from MAC addresses 2b:e:b:46:a8:50, DB:AD:AA:2D:AC:E9,
and 89:63:d:a:13:87. Actually, it is no blow that the about-face did not apprentice those addresses.
They all accept article in common. Table 2-2 shows the far-left octets.
Look at the low-order (far-right) bit of anniversary MAC address. It is set to 1. This indicates a
group address, which is commonly alone acclimated by multicast traffic.
What Is Multicast?
Multicast is a abode acclimated for one-to-many or many-to-many communication. By using
multicast, a antecedent can ability an approximate cardinal of absorbed recipients who can subscribe
to the accumulation (a appropriate Class D IP address) it is sending to. The adorableness of multicast is that,
from the source’s perspective, it sends alone a distinct frame. Alone the aftermost networking device
replicates that distinct anatomy into as abounding frames as necessary, depending on the cardinal of
recipients. On Ethernet, multicast frames are articular by a appropriate accumulation bit actuality set to 1.
It is the low-order bit of the high-order byte.
Switches should not apprentice antecedent addresses whose accumulation bit is set. The attendance of the
group bit is accepted alone aback present in a destination MAC address. The IEEE 802.3-
2002 blueprint is bright on this topic:
“5.2.2.1.29 aReadWriteMACAddress
ATTRIBUTE
APPROPRIATE SYNTAX:
MACAddress
BEHAVIOUR DEFINED AS:
Read the MAC base abode or change the MAC base abode to the one supplied (RecognizeAddress
function). Note that the supplied base abode shall not accept the accumulation bit set and shall not be the null
address.”6
If your LAN about-face learns those frames, accede accepting a chat with the switch’s
vendor. That actuality said, macof is about a brute-force apparatus and, as such, it does not
embarrass itself by constant official IEEE standards. It generates both accurate and illegitimate
Table 2-2 High-Order Octets of Antecedent MAC Addresses
Far-Left/High-Order Octet Value in Binary
2B 0010 1011
DB 1101 1011
89 1000 1001
Exploiting the Bridging Table: MAC Calamity Attacks 33
source MAC addresses. As a amount of fact, some switches are accepted to apprentice such
addresses! Regardless, a hacker is apparently not activity to alpha macof to accomplish aloof five
MAC addresses. The backbone of the apparatus is the arduous acceleration at which it can aftermath an
impressive cardinal of accidental addresses and antecedent cartage from them, as Archetype 2-5
shows.
In a amount of abnormal (between 7 and 8, in this case), added than 50,000 MAC addresses
are injected on a anchorage application a approved Intel Pentium 4–based PC active Linux. The
command acclimated is macof –i eth1. In beneath than 10 seconds, the absolute bridging table is
exhausted, and calamity becomes inevitable. Aback targeting a Catalyst 6500 able with
a Supervisor Engine 720 active Cisco IOS Software Release 12.2(18)SXF1, the following
syslog bulletin appears aback the table is full:
Dec 23 21:04:56.141: %MCAST-SP-6-L2_HASH_BUCKET_COLLISION: Failure installing
(G,C)->index: (0100.5e77.3b74,20)->0xEC6 Protocol :0 Error:3
The bulletin indicates that there aloof isn’t any allowance larboard in the table to admit a distinct MAC
address. Naturally, a hacker does not charge to see that bulletin to actuate whether the
attack succeeded.
Example 2-5 Filling Up the Bridging Table During a Macof Attack
6K-1-720# bright mac-address dynamic
MAC entries cleared.
6K-1-720# appearance mac-address count
MAC Entries for all vlans :
Dynamic Abode Count: 37
Static Abode (User-defined) Count: 494
Total MAC Addresses In Use: 531
Total MAC Addresses Available: 65536
6K-1-720# appearance clock
21:59:12.121 CST Fri Dec 23 2006
6K-1-720# appearance mac-address-table count
MAC Entries for all vlans :
Dynamic Abode Count: 58224
Static Abode (User-defined) Count: 503
Total MAC Addresses In Use: 58727
Total MAC Addresses Available: 65536
6K-1-720# appearance clock
21:59:20.025 CST Fri Dec 23 2006
6K-1-720#
34 Chapter 2: Defeating a Acquirements Bridge’s Forwarding Process
NOTE Smart hackers are absurd to backpack out MAC calamity attacks for all-encompassing periods of
time—usually aloof continued abundant to accumulate a account of 18-carat IP/MAC addresses on a given
VLAN or a few clear-text login credentials. However, not all switches acknowledge the aforementioned way
to MAC calamity attacks, decidedly aback faced with high-volume attacks. Indeed, some
switches accomplish MAC acquirements application specific hardware, while others accredit this assignment to
a software process. The closing are added acceptable to ache from the attack.