MAC Flooding Alternative: MAC Spoofing Attacks
All MAC flooding tools force a switch to “fail open” to later perform selective MAC
spoofing attacks. A MAC spoofing attack consists of generating a frame from a malicious
host borrowing a legitimate source MAC address already in use on the VLAN. This causes
the switch to forward frames out the incorrect port, as Figure 2-6 shows.
Figure 2-6 Spoofing a MAC Address
Although they’re extremely easy to carry out (most Ethernet adapters permit their MAC
address to be modified), MAC spoofing attacks come with a significant drawback: Unlike
MAC flooding attacks, they have the potential to cause an immediate denial of service
(DoS) to the spoofed host. In Figure 2-6, as soon as the attacker on host C masquerades as
host B, host B completely stops receiving traffic. That is because a given source MAC
address cannot appear simultaneously on different ports inside a given VLAN. The
switch updates its table based on the most recently seen frame. Traffic to host B can resume
if—and only if—the genuine host B sources a frame, thereby again updating the switch’s
bridging table.
[Figure 2-6 (diagram): host with MAC B on port Fa0/2 and host with MAC C (running macof) on port Fa0/3; ports Fa0/1, Fa0/2, Fa0/3; MAC 0000.CAFE.0000; the VLAN 5 MAC address table listing MAC B first on Fa0/2 and then on Fa0/3; host C: "I will see traffic to B!"; steps 1, 2, 3.]
Not Just Theory
Consider Example 2-6. A switch (6K-4-S2) has just been MAC attacked. Its bridging table
is full. The switch has a routed interface in VLAN 20. Pings to 10.20.20.1 (a remote router)
are successful. The Address Resolution Protocol (ARP) table reveals that the MAC address
associated with 10.20.20.1 is 0000.0020.0000. However, no entry for that address exists in the
bridging table! This means that all traffic destined to 0000.0020.0000 is flooded to all ports
that are members of VLAN 20.
If the host that started the MAC flooding attack now runs a packet analyzer, the contents
of a conversation between 6K-4-S2 (10.20.20.2) and a remote host (10.20.20.1) can be
intercepted as shown in Example 2-7.
Example 2-6 Revealing the Effects of a MAC Spoofing Attack
6K-4-S2# show mac-address-table count
MAC Entries for all vlans :
Dynamic Address Count: 131028
Static Address (User-defined) Count: 27
Total MAC Addresses In Use: 131055
Total MAC Addresses Available: 131072
6K-4-S2# ping 10.20.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
6K-4-S2# show ip arp 10.20.20.1
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.20.20.1 4 0000.0020.0000 ARPA Vlan20
6K-4-S2# show mac-add address 0000.0020.0000
Legend: * - primary entry
vlan mac address type learn ports
------+----------------+--------+-----+--------------------------
No entries present.
6K-4-S2#
Example 2-7 Intercepting a Remote Conversation
[root@linux-p4-linksys root]# ifconfig eth1 | grep inet
inet addr:10.21.21.100 Bcast:10.21.21.255 Mask:255.255.255.0
inet6 addr: fe80::200:caff:fefe:0/64 Scope:Link
[root@linux-p4-linksys root]# tcpdump -i eth1 tcp port 23 -vne
tcpdump: listening on eth1
21:17:03.056077 0:0:65:4:0:0 0:0:0:20:0:0 ip 60: 10.20.20.2.48643 >
10.20.20.1.telnet: S [tcp sum ok] 3116159553:3116159553(0) win 4128
[tos 0xc0] (ttl 255, id 0, len 44)
21:17:03.057055 0:0:65:4:0:0 0:0:0:20:0:0 ip 60: 10.20.20.2.48643 >
10.20.20.1.telnet: . [tcp sum ok] ack 321387993 win 4128 [tos 0xc0] (ttl 255, id
1, len 40)
21:17:03.057232 0:0:65:4:0:0 0:0:0:20:0:0 ip 72: 10.20.20.2.48643 >
10.20.20.1.telnet: P [tcp sum ok] 0:18(18) ack 1 win 4128 [telnet DO SUPPRESS GO
AHEAD, WILL TERMINAL TYPE, WILL SEND LOCATION, WILL TSPEED, WILL NAWS, WILL LFLOW]
[tos 0xc0] (ttl 255, id 2, len 58)
[etc.]
Even though the host has nothing to do with 10.20.20.x, it can see all traffic between
10.20.20.1 and .2 thanks to the MAC flooding attack.
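The two effects described in this section, the MAC move of Figure 2-6 and the flooding caused by a full bridging table in Example 2-6, can be reproduced with a small model of a switch's learning table. The following Python is an added example, not code from the book or from any switch vendor; the port names, VLAN numbers and MAC addresses are constructed for illustration, and the `moves` list records the "same MAC seen on a different port" event that a defender would alert on (for instance from a switch's MAC-move notifications or port-security logs).

```python
from collections import namedtuple

# A frame as the switch sees it: VLAN, source MAC, destination MAC, ingress port.
Frame = namedtuple("Frame", "vlan src dst in_port")

class LearningSwitch:
    """Minimal model of a transparent bridge's learning (CAM) table."""
    def __init__(self, ports, capacity=131072):  # capacity: constructed limit
        self.ports = list(ports)
        self.capacity = capacity
        self.table = {}    # (vlan, mac) -> port
        self.moves = []    # (vlan, mac, old_port, new_port): what a defender alerts on

    def _learn(self, f):
        key = (f.vlan, f.src)
        if key in self.table:
            if self.table[key] != f.in_port:     # same MAC now on another port
                self.moves.append((f.vlan, f.src, self.table[key], f.in_port))
                self.table[key] = f.in_port      # most recently seen frame wins
        elif len(self.table) < self.capacity:
            self.table[key] = f.in_port          # full table: nothing is learned

    def forward(self, f):
        """Learn from the frame, then return its egress port list."""
        self._learn(f)
        out = self.table.get((f.vlan, f.dst))
        if out is None:                          # unknown destination: flood VLAN
            return [p for p in self.ports if p != f.in_port]
        return [out] if out != f.in_port else []

B, R = "0000.000b.0000", "0000.cafe.0000"        # constructed MACs: host B, router

def spoofing_scenario():
    """Figure 2-6: host C on Fa0/3 borrows B's MAC; B on Fa0/2 stops receiving."""
    sw = LearningSwitch(["Fa0/1", "Fa0/2", "Fa0/3"])
    sw.forward(Frame(5, B, R, "Fa0/2"))            # B learned on Fa0/2
    before = sw.forward(Frame(5, R, B, "Fa0/1"))   # router -> B reaches Fa0/2
    sw.forward(Frame(5, B, R, "Fa0/3"))            # C sources a frame as B
    during = sw.forward(Frame(5, R, B, "Fa0/1"))   # now delivered to Fa0/3 only
    sw.forward(Frame(5, B, R, "Fa0/2"))            # genuine B sources a frame
    after = sw.forward(Frame(5, R, B, "Fa0/1"))    # table corrected again
    return before, during, after, sw.moves

def full_table_scenario():
    """Example 2-6: a full table cannot learn the router, so traffic to it floods."""
    sw = LearningSwitch(["Fa0/1", "Fa0/2", "Fa0/3"], capacity=3)
    for i in range(3):                             # flooding tool fills the table
        sw.forward(Frame(20, f"0000.0000.{i:04x}", "ffff.ffff.ffff", "Fa0/3"))
    sw.forward(Frame(20, R, B, "Fa0/1"))           # router talks but is not learned
    return sw.forward(Frame(20, B, R, "Fa0/2"))    # host -> router floods to Fa0/1, Fa0/3
```

Two consecutive moves of the same MAC between the same pair of ports within seconds is the pattern to watch for; a single move after a host is re-patched is normal.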