Preventing MAC Flooding and Spoofing Attacks
Fortunately, there are several means to thwart MAC flooding and spoofing attacks. In this
section, you will learn about detecting MAC activity, port security, and unknown unicast
flooding protection.
Detecting MAC Activity
To begin with, many switches can be configured to warn the administrator about frequent
MAC address moves. Example 2-8 shows the Cisco IOS configuration to enable this.
Although it is not going to stop an attack from occurring, MAC notification provides a
pointer to a potentially suspicious activity. For example, in Example 2-9, the activity on a
Linux host triggers this MAC notification alert.
21:17:03.057055 0:0:65:4:0:0 0:0:0:20:0:0 ip 60: 10.20.20.2.48643 >
10.20.20.1.telnet: . [tcp sum ok] ack 321387993 win 4128 [tos 0xc0] (ttl 255, id
1, len 40)
21:17:03.057232 0:0:65:4:0:0 0:0:0:20:0:0 ip 72: 10.20.20.2.48643 >
10.20.20.1.telnet: P [tcp sum ok] 0:18(18) ack 1 win 4128 [telnet DO SUPPRESS GO
AHEAD, WILL TERMINAL TYPE, WILL SEND LOCATION, WILL TSPEED, WILL NAWS, WILL LFLOW]
[tos 0xc0] (ttl 255, id 2, len 58)
[etc.]
Example 2-8 Enabling MAC Address Moves Alarms on Cisco Switches
6K-1-720(config)# mac-address-table notification ?
mac-move Enable Mac Move Notification
6K-1-720(config)#mac-address-table notification mac-move ?
Example 2-9 MAC Spoofing Detected by MAC Notification
[root@client root]# ifdown eth1
[root@client root]# macchanger --mac 00:00:09:03:00:02 eth1
Current MAC: 00:00:00:20:00:00 (Xerox Corporation)
Faked MAC: 00:00:09:03:00:02 (Xerox Corporation)
[root@client root]# ifup eth1
Dec 23 22:08:19.108: %MAC_MOVE-SP-4-NOTIF: Host 0000.0903.0002 in vlan 20 is
flapping between port Fa3/25 and port Gi1/15
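Because the alert only points at suspicious activity, someone still has to decide which of the two ports to investigate. The following added example (not from the original text) parses MAC_MOVE messages in the format of Example 2-9 and compares them with a port inventory; the inventory, the function names, and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Message layout taken from the alert in Example 2-9.
MAC_MOVE = re.compile(
    r"%MAC_MOVE-\S+: Host (?P<mac>[0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<a>\S+) "
    r"and port (?P<b>\S+)")

def norm_mac(mac):
    """Reduce 0000.0903.0002 or 00:00:09:03:00:02 to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def triage(lines, expected_port):
    """Return one finding per (MAC, VLAN) seen flapping, documented hosts first.

    expected_port (assumed inventory) maps a MAC to the port it belongs on.
    """
    known = {norm_mac(m): p for m, p in expected_port.items()}
    seen = defaultdict(lambda: {"events": 0, "ports": set()})
    for line in lines:
        m = MAC_MOVE.search(line)
        if not m:
            continue  # unrelated syslog line
        key = (norm_mac(m["mac"]), int(m["vlan"]))
        seen[key]["events"] += 1
        seen[key]["ports"].update((m["a"], m["b"]))
    findings = []
    for (mac, vlan), info in seen.items():
        home = known.get(mac)
        findings.append({
            "mac": mac, "vlan": vlan, "events": info["events"],
            "ports": sorted(info["ports"]), "documented": home is not None,
            # Ports other than the documented one are where to look first.
            "unexpected_ports": sorted(info["ports"] - {home}) if home else [],
        })
    return sorted(findings, key=lambda f: (not f["documented"], -f["events"]))

# First line is the alert from Example 2-9; the rest are constructed.
SAMPLE_LOG = [
    "Dec 23 22:08:19.108: %MAC_MOVE-SP-4-NOTIF: Host 0000.0903.0002 in vlan 20 is flapping between port Fa3/25 and port Gi1/15",
    "Dec 23 22:08:34.112: %MAC_MOVE-SP-4-NOTIF: Host 0000.0903.0002 in vlan 20 is flapping between port Gi1/15 and port Fa3/25",
    "Dec 23 22:08:40.000: %LINK-3-UPDOWN: Interface FastEthernet3/25, changed state to up",
    "Dec 23 22:09:02.400: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c12.3456 in vlan 30 is flapping between port Fa3/10 and port Fa3/11",
]
INVENTORY = {"00:00:09:03:00:02": "Gi1/15"}  # assumed: documented home port
```

Calling triage(SAMPLE_LOG, INVENTORY) lists the documented host first, with Fa3/25 as its unexpected port. A flapping MAC that is absent from the inventory is still reported, but with no port singled out.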