What is a MAC flooding attack?

A Media Access Control (MAC) address is used to identify connected devices on a network. A network switch maintains an address table that maps the MAC address of each connected device to the port it is reachable on. A MAC flooding attack (also known as a MAC table overflow) involves bombarding a network switch with Ethernet frames carrying random source MAC addresses. Network switches typically have limited memory for this table and can’t store such a large number of MAC addresses. When a switch’s MAC table overflows, it acts like a hub and begins forwarding network traffic to all devices connected to the switch. This is considered one of the most significant steps in executing a man-in-the-middle (MITM) attack.

Performing a MAC flooding attack

[Slides: steps involved in a MAC flooding attack. Slide 1 of 3: The attacker connects to the target network]

The attacker first connects to the local network. They then send Ethernet frames to the switch, each with a different source MAC address. Since the switch’s MAC address table has limited capacity to store the MAC-address-to-port mappings, the large number of frames with random MAC addresses overflows the table memory. As a result, the switch starts forwarding traffic to all connected ports (similar to a network hub).

Protecting against MAC flooding attacks

The following are common techniques to protect against MAC flooding attacks:

  • MAC filtering: Use allowlists and denylists to filter what devices are and aren’t allowed on the local network.

  • Port security: Configure the switch to limit the number of MAC addresses per port.

  • Enforcing IEEE 802.1X: Require devices to authenticate against AAA servers before they are allowed to connect to the network.

  • Network monitoring: Implement real-time monitoring to analyze network traffic and identify anomalies, such as high volumes of MAC address traffic directed to a specific port or set of ports.
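
The network monitoring idea above can be sketched as a per-port counter of distinct source MAC addresses in a sliding time window. This is an added example, not code from the original page; the function names, the record format (timestamp in milliseconds, switch port, source MAC), the sample data, and the threshold values are all assumptions made for illustration.

```python
from collections import defaultdict, deque

def build_sample():
    """Constructed (timestamp_ms, switch_port, source_mac) records; all values invented."""
    # Gi0/1: a single workstation.
    events = [(t, "Gi0/1", "00:11:22:33:44:55") for t in range(0, 4000, 500)]
    # Gi0/2: a downstream access point with three stable clients.
    events += [(t, "Gi0/2", "00:aa:bb:cc:dd:%02x" % (t // 100 % 3))
               for t in range(0, 4000, 100)]
    # Gi0/3: 40 previously unseen source MACs within two seconds.
    events += [(1000 + i * 50, "Gi0/3", "02:00:00:00:00:%02x" % i) for i in range(40)]
    return sorted(events)

def detect_mac_flood(events, window_ms=5000, max_macs=8):
    """Return {port: timestamp_ms of first alert} for every port that shows more
    than max_macs distinct source MACs inside a sliding window. Events must be
    sorted by timestamp. Both thresholds are assumptions to tune per network."""
    recent = defaultdict(deque)                    # port -> (ts, mac) still in window
    seen = defaultdict(lambda: defaultdict(int))   # port -> mac -> frames in window
    alerts = {}
    for ts, port, mac in events:
        mac = mac.lower()
        recent[port].append((ts, mac))
        seen[port][mac] += 1
        # Expire observations that have fallen out of the window.
        while ts - recent[port][0][0] > window_ms:
            _, old = recent[port].popleft()
            seen[port][old] -= 1
            if seen[port][old] == 0:
                del seen[port][old]
        if len(seen[port]) > max_macs and port not in alerts:
            alerts[port] = ts
    return alerts

if __name__ == "__main__":
    for port, ts in detect_mac_flood(build_sample()).items():
        print(f"ALERT port={port} first_exceeded_at_ms={ts}")
```

The per-port limit here mirrors what port security enforces on the switch itself; the monitor only reports the condition, so it is most useful on ports where a hard limit cannot be configured.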

Quiz

Q: (True or False) An attacker must be on the same network to perform a MAC flooding attack.

A) True

B) False


Copyright ©2025 Educative, Inc. All rights reserved