Mitigating CAM Table Overflow Attacks

A Cisco Catalyst switch uses a Content Addressable Memory (CAM) table to store the information the switch needs to make forwarding decisions. Specifically, the CAM table lists the MAC addresses that have been learned on each switch port. When a frame enters the switch, the switch examines the frame's destination MAC address. If that destination MAC address is known to exist off one of the switch ports, the frame is forwarded out only that port.

For example, consider Figure 6-7. PC1 sends packets to PC2 via switch SW1. Because the switch knows the MAC addresses of PC1 and PC2 in its CAM table, the traffic flows only between interface Gig 0/1 and Gig 0/2.

Figure 6-7 Normal Switch Operation

CAM Table for SW1:

  Port     MAC Addresses
  Gig0/1   AAAA.AAAA.AAAA
  Gig0/2   DDDD.DDDD.DDDD
  Gig0/3   BBBB.BBBB.BBBB

Data flows only between Gig0/1 (PC1, MAC AAAA.AAAA.AAAA) and Gig0/2 (PC2, MAC DDDD.DDDD.DDDD); the host with MAC BBBB.BBBB.BBBB on Gig0/3 receives none of it.

The switch's CAM table, however, has a finite size. If the CAM table ever fills to capacity, the switch can no longer learn new MAC addresses. As a result, when frames arrive destined for these unlearned MAC addresses, the switch floods a copy of each frame out all switch interfaces other than the one on which the frame was received.

The attacker's PC is connected to interface Gig 0/3, and the attacker wants to receive a copy of the traffic flowing between PC1 and PC2. If the attacker caused the switch's CAM table to overflow before the switch learned the MAC addresses of PC1 and PC2, traffic between these two PCs would be flooded out all switch ports other than the ones on which it was received. The attacker's PC would therefore see and capture that traffic, as shown in Figure 6-8. This behavior of flooding frames with an unlearned destination MAC address is called fail-open mode.

Figure 6-8 Flooding Behavior After a CAM Table Overflow Attack

Key Topic

CAM Table for SW1:

  Port     MAC Addresses
  Gig0/1
  Gig0/2
  Gig0/3   Thousands of MAC addresses

Because PC1 (MAC AAAA.AAAA.AAAA, Gig0/1) and PC2 (MAC DDDD.DDDD.DDDD, Gig0/2) were never learned, the data flow between them is flooded out every other port, including Gig0/3, where the attacker's PC (MAC BBBB.BBBB.BBBB) captures it.

An attacker could launch a CAM table overflow attack using a utility such as macof, which is a component of a suite of utilities called dsniff. The macof utility can generate as many as 155,000 MAC addresses in a minute. After a short time, the switch has learned so many MAC addresses from the attacker's PC that its CAM table overflows, forcing the flooding of frames with unlearned destination MAC addresses. This type of attack noticeably degrades network performance, potentially causing applications to drop packets or even crash. A CAM table overflow attack is therefore by no means a stealthy attack that an attacker could expect to launch without detection.

Keep in mind that the CAM table size varies by switch model. Fortunately, Cisco Catalyst switches support the port security feature, discussed later in this chapter. It allows the switch administrator to specify the maximum number of MAC addresses that can be learned on a port, which prevents a single port from filling the CAM table and thus prevents a CAM table overflow attack.
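To make the fail-open behavior and the port security mitigation concrete, the following added example (not from the book, and not a model of any real Cisco implementation) is a small in-memory model of a switch with a finite CAM table. The port names, MAC addresses and the CAM capacity of 16 entries are constructed for the example; a real switch's CAM table is far larger and lives in hardware. The per-port limit models the effect of a port security maximum of one address with the violating port being shut down, which is an assumption about how the feature behaves, not a description of the exact IOS commands covered later in the chapter.

```python
# Added example: toy model of a switch CAM table showing (1) flooding once the
# table is full (fail-open) and (2) how a per-port MAC limit stops the overflow.
# All ports, MAC addresses and the table size below are constructed values.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Switch:
    ports: List[str]
    cam_capacity: int                        # finite CAM table size (constructed)
    max_macs_per_port: Optional[int] = None  # port-security limit; None = disabled
    cam: Dict[str, str] = field(default_factory=dict)  # MAC -> port it was learned on
    err_disabled: Set[str] = field(default_factory=set)
    flooded: int = 0                         # count of frames flooded out all other ports

    def learn(self, port: str, src_mac: str) -> bool:
        """Learn src_mac on port. Returns True if the port is (now) err-disabled."""
        if port in self.err_disabled:
            return True
        if src_mac in self.cam:
            return False
        if self.max_macs_per_port is not None:
            learned_here = sum(1 for p in self.cam.values() if p == port)
            if learned_here >= self.max_macs_per_port:
                # Violation (modelled as shutdown mode): err-disable the port
                # and drop the addresses that were learned on it.
                self.err_disabled.add(port)
                self.cam = {m: p for m, p in self.cam.items() if p != port}
                return True
        if len(self.cam) < self.cam_capacity:
            self.cam[src_mac] = port
        # When the table is full the new address is simply not learned.
        return False

    def forward(self, in_port: str, src_mac: str, dst_mac: str) -> List[str]:
        """Process one frame and return the list of egress ports."""
        if self.learn(in_port, src_mac):
            return []  # frame dropped: ingress port is err-disabled
        out = self.cam.get(dst_mac)
        if out is not None:
            # Known unicast: forward out the learned port only (or filter if
            # the destination is on the ingress port itself).
            return [out] if out != in_port else []
        # Unknown destination: fail-open, flood out every other active port.
        self.flooded += 1
        return [p for p in self.ports
                if p != in_port and p not in self.err_disabled]


def scenario(port_security: bool) -> dict:
    """Replay the Figure 6-8 situation with and without a per-port MAC limit."""
    sw = Switch(ports=["Gig0/1", "Gig0/2", "Gig0/3"], cam_capacity=16,
                max_macs_per_port=1 if port_security else None)
    pc1, pc2 = "AAAA.AAAA.AAAA", "DDDD.DDDD.DDDD"
    # Constructed condition from the text: frames with many distinct source
    # MAC addresses arrive on Gig0/3 before PC1 and PC2 have been learned.
    for i in range(16):
        sw.forward("Gig0/3", f"0000.0000.{i:04x}", "FFFF.FFFF.FFFF")
    # Now PC1 sends to PC2 and PC2 replies.
    pc1_to_pc2 = sw.forward("Gig0/1", pc1, pc2)
    pc2_to_pc1 = sw.forward("Gig0/2", pc2, pc1)
    return {
        "gig0/3_err_disabled": "Gig0/3" in sw.err_disabled,
        "pc1_to_pc2": pc1_to_pc2,   # without port security this includes Gig0/3
        "pc2_to_pc1": pc2_to_pc1,
        "cam_entries": len(sw.cam),
    }


if __name__ == "__main__":
    print("no port security:", scenario(port_security=False))
    print("port security:   ", scenario(port_security=True))
```

Without the limit, the 16 bogus addresses fill the table, PC1 and PC2 are never learned, and both directions of their conversation are flooded out Gig0/3 as well. With a limit of one address per port, the second unknown source address on Gig0/3 err-disables that port, the table stays almost empty, and the PC1/PC2 frames are delivered only to their learned ports.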
