Spoofing MAC Addresses

Another type of attack targeted at the switch's CAM table is a MAC address spoofing attack. An attacker sends a frame with a false source MAC address—specifically, the MAC address of another device on the network. Under normal conditions, as shown in Figure 6-9, the switch's CAM table contains the correct MAC address of the stations attached to the switch's ports.

Figure 6-9 CAM Table Under Normal Operation

[Figure: SW1 with a station (MAC AAAA.AAAA.AAAA) on Gig0/1, PC2 (MAC DDDD.DDDD.DDDD) on Gig0/2, and the attacker's PC (MAC BBBB.BBBB.BBBB) on Gig0/3. Data flows between the station on Gig0/1 and PC2 on Gig0/2.]

CAM Table for SW1

Port     MAC Addresses
Gig0/1   AAAA.AAAA.AAAA
Gig0/2   DDDD.DDDD.DDDD
Gig0/3   BBBB.BBBB.BBBB

However, Figure 6-10 shows the attacker's PC sending a frame to the switch. It incorrectly shows a source MAC address of DDDD.DDDD.DDDD, which is actually the MAC address of PC2. This frame causes the switch to update its CAM table to show that DDDD.DDDD.DDDD is available off port Gig 0/3, which allows the attacker's PC to start capturing traffic destined for PC2.

Key Topic

Figure 6-10 MAC Address Spoofing Attack

[Figure: the attacker's PC (MAC BBBB.BBBB.BBBB) on Gig0/3 sends a frame with source address DDDD.DDDD.DDDD into SW1. The station with MAC AAAA.AAAA.AAAA remains on Gig0/1 and PC2 (MAC DDDD.DDDD.DDDD) on Gig0/2.]

CAM Table for SW1

Port     MAC Addresses
Gig0/1   AAAA.AAAA.AAAA
Gig0/2   DDDD.DDDD.DDDD
Gig0/3

This condition of the attacker's PC receiving traffic for PC2, as shown in Figure 6-11, is temporary. When PC2 next sends a frame into the switch, the switch relearns PC2's MAC address of DDDD.DDDD.DDDD on port Gig 0/2. However, even though the problem corrects itself, in the interim the attack disrupts the normal traffic flow and allows the attacker to receive traffic intended for another device (that is, PC2 in this example).

Figure 6-11 Diverted Traffic Flow

[Figure: after the spoofed frame, data from the station with MAC AAAA.AAAA.AAAA on Gig0/1 destined for DDDD.DDDD.DDDD is forwarded out Gig0/3 to the attacker's PC (MAC BBBB.BBBB.BBBB) instead of to PC2 (MAC DDDD.DDDD.DDDD) on Gig0/2.]

CAM Table for SW1

Port     MAC Addresses
Gig0/1   AAAA.AAAA.AAAA
Gig0/2
Gig0/3   BBBB.BBBB.BBBB  DDDD.DDDD.DDDD

To mitigate MAC address spoofing attacks, a switch administrator can configure the Cisco Catalyst switch to use sticky secure MAC addresses. When configured for sticky secure MAC addresses, a Catalyst switch dynamically learns MAC addresses connected to various ports. These dynamically learned MAC addresses are added to the switch's running configuration, thus preventing an attacker from spoofing a previously learned address. Port security configuration is covered in great detail later in this chapter.
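The following Python model is an added example, not part of the chapter and not Cisco IOS code. It walks through the CAM-table states of Figures 6-9 through 6-11 on an unprotected switch (learn, divert, self-correct) and then replays the same frames through a port that binds its first learned address as a sticky secure MAC, so the spoofed frame is flagged as a violation instead of moving the entry. Port and MAC names are taken from the figures; the frame representation, the one-secure-address-per-port limit, and the violation record format are simplifying assumptions of the model.

```python
"""CAM-table model for the MAC spoofing scenario (Figures 6-9 to 6-11).

Added example, not the book's or Cisco's code. Frames are reduced to a
(port, source MAC) pair because source-MAC learning is all that matters here.
"""
from dataclasses import dataclass, field


@dataclass
class CamTable:
    """Plain Layer-2 learning: a MAC lives on exactly one port, and a frame
    seen with that source MAC on a different port silently moves the entry.
    That behaviour is what the spoofed frame in Figure 6-10 exploits."""
    mac_to_port: dict = field(default_factory=dict)

    def learn(self, port, src_mac):
        self.mac_to_port[src_mac] = port

    def lookup(self, dst_mac):
        """Port a frame for dst_mac is forwarded out of (None = flood)."""
        return self.mac_to_port.get(dst_mac)

    def by_port(self):
        """Render the table the way the figures do: port -> sorted MAC list."""
        table = {}
        for mac, port in self.mac_to_port.items():
            table.setdefault(port, []).append(mac)
        return {port: sorted(macs) for port, macs in table.items()}


@dataclass
class StickySecureSwitch:
    """Sticky secure MAC addresses: the first MAC dynamically learned on a
    port is bound to that port. A frame whose source MAC is already bound to
    another port, or a second MAC on a port (assumption: maximum of one
    secure address per port), is recorded as a violation and not learned."""
    cam: CamTable = field(default_factory=CamTable)
    sticky: dict = field(default_factory=dict)      # port -> bound MAC
    violations: list = field(default_factory=list)  # (port, src_mac, bound_port)

    def receive(self, port, src_mac):
        owner = next((p for p, mac in self.sticky.items() if mac == src_mac), None)
        if owner is not None and owner != port:
            # Source MAC is secured on another port: the spoofing case.
            self.violations.append((port, src_mac, owner))
            return False
        if port not in self.sticky:
            self.sticky[port] = src_mac          # becomes the sticky secure MAC
        elif self.sticky[port] != src_mac:
            self.violations.append((port, src_mac, None))
            return False
        self.cam.learn(port, src_mac)
        return True


PC1, PC2, ATTACKER = "AAAA.AAAA.AAAA", "DDDD.DDDD.DDDD", "BBBB.BBBB.BBBB"


def spoof_scenario_plain():
    """Unprotected switch. Returns where traffic for PC2 goes at each stage
    plus the CAM table as it appears in Figure 6-11."""
    cam = CamTable()
    for port, mac in (("Gig0/1", PC1), ("Gig0/2", PC2), ("Gig0/3", ATTACKER)):
        cam.learn(port, mac)                      # Figure 6-9
    normal = cam.lookup(PC2)
    cam.learn("Gig0/3", PC2)                      # Figure 6-10: spoofed source
    diverted = cam.lookup(PC2)
    diverted_table = cam.by_port()                # Figure 6-11
    cam.learn("Gig0/2", PC2)                      # PC2 transmits again
    recovered = cam.lookup(PC2)
    return {"normal": normal, "diverted": diverted,
            "diverted_table": diverted_table, "recovered": recovered}


def spoof_scenario_sticky():
    """Same frames through sticky secure ports: the spoof is a violation."""
    sw = StickySecureSwitch()
    for port, mac in (("Gig0/1", PC1), ("Gig0/2", PC2), ("Gig0/3", ATTACKER)):
        sw.receive(port, mac)
    accepted = sw.receive("Gig0/3", PC2)          # spoofed frame
    return {"accepted": accepted, "pc2_port": sw.cam.lookup(PC2),
            "violations": sw.violations}


if __name__ == "__main__":
    print("plain  :", spoof_scenario_plain())
    print("sticky :", spoof_scenario_sticky())
```

The plain run shows the entry for DDDD.DDDD.DDDD moving from Gig0/2 to Gig0/3 and back, exactly the temporary window the text describes; the sticky run keeps the entry on Gig0/2 and leaves a violation record naming the offending port, which is the event a defender would alert on.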
