MAC Spoofing Attack

A MAC spoofing attack is where the intruder sniffs the network for valid MAC addresses and attempts to act as one of the valid MAC addresses. The intruder then presents itself as the default gateway and copies all of the data forwarded to the default gateway without being detected. This provides the intruder valuable details about applications in use and destination host IP addresses. This enables the spoofed CAM entry on the switch to be overwritten as well. This is best illustrated in Figure 3-9.

Figure 3-9 MAC Spoof Attack

Figure 3-9 MAC Spoof Attack


CAM Table Port 1 Empty Port 2 B Port 3 AC

Step 1 in Figure 3-9 demonstrates the three discovered devices (Devices A, B, and C) in the CAM table. Device C is an intruder. After spoofing the MAC address of Device A (remember, the initial frame when a CAM table is empty is sent to all ports except the source port), Device C sends out a frame with the source address of MAC A, with a new spoofed IP address. The switch relearns the MAC address and changes the CAM table entries in Step 2 of the attack. Now when Device B wishes to communicate to the legitimate Device A, the switch sends the packet according to the CAM table, which is now Port 3 or the attacking PC. Until Device A resends packets, the data flow will remain and the attacker will receive and view active data. By ensuring that any ARP requests are replied to, the intruder can maintain the connection until manual intervention occurs from the network administrator.

Mitigating this form of attack takes a little more design because the attacker is far more intelligent. To start with, you must enable port security. Example 3-41, earlier in the chapter, displays how this can be achieved.

However, as with the CAM table overflow attack mitigation, specifying a MAC address on every port is an unmanageable solution. Another solution would be to use private VLANs to help mitigate these network attacks.

Using private VLANs is a common mechanism to restrict communications between systems on the same logical IP subnet. This is not a fool-proof mechanism. Private VLANs work by limiting the ports within a VLAN that can communicate with other ports in the same VLAN. To configure a private VLAN on switch-based Cisco IOS or Catalyst OS, follow these steps:

Step 1 Create the primary private VLAN.

Switch_CatOS> (enable) set vlan primary_vlan_id pvlan-type primary name primary_vlan

Switch_IOS(config)#vlan primary_vlan_id

Step 2 Create the isolated VLAN(s).

Switch_CatOS> (enable) set vlan secondary_vlan_id pvlan-type isolated name isolated_pvlan Switch_CatOS> (enable) set pvlan primary_vlan_id secondary_vlan_id

Step 3 Bind the isolated VLAN(s) to the primary VLAN.

Switch_CatOS> (enable) set pvlan primary_vlan_id secondary_vlan_id Switch_IOS(config)#vlan primary_vlan_id

Switch_IOS(config-vlan)#private-vlan association secondary_vlan_id


The best method, in conjunction with port security, is to use DHCP snooping mechanisms to ensure that only valid DHCP servers are enabled across your network. One DHCP snooping mechanism is to permit only trusted DHCP messages to flow between client PC and authorized DHCP servers. The ideal solution to mitigate various ARP-based network exploits is the use of DHCP snooping along with Dynamic ARP Inspection (DAI).

When a client sends out a broadcast message for an IP address, the intruder's PC also sees the request, of course, because broadcasts are sent out to all interfaces or ports except the source port. So, in effect, the network must not allow DHCP offers, acknowledgements, or negative acknowledgements (DHCPOffer, DHCPAck, or DHCPNak) to be sent from untrusted sources.

Illegal DHCP messages are messages received from outside the network or firewall. The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information corresponding to the local untrusted interfaces of a switch; it does not, however, contain information regarding hosts interconnected with a trusted interface. By configuring trusted and untrusted DHCP sources, the switch can be configured to drop illegal frames immediately. DHCP snooping will still not stop an intruder sniffing for MAC addresses.

DAI determines the validity of an ARP packet based on the valid MAC address—to—IP address bindings stored in a DHCP snooping database. This means that only valid MAC addresses are permitted to reply to authorized devices on the network. Some really crafty attackers are out there waiting to pounce on networks, and for a majority of them these features are not enabled, so it is a gold mine in many parts of the world even in today's climate.

To enable DHCP snooping, the following commands are required. Example 3-44 enables DHCP snooping. Notice that the only supported platforms are switches with Cisco IOS-based software.

Example 3-44 Enabling MAC Spoofing on Cisco IOS Switches

!Catalyst IOS switches CatIOS(config)# ip dhcp snooping

CatIOS (config)# ip dhcp snooping vlan number [number] CatIOS (config)# ip dhcp snooping information option ! Enable trusted ports on the DHCP server interface CatIOS (config-if)# ip dhcp snooping trust

Was this article helpful?

+8 0


  • callum
    What is MAC spoofing attack?
    8 months ago
  • merigo
    How to prevent mac address spoofing attack?
    3 months ago
  • tony
    Is mac spoof arp spoofing?
    2 months ago
  • umberto
    How to protect default gateway mac address spoofing?
    2 months ago

Post a comment