Attacks on switch devices

Significant attacks in these categories, known as of this writing, are discussed in more detail in subsequent sections of the course. Each attack method is accompanied by a standard measure for mitigating the security compromise.

Building Cisco Multilayer Switched Networks (BCMSN) v3.0

© 2006 Cisco Systems, Inc.

Switch Security Concerns and Mitigation Steps

The table describes attack methods and the steps to mitigation. For each attack method, the first paragraph describes how the attack works and the line marked "Mitigation" lists the standard countermeasures.

MAC Layer Attacks

MAC address flooding
  Frames with unique, bogus source MAC addresses flood the switch, exhausting content addressable memory (CAM) table space so that new entries from valid hosts cannot be learned. Traffic to those valid hosts is subsequently flooded out all ports in the VLAN, where any attached device can capture it.
  Mitigation: Port security. MAC address VLAN access maps.

VLAN Attacks

VLAN hopping
  By altering the VLAN ID on frames encapsulated for trunking, or by negotiating a trunk with the switch, an attacking device can send or receive frames on VLANs other than its own, bypassing Layer 3 security measures such as router or firewall ACLs.
  Mitigation: Tighten up trunk configurations and the negotiation state of unused ports (ports that should never trunk must not be allowed to negotiate one). Place unused ports in a dedicated, otherwise unused VLAN.

Attacks between devices on a common VLAN
  Devices may need protection from one another, even though they are on a common VLAN. This is especially true on service provider segments that support devices from multiple customers.
  Mitigation: Implement private VLANs (PVLANs).

Spoofing Attacks

DHCP starvation and DHCP spoofing
  An attacking device can exhaust the address space available to the DHCP servers for the duration of the leases it obtains (starvation), or establish itself as a rogue DHCP server and hand out a gateway or DNS server of its choosing, enabling man-in-the-middle attacks (spoofing).
  Mitigation: Use DHCP snooping.

Spanning tree compromises
  The attacking device spoofs the root bridge in the STP topology. If successful, traffic between other segments transits the attacker's bridge, and the network attacker can see frames that would otherwise never reach it.
  Mitigation: Proactively configure the primary and backup root devices. Enable root guard.

MAC spoofing
  The attacking device spoofs the MAC address of a valid host currently in the CAM table. The switch then forwards frames destined for the valid host to the attacking device.
  Mitigation: Use DHCP snooping, port security.

Address Resolution Protocol (ARP) spoofing
  The attacking device crafts ARP replies intended for valid hosts. The attacking device's MAC address then becomes the destination address in the Layer 2 frames sent by the valid network device.
  Mitigation: Use Dynamic ARP Inspection (which relies on the DHCP snooping binding table), DHCP snooping, port security.

Switch Device Attacks

Cisco Discovery Protocol (CDP) manipulation
  Information sent through CDP is transmitted in clear text and is unauthenticated, allowing it to be captured and to divulge network topology information (device names, platforms, IOS versions, management addresses).
  Mitigation: Disable CDP on all ports where it is not intentionally used.

Secure Shell Protocol (SSH) and Telnet attacks
  Telnet packets can be read in clear text. SSH is an option, but version 1 has known security issues.
  Mitigation: Use SSH version 2. If Telnet cannot be avoided, restrict it with vty ACLs.

© 2006 Cisco Systems, Inc. Minimizing Service Loss and Data Theft in a Campus Network 8-7

Describing a MAC Flooding Attack

This topic describes how a MAC flooding attack works to overflow a switch's CAM table.

MAC Flooding Attack

A common Layer 2 (switch) attack as of this writing is MAC flooding, which overflows a switch's CAM table and causes regular data frames to be flooded out all switch ports in the VLAN. This attack can be launched for the malicious purpose of collecting a broad sample of traffic or as a denial of service (DoS) attack.

A switch's CAM tables are limited in size and therefore can contain only a limited number of entries at any one time. A network intruder can maliciously flood a switch with a large number of frames from a range of bogus source MAC addresses. If enough new entries are made before old ones expire, new valid entries will not be accepted. Then, when traffic arrives at the switch for a legitimate device that is located on one of the switch ports that was not able to create a CAM table entry, the switch must flood frames to that address out all ports in the VLAN (except the port it arrived on). This has two adverse effects:

■ The switch traffic forwarding is inefficient and voluminous.

■ An intruding device can be connected to any switch port and capture traffic that is not normally seen on that port.

If the attack is launched before the beginning of the day, the CAM table would be full when the majority of devices are powered on. Then frames from those legitimate devices are unable to create CAM table entries as they power on. If this represents a large number of network devices, the number of MAC addresses for which traffic will be flooded will be high, and any switch port will carry flooded frames from a large number of devices.

If the initial flood of bogus CAM table entries is a one-time event, the switch will eventually age out the older, bogus entries, allowing new, legitimate devices to create entries. Traffic flooding will then cease and may never be detected, even though the intruder may have captured a significant amount of data from the network in the meantime.

As the figure shows, MAC flooding occurs in this progression.

MAC Flooding Attack Progression

The table describes the MAC flooding attack progression (in the figure, hosts A and B are on ports 1 and 2, and the attacker is on port 3).

1. The switch forwards traffic based on valid CAM table entries.

2. The attacker (MAC address C) sends out a stream of frames with various bogus source MAC addresses.

3. Over a short period of time, the CAM table in the switch fills up until it cannot accept new entries. As long as the attack is running, the CAM table on the switch remains full.

4. The switch begins to flood frames to any destination it cannot find in the CAM table out of every port, so that frames sent from host A to host B are also flooded out of port 3 to the attacker.
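The following Python model replays this four-step progression, and the aging behaviour described earlier, once without mitigation and once with port security limiting port 3 to a single MAC address. It is an added example, not code from the BCMSN course: the three-port switch, the CAM size of 8, hosts A and B, the attacker C and the random source addresses are all constructed to mirror the figure (real CAM tables hold thousands of entries, but the mechanics are the same). The 300-second aging time and the shutdown violation mode are the IOS defaults.

```python
"""Toy model of a switch CAM table under a MAC flooding attack.

Added example, not code from the BCMSN course. The switch, hosts A and B,
attacker C, the 3 ports and the CAM size of 8 are constructed to mirror the
attack progression described above.
"""
import random
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
HOST_A = "00:00:00:aa:aa:aa"   # on port 1 (constructed)
HOST_B = "00:00:00:bb:bb:bb"   # on port 2 (constructed)


def random_mac(rng):
    """Locally administered unicast MAC, as a flooding tool would generate."""
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))


@dataclass
class Switch:
    ports: tuple
    cam_size: int                 # maximum number of CAM entries
    aging_time: int = 300         # seconds before an idle entry is removed (IOS default)
    port_security: dict = field(default_factory=dict)  # port -> max MACs allowed
    cam: dict = field(default_factory=dict)            # mac -> (port, last_seen)
    shut_ports: set = field(default_factory=set)
    clock: int = 0

    def receive(self, in_port, src, dst):
        """Process one frame. Returns the set of ports it is forwarded out of."""
        if in_port in self.shut_ports:
            return set()                  # err-disabled: everything is dropped
        # Port security: a new source MAC beyond the per-port maximum is a
        # violation; the default IOS violation mode shuts the port down.
        limit = self.port_security.get(in_port)
        if limit is not None:
            learned_here = {m for m, (p, _) in self.cam.items() if p == in_port}
            if src not in learned_here and len(learned_here) >= limit:
                self.shut_ports.add(in_port)
                return set()
        # Source learning: refresh an existing entry, or add one if there is room.
        if src in self.cam or len(self.cam) < self.cam_size:
            self.cam[src] = (in_port, self.clock)
        # Forwarding: known unicast goes to one port; an unknown destination is
        # flooded out of every other (non-shut) port in the VLAN.
        entry = self.cam.get(dst)
        if entry is not None:
            return {entry[0]} - {in_port}
        return {p for p in self.ports if p != in_port and p not in self.shut_ports}

    def tick(self, seconds):
        """Advance the clock and age out entries idle longer than aging_time."""
        self.clock += seconds
        for mac in [m for m, (_, t) in self.cam.items() if self.clock - t > self.aging_time]:
            del self.cam[mac]


def run_scenario(cam_size=8, attacker_frames=50, secure_max=None):
    """Replay the four-step progression; secure_max enables port security on port 3."""
    sw = Switch(ports=(1, 2, 3), cam_size=cam_size,
                port_security={3: secure_max} if secure_max else {})
    # Step 1: A and B talk, the switch learns both, and A -> B is unicast to port 2.
    sw.receive(2, HOST_B, HOST_A)
    before = sw.receive(1, HOST_A, HOST_B)
    sw.tick(sw.aging_time + 1)            # hosts go idle; their entries age out
    # Step 2: attacker C on port 3 sprays frames with random source MACs.
    rng = random.Random(7)
    for _ in range(attacker_frames):
        sw.receive(3, random_mac(rng), BROADCAST)
    # Step 3: the table is full (unless port security has already shut port 3).
    cam_full = len(sw.cam) >= cam_size
    # Step 4: A and B come back; with the table full neither can be learned,
    # so A -> B is flooded to every port, including the attacker's port 3.
    sw.receive(2, HOST_B, HOST_A)
    during = sw.receive(1, HOST_A, HOST_B)
    # The attack stops; bogus entries age out and the hosts are learned again.
    sw.tick(sw.aging_time + 1)
    sw.receive(2, HOST_B, HOST_A)
    after = sw.receive(1, HOST_A, HOST_B)
    return {"before": before, "cam_full": cam_full, "during": during,
            "after": after, "port3_shut": 3 in sw.shut_ports}


if __name__ == "__main__":
    print("no mitigation:  ", run_scenario())
    print("port security 1:", run_scenario(secure_max=1))
```

Without mitigation the A to B frame goes only to port 2 before the attack, to ports 2 and 3 while the table is full, and back to port 2 once the bogus entries have aged out. With port security set to one address, the attacker's second frame err-disables port 3, the table never fills, and the A to B frame is never seen on the attacker's port. Note that the model also shows why a one-time flood leaves no trace: after the aging timer expires the forwarding behaviour is identical to the pre-attack state.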
