MAC Flooding Alternative: MAC Spoofing Attacks

All MAC flooding tools force a switch to "fail open" to later perform selective MAC spoofing attacks. A MAC spoofing attack consists of generating a frame from a malicious host borrowing a legitimate source MAC address already in use on the VLAN. This causes the switch to forward frames out the incorrect port, as Figure 2-6 shows.

Figure 2-6 Spoofing a MAC Address

[Figure: host C, running macof, sources a frame carrying host B's MAC address 0000.CAFE.0000. The switch's bridging table entry for that address in VLAN 5 changes from interface Fa0/2 (host B) to interface Fa0/3 (host C).]

Although they're extremely easy to carry out (most Ethernet adapters permit their MAC address to be modified), MAC spoofing attacks come with a significant drawback: Unlike MAC flooding attacks, they have the potential to cause an immediate denial of service (DoS) to the spoofed host. In Figure 2-6, as soon as the impostor on host C masquerades as host B, host B completely stops receiving traffic. That is because a given source MAC address cannot appear simultaneously on different ports inside a common VLAN. The switch updates its table based on the most recently seen frame. Traffic to host B can resume if—and only if—the genuine host B sources a frame, thereby again updating the switch's bridging table.
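The scenario in Figure 2-6, replayed as an added Python model of a learning switch (example code, not from the book). It assumes a per-VLAN table where the most recently seen frame wins, and it records every port change for an already-known MAC as the MAC-move event a defender would alarm on.

```python
from collections import namedtuple

# One event per "known MAC seen on a different port in the same VLAN"
MacMove = namedtuple("MacMove", "mac vlan old_port new_port")


class LearningSwitch:
    """Minimal transparent bridge: table keyed by (vlan, mac), last frame wins."""

    def __init__(self):
        self.table = {}   # (vlan, mac) -> ingress port
        self.moves = []   # history of MacMove events (detection signal)

    def receive(self, src_mac, vlan, in_port, dst_mac=None):
        """Learn src_mac on in_port; optionally return the egress port for dst_mac."""
        key = (vlan, src_mac)
        old_port = self.table.get(key)
        if old_port is not None and old_port != in_port:
            # Same MAC cannot sit on two ports of one VLAN: the entry flips,
            # and that flip is exactly what a MAC-move notification reports.
            self.moves.append(MacMove(src_mac, vlan, old_port, in_port))
        self.table[key] = in_port            # most recently seen frame wins
        if dst_mac is None:
            return None
        return self.forward(dst_mac, vlan)

    def forward(self, dst_mac, vlan):
        """Unicast out the learned port, or flood if the MAC is unknown."""
        return self.table.get((vlan, dst_mac), "FLOOD")


def figure_2_6_scenario():
    """Host C borrows host B's MAC (0000.CAFE.0000, from the figure) on VLAN 5."""
    sw = LearningSwitch()
    host_b = "0000.CAFE.0000"
    sw.receive(host_b, 5, "Fa0/2")       # genuine host B learned on Fa0/2
    before = sw.forward(host_b, 5)
    sw.receive(host_b, 5, "Fa0/3")       # impostor on Fa0/3 sources B's MAC
    during = sw.forward(host_b, 5)       # frames for B now exit Fa0/3: B is DoS'd
    sw.receive(host_b, 5, "Fa0/2")       # genuine B sends again, entry flips back
    after = sw.forward(host_b, 5)
    return before, during, after, sw.moves


if __name__ == "__main__":
    print(figure_2_6_scenario())
```

Two moves are recorded for one spoofing episode (the impostor taking over and the victim recovering), so a flapping count per MAC is a cheap indicator that the table is being fought over.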
