Network attacks take many forms, and it's important to know how the potential security issues with ARP, DHCP, and MAC addresses. They're innocent looking enough, but each of these common network protocols and addresses can be turned against us. Today, we'll talk about what MAC Address Flooding is, how it can be used against our network, and the best defense against this attack.
A MAC Address Flooding attack is an attempt by a network intruder to overwhelm the switch memory reserved for maintenance of the MAC address table. The intruder generates a large number of frames with different source MAC addresses - all of them invalid. As the switch's MAC address table capabilities are exhausted, valid entries cannot be made - and this results in those valid frames being broadcast instead of unicast.
This has two side effects, both unpleasant:
As mentioned, the MAC address table fills to capacity, preventing legitimate entries from being made.
The large number of unnecessary frame flooding quickly consumes bandwidth as well as overall switch resources.
The best defense against MAC Address Flooding is a good offense, and in this case, that offense consists of port-based authentication and port security. By making sure our host devices are indeed who we think they are and authenticating them before they join our network, we reduce the potential for an intruder to unleash a MAC Address Flooding attack on our network. The key isn't to fight the intruder once they're in our network - the key is to keep them out in the first place!
