CAM Table Overflow

From Hakipedia
Jump to: navigation, search
An intruder is attacking the switch port #3 with a flood of invalid MAC addresses.

Content Addressable Memory (CAM) Table Overflow is a Layer 2 attack on a switch.



Exploit Likeliness



A switch's CAM table contains network information such as MAC addresses available on physical switch ports and associated VLAN parameters. CAM Table Overflows occur when an influx of MAC addresses are flooded into the table and the CAM table threshold is reached. This causes the switch to act like a hub, flooding the network with traffic out all ports. The flooding caused by a CAM Table Overflow is limited to the source VLAN, thus does not affect other VLANs on the network.

MAC Flooding

MAC address flooding is an attack technique used to exploit the memory and hardware limitations in a switch's CAM table. Different switch's are able to store numerous amounts of entries in the CAM table, however, once the resources are exhausted, the traffic is flooded out on the VLAN, as the CAM table can no longer store MAC addresses, thus is no longer able to locate the MAC destination MAC address within a packet.

Due to hardware restrictions, all CAM tables have a limited size. If there are enough entries stored in a CAM table before the expiration of other entries, no new entries can be accepted into the CAM table. An attacker is able to exploit this limitation by flooding the switch with an influx of (mostly invalid) MAC addresses, until the CAM tables resources are depleted. When the aforementioned transpires, the switch has no choice but to flood all ports within the VLAN with all incoming traffic. This is due to the fact that it cannot find the switch port number for a corresponding MAC address within the CAM table. By definition, the switch, acts like, and becomes a hub.

In order for the switch to continue acting like a hub, the intruder needs to maintain the flood of MAC addresses. If the flooding stops, the timeouts that are set on the switch will eventually start clearing out the CAM table entries, thus enabling the switch return to normal operation. Traffic is only flooded within the local VLAN when a CAM table overflow occurs, albeit the attacker will only be able to sniff traffic belonging to the local VLAN on which the attack occurs.


Output of dsniff's macof injecting MAC address packets into the CAM table.

It is trivial to overflow CAM table with invalid MAC addresses, thus all switches should implement security preventing this. Port Security is enough to prevent this type of attack on a Cisco switch. Port Security can be set to only allow a specified amount of MAC addresses to connect to the switch port over a certain amount of time.

To overflow a CAM table using a Debian based distribution of GNU/Linux (Debian, (k)Ubuntu etc, it's very simple. The standard Debian repositories store the tools needed for a successful attack, and can be easily obtained with aptitude. To use aptitude to obtain the required tools, su to root (or sudo) and type the following:

root@hakipedia:~/# aptitude install dsniff

The above will install the dsniff packages–macof is part of the dsniff toolbox, and can be used to perform CAM Table Overflow's. dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.[1]

In order to attack the CAM table and cause it to overflow, simply install dsniff, and type "macof" in a terminal window. This immediately starts flooding the CAM table with invalid MAC addresses. To stop the attack, press CTRL+Z concurrently.

root@hakipedia:~/# macof
root@hakipedia:~/# ^Z

When the entry threshold in the CAM Table has been reached, packets will be flooded out of all ports by the switch in behaviour similar to that of a hub. To take advantage of this, launch a packet sniffer such as Wireshark to begin sniffing packets.


Mitigation of the CAM table-overflow attack can be achieved by configuring port security on the switch. This will allow MAC addresses to be specified on a particular switch port, or alternatively, specify the maximum number of MAC addresses that the switch port can learn. If an invalid MAC address is detected on the switch port, the port can be shut down, or the MAC address can be blocked.

A number of factors should be considered when deciding which type of port security to use: the security specifications of the VLAN being protected on that particular switch port, or manageability and scalability. If the VLAN only holds a few MAC addresses, specifying said MAC addresses is the better solution. As it is an inviable solution in large production environments, the specification of MAC addresses may prove to be impractical to implement. The limitation of the number of MAC addresses on a switch port however, would be a feasible solution.

Sticky MAC addresses are also a viable solution when implementing the mean to mitigate CAM Table Overflows with Cisco IOS. Sticky MAC addresses allow MAC addresses to be dynamically learned and limit port access to said MAC address. The MAC address will be learned when the first MAC address attempts to connect to the port and will be written to the running configuration. For scalability, the implementation of dynamic port security is Cisco's recommended solution.

Cisco IOS Mitigation

switch(config-if)# switchport mode access
!Set the interface mode as access!
switch(config-if)# switchport port-security
!Enable port-security on the interface!
switch(config-if)# switchport port-security mac-address { <mac_addr> | sticky }
!Enable port security on the MAC address as H.H.H or record the first MAC address connected to the interface!
switch(config-if)# switchport port-security maximum <max_addresses>
!Set maximum number of MAC addresses on the port!
switch(config-if)# switchport port-security violation { protect | restrict | shutdown }
!Protect, Restrict or Shutdown the port. Cisco recommends the shutdown option!

CatOS Mitigation

Console> (enable) set port security mod/port enable
!Enables port security or unicast flood!
Console> (enable) set port security mod/port <mac_address>
!Secures MAC address of the enabled port!
Console> (enable) set port security mod/port maximum <max_addresses>
!Maximum number of MAC addresses to secure on the port; valid values are from 1 to 1025!
Console> (enable) set port security mod/port violation { shutdown | restrict }
!Action to be taken in the event of a security violation!
Console> (enable) set port security mod/port age <age>
!Duration for which addresses on the port will be secured; valid values are 0 (to disable) and from 1 to 1440 (minutes)!
Console> (enable) set port security mod/port shutdown <shutdown_time>
!Sets the amount of time to shutdown the port for!

!NOTE: mod/port = Number of the module and the port on the module!

Juniper Mitigation

root@switch# set interface { <interface> | all } mac-limit <limit> action { none | drop | log | shutdown }
# Set the maximum number of MAC addresses allowed to connect to the interface
root@switch# set interface { <interface> | all } allowed-mac <mac_address>
# Set the allowed MAC address(es) allowed to connect to the interface

HP Mitigation

(config)# port security
!Enters the port security configuration mode!
(config-port-security)# enable
!Globally enables port security!
(config-port-security)# age <age>
!Sets the age out timer of the secure MAC address. <age> = number of minutes!
(config-port-security)# autosave <mins>
!Automatically saves the secure MAC addresses to the startup-config file every <mins> minutes!
(config)# int <interface>
!Enters the interface configuration mode!
(config-if-<interface>)# port security
!Enters port security configuration mode on interface!
(config-if-port-security-<interface>)# enable
!Enables port security on interface!
(config-if-port-security-<interface>)# maximum <max>
!Sets the maximum number of secure MAC addresses for the interface!
(config-if-port-security-<interface>)# age <age>
!Sets the age out timer of the secure MAC address associated with interface. <age> = number of minutes!
(config-if-port-security-<interface>)# secure <mac_address>
!Manually specifies secure MAC address authorised by the switch port!
(config-if-port-security-<interface>)# violation { restrict | shutdown }
!If violation occurs: restrict = drops packets from violating address, shutdown = shutdown the port for <time> minutes!

Netgear Mitigation

<code> (Config)# interface <interface>
!Enter the interface configuration mode for <interface>!
(Interface <interface>)# port-security
!Enables port-security on the interface!
(Interface <interface>)# port-security max-dynamic <maxvalue>
!Sets the maximum of dynamically locked MAC addresses allowed on a specific port!
(Interface <interface>)# port-security max-static <maxvalue>
!Sets the maximum number of statically locked MAC addresses allowed on a specific port!
(Interface <interface>)# port-security mac-address <vid> <mac-address>
!Adds a MAC address to the list of statically locked MAC addresses. <vid> = VLAN ID!
(Interface <interface>)# port-security mac-address move
!Converts dynamically locked MAC addresses to statically locked addresses!
(Interface <interface>)# snmp-server enable traps violation
!Enables the sending of new violation traps designating when a packet with a disallowed MAC address is received on a locked port!