
MAC Flooding: Effective Strategies to Combat Network Attacks

MAC flooding is a network attack that aims to overwhelm a switch (the device that forwards data packets to specific MAC addresses), causing it to enter a fail-safe mode. When overwhelmed, a network switch enters an “open” mode in which every packet is sent out of every port, so that the network stays up rather than going down. Since all data is now delivered to every port, the security of the network is compromised. Normally, a switch only sends data to the specific port on which the destination address was learned; in fail-safe mode that port-level isolation is lost, because all traffic reaches every port.


In This Article
  1. What is MAC Flooding?
  2. How Do MAC Flooding Attacks Work?
  3. How Can You Detect MAC Flooding?
  4. How to Prevent MAC Flooding Attacks?
  5. What is the Difference Between ARP Poisoning and MAC Flooding?
  6. What Steps Should You Take if Attacked?

What is MAC Flooding?

MAC flooding sends a large number of fake MAC addresses to a network switch. A MAC address is a unique identifier for the Network Interface Card (NIC) of a device connected to the network, while a network switch is, simply put, a relay station that forwards data between devices based on their MAC addresses.

During normal operation, a device would create a data packet that stores three essential parts:

  1. Its own MAC address.
  2. Destination MAC address.
  3. Data payload (i.e., the actual information that has to be sent).

The data packet is then forwarded to the network switch, which looks up the destination address in its MAC address table (a mapping of MAC addresses to ports) to find out which port to forward the packet to.

If the destination MAC address is not known to the switch, it falls back to broadcasting: the data packet is sent to all devices on the network. The destination device then responds, and the switch learns which port it is on.

To avoid broadcasting all data to all devices at all times, the switch records each device’s source MAC address together with the port it arrived on in the table. This improves both port security and network efficiency.

As with all hardware devices, the MAC address table in a switch can hold only a finite number of entries. Once the table is full, the switch can no longer learn new addresses and falls back to the fail-safe “open” mode.

The safe mode is a backup that’s intended to avoid taking down the entire network whenever the address table is flooded. There’s a tradeoff, however, as the switch enters broadcast mode for all incoming data packets, compromising network performance and port security.

How Do MAC Flooding Attacks Work?

MAC flooding attacks intentionally overwhelm the network switch by sending a large number of packets with different, fake source MAC addresses. The table overflows, causing the switch to enter broadcast mode, in which every device receives every data packet.

While the MAC flood attack could be done purely for network performance degradation, a more common application is to spy on all traffic in the network. If the attacker floods the network switch’s MAC address table while they have a legitimate device connected to the same network, they start receiving all data packets as well.

As such, they may start intercepting and eavesdropping on network traffic and collect valuable information for as long as the MAC address flooding attack lasts.

How Can You Detect MAC Flooding?

Detecting MAC flooding attacks may require specialized software. Although some network performance degradation does occur, it is easily attributed to another cause or may go unnoticed altogether.

Network monitoring software (e.g., Wireshark) should be used to analyze traffic and congestion if a MAC flooding attack is suspected. Some tools can also send automatic alerts about abnormal network traffic.

Suspicions should arise if there are frequent, unexplained network slowdowns and performance degradation. Another way to check is to connect to the network switch (through SSH or Telnet) and run one of these commands:

Cisco switches:

    show processes cpu history

HP/Aruba switches:

    enable
    show system cpu

Juniper switches:

    show chassis routing-engine

All of these commands show the CPU utilization and processes. If a MAC flooding attack is happening, CPU utilization will be unusually high.
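CPU load is an indirect signal; a more direct one is the rate at which never-before-seen source MAC addresses appear on a single port. The following added example (not code from the original article) runs that check over a constructed set of frame records, as a mirror-port capture or the switch’s MAC-learning log would provide them; the port names, addresses and thresholds are assumptions.

```python
from collections import defaultdict, deque
import random

def constructed_records():
    """Constructed (timestamp_seconds, ingress_port, source_mac) records:
    a normal port with two hosts and one port being flooded with fake MACs."""
    recs = []
    for t in range(10):                                  # two real devices chatting
        recs.append((float(t), "Gi1/0/3", "00:11:22:33:44:01"))
        recs.append((t + 0.5, "Gi1/0/3", "00:11:22:33:44:02"))
    rng = random.Random(7)                               # deterministic fake addresses
    for i in range(600):                                 # 600 new MACs in two seconds
        mac = ":".join(f"{rng.randrange(256):02x}" for _ in range(6))
        recs.append((3.0 + i / 300.0, "Gi1/0/7", mac))
    return sorted(recs)

def detect_mac_flooding(records, window_s=5.0, threshold=50):
    """Flag ports on which more than `threshold` distinct, previously unseen
    source MACs were learned inside any `window_s`-second window.
    Returns {port: peak number of new MACs seen in one window}."""
    seen = defaultdict(set)        # port -> MACs already learned from that port
    recent = defaultdict(deque)    # port -> timestamps of recent learning events
    alerts = {}
    for ts, port, mac in records:
        if mac in seen[port]:
            continue               # known device on this port: not a learning event
        seen[port].add(mac)
        q = recent[port]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()            # slide the window forward
        if len(q) > threshold:
            alerts[port] = max(alerts.get(port, 0), len(q))
    return alerts
```

A normal access port learns a handful of addresses over its lifetime, so any port that trips this check deserves a look at its port-security counters.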

How to Prevent MAC Flooding Attacks?

There are many ways to prevent a MAC flooding attack, ranging from monitoring to changing network switch settings. Most of these prevention techniques require some interaction from the user and may change how the network behaves.

First, there is always the possibility of changing the switch settings. The MAC address table is configurable through software: users can enable port security features that limit the number of MAC addresses each port is allowed to add to the MAC address table.

Additionally, the same feature lets users choose one of several actions to take when a port exceeds its MAC address limit: shut the port down so that no further data packets pass through it, restrict new addresses from being added and generate an alert, or simply drop any new addresses without adding them.

Another option that doesn’t directly involve the switch’s MAC address table is to set up virtual LANs on larger networks. A VLAN segments the entire network into smaller chunks, so if any one is affected by a MAC flooding attack, other segments are unaffected.

Finally, there is the possibility of using the switch to set up MAC address filtering. Doing so can prevent any new MAC address from being added to the table; however, it can be a nuisance to manage if new, legitimate devices are connected to the network frequently.
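To make the effect of a per-port limit concrete, here is an added toy model (constructed for this article, not any vendor’s implementation) of a switch MAC table with optional port security. It shows how an attacker on one port fills a table of assumed capacity 512 and causes client-to-server traffic to leak to every port, and how a limit of two addresses per port with the “restrict” or “shutdown” action described above stops that; the port names and addresses are assumptions.

```python
class Switch:
    """Toy model of a switch MAC table with optional port security (constructed
    for illustration, not any vendor's code). Violation modes follow the three
    behaviours described above: 'shutdown' disables the port, 'restrict' drops
    the frame and counts it (an alert source), 'protect' drops it silently."""

    def __init__(self, ports, capacity, max_per_port=None, violation="restrict"):
        self.ports, self.capacity = list(ports), capacity
        self.max_per_port, self.violation = max_per_port, violation  # None: no port security
        self.table = {}                                   # mac -> port (the MAC address table)
        self.per_port = {p: set() for p in ports}         # MACs learned on each port
        self.disabled, self.violations = set(), {p: 0 for p in ports}

    def learn(self, port, src_mac):
        """Handle the source address of a frame arriving on `port`."""
        if port in self.disabled:
            return "dropped"
        if self.table.get(src_mac) == port:
            return "known"
        if self.max_per_port is not None and len(self.per_port[port]) >= self.max_per_port:
            self.violations[port] += 1
            if self.violation == "shutdown":
                self.disabled.add(port)
            return "violation"                            # frame dropped, address not learned
        if len(self.table) >= self.capacity:
            return "table_full"                           # cannot learn: fail-open behaviour follows
        self.table[src_mac] = port
        self.per_port[port].add(src_mac)
        return "learned"

    def forward(self, dst_mac, ingress):
        """Egress ports for a frame: the learned port, or every other port if unknown."""
        if dst_mac in self.table:
            return [self.table[dst_mac]]
        return [p for p in self.ports if p != ingress and p not in self.disabled]

def scenario(max_per_port=None, violation="restrict"):
    """Client on port 2, attacker on port 7, server on port 1 whose table entry
    has already aged out. Returns (egress ports of a client->server frame,
    violation count on the attacker port, attacker port disabled?, table size)."""
    sw = Switch(["Gi1/0/1", "Gi1/0/2", "Gi1/0/7"], 512, max_per_port, violation)
    server, client = "00:11:22:33:44:01", "00:11:22:33:44:02"   # constructed addresses
    sw.learn("Gi1/0/2", client)
    for i in range(1000):                                 # attacker: 1000 fake source MACs
        sw.learn("Gi1/0/7", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
    sw.learn("Gi1/0/1", server)                           # server transmits again
    return sw.forward(server, "Gi1/0/2"), sw.violations["Gi1/0/7"], "Gi1/0/7" in sw.disabled, len(sw.table)
```

Without port security the table is full when the server reappears, so the client’s frame is also delivered to the attacker’s port; with a limit of two addresses per port the table stays at four entries and the frame reaches only the server.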

What is the Difference Between ARP Poisoning and MAC Flooding?

A similar and often mislabeled attack is ARP (Address Resolution Protocol) poisoning. Instead of attempting to overwhelm the switch as in a MAC flooding attack, the attacker sends spoofed ARP messages that associate their own MAC address with the IP address of a legitimate device. Usually, the intention is to intercept important traffic.

These two attacks, however, are completely different, even if, on some level, they achieve similar goals. An ARP attack usually affects only a single device on the network while a MAC flooding attack affects the entire network.

Additionally, preventing MAC flooding and preventing ARP poisoning rely on entirely different security measures. So, although the two attacks are related through their use of MAC addresses, they are very different.

What Steps Should You Take if Attacked?

If you suspect a MAC flooding attack is happening, there are only a few good steps you can take. First, if possible, disconnect all devices from the network to stop the attack. Although only some devices may seem to be affected by the degradation, the attacker may be collecting packet data, so performance degradation is the least of your concerns.

In any case, you should start reconfiguring the network switch as soon as possible. If you are dealing with everything during the attack itself, your best bet is to set a low maximum number of MAC addresses for each port. It will inevitably drop some legitimate devices, but it will also surely stop the attack.

If possible, you should then turn to finding out the source of the MAC flooding attack. These attacks don’t happen accidentally, so you know someone is intentionally attacking your network.

All further steps should follow regular good practices of network security. A post-mortem analysis should be conducted with clearly outlined further actionable steps.

Additionally, employees should be trained on the topic to get a better overall understanding within the organization about MAC flooding. Finally, security protocols should be reviewed carefully to prevent further attacks from happening.
