In this lesson, we'll discuss MAC flooding. MAC flooding is a network attack technique that attempts to compromise the security of a network switch by overflowing the switch's MAC table. Under normal operation, a switch uses its media access control address table, known as the MAC table, to associate each switch port with the MAC address of the device connected to that port. This lets the switch forward data efficiently to the correct recipient. In a MAC flooding attack, the attacker inundates the switch with fake MAC addresses until the MAC address table simply fills up. Once the MAC address table of the switch gets too full, the switch enters a fail-safe mode and begins to act like a hub: because it can't keep up with the demand, it starts broadcasting packets to all of its switch ports instead of sending traffic only to the destination device over a single switch port. This in turn compromises the security and efficiency of your network.

So you may be wondering why an attacker would want to conduct a MAC flooding attack. Well, there are three main reasons an attacker would want to do this: data snooping, disrupting services, and bypassing security measures. First, we have data snooping. By forcing the switch to broadcast traffic, an attacker can snoop on or capture sensitive data from the network. Whenever the switch operates like a hub because its MAC address table is overflowing, the attacker can simply place their own network card into what's known as promiscuous mode and listen to and capture any network traffic being sent through that switch. This allows the attacker to breach your confidentiality, because they can now capture and view the contents of your network traffic as it passes through the flooded switch. Second, we have disruption of services. By conducting MAC flooding, an attacker can degrade your network performance and cause a denial of service by simply overwhelming the network with all this unnecessary traffic. Third, we have bypassing of security measures.

The use of MAC flooding can also help an attacker bypass network security measures that rely on MAC address filtering. For example, many wireless and wired networks are configured with MAC-based access control. This security feature restricts network access by permitting or denying specified devices based on their media access control address, which is a unique identifier assigned to the network interface of that device. In a network environment, administrators can set a list of allowed or denied MAC addresses on a switch or a wireless access point and use that list to control which devices can connect to the network. But if the switch is subjected to MAC flooding, it will simply be unable to process the allow list or block list associated with this type of MAC-based access control, and it may fail to the open position, allowing devices to connect to the network even if they were not supposed to be authorized to do so. So how is MAC flooding actually performed by an attacker?

Well, MAC flooding is actually a simple attack to execute, and it requires minimal resources to cause significant disruption inside your network. Attackers can use specialized tools that generate numerous random MAC addresses and send frames with these fake addresses to the switch. These frames are sent rapidly to fill up the switch's MAC address table quickly, and this in turn forces the switch to enter that fail-safe mode where it starts broadcasting all incoming traffic out of all of its switch ports. As a network administrator, you need to understand how to detect and prevent MAC flooding on your networks too. To secure your networks, you should implement an anomaly-based intrusion detection system, or IDS, to help identify unusual increases in MAC address entries or spikes in your broadcast traffic. You should also set up network monitoring tools to alert your administrators about any unusual traffic patterns or sudden changes in the network's operational metrics.

To prevent MAC flooding from occurring, you should configure your switches to use port security. Configuring port security on a switch limits the number of MAC addresses allowed on a single port, and this effectively prevents the MAC address table from becoming overwhelmed too quickly. Another configuration you can use to prevent MAC flooding is to set a limit on the number of MAC addresses learned from each switch port. This prevents the switch from becoming overloaded, and it can also help ensure that only legitimate devices are connected to your network. Finally, you need to implement VLANs to segment your network traffic, because this will also help limit the impact of a MAC flooding attack if one is successful on a single segment of your network. It will then affect only that single segment instead of the entire network, because you've divided your network into these smaller segments by using VLANs.

So remember, MAC flooding is a network attack technique that attempts to compromise the security of a network switch by overflowing the switch's MAC table. MAC flooding targets the core functionality of a network switch and aims to compromise the data integrity and network performance of your systems. By understanding the nature of this attack, you can implement robust detection mechanisms and preventative measures, such as using port security, anomaly detection, and vigilant network monitoring, to better protect your network against MAC flooding attacks in the future.
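As an added example that is not part of the lesson, the following Python model shows the two defensive ideas the lesson describes working together: a per-port learned-MAC limit (port security) stopping the MAC table from being exhausted, and an anomaly check that flags a port presenting far more source addresses than a single host ever would. The switch model, the table capacity of 64, the per-port limit of 2, the port numbers, the host MACs and the flood of 500 random addresses are all constructed for illustration and do not come from the lesson or from any particular vendor's switch.

```python
import random
from collections import defaultdict


class Switch:
    """Toy model of a switch: a MAC table of fixed capacity, optional port security."""

    def __init__(self, table_capacity, port_mac_limit=None):
        self.capacity = table_capacity          # MAC table size (constructed value)
        self.port_mac_limit = port_mac_limit    # None = port security disabled
        self.mac_table = {}                     # learned source MAC -> port
        self.learned_per_port = defaultdict(set)
        self.seen_per_port = defaultdict(set)   # every source MAC a port presented
        self.violations = defaultdict(int)      # frames dropped by port security
        self.stats = defaultdict(int)           # counts of unicast/flooded/dropped

    def _learn(self, port, src_mac):
        """Source-address learning; returns False on a port-security violation."""
        self.seen_per_port[port].add(src_mac)
        if src_mac in self.mac_table:
            return True
        if (self.port_mac_limit is not None
                and len(self.learned_per_port[port]) >= self.port_mac_limit):
            self.violations[port] += 1
            return False
        if len(self.mac_table) < self.capacity:
            self.mac_table[src_mac] = port
            self.learned_per_port[port].add(src_mac)
        # If the table is full the entry is simply not learned; the frame is
        # still forwarded, so traffic back to this host will have to be flooded.
        return True

    def forward(self, in_port, src_mac, dst_mac):
        """Handle one frame; returns 'unicast', 'flooded' or 'dropped'."""
        if not self._learn(in_port, src_mac):
            action = "dropped"
        elif dst_mac in self.mac_table:
            action = "unicast"          # known destination: one port only
        else:
            action = "flooded"          # unknown destination: out every port, hub-like
        self.stats[action] += 1
        return action


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def run_scenario(port_mac_limit=None, table_capacity=64, flood_frames=500, seed=1):
    """Attacker on port 3 floods the empty table; then host A (port 1) and
    host B (port 2) exchange a frame each. Returns the switch and how B's reply
    to A was handled. Constructed scenario; no MAC ageing is modelled."""
    rng = random.Random(seed)
    sw = Switch(table_capacity, port_mac_limit)
    for _ in range(flood_frames):
        sw.forward(3, random_mac(rng), "ff:ff:ff:ff:ff:ff")
    host_a, host_b = "00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb"
    sw.forward(1, host_a, host_b)          # B is unknown yet, so this floods either way
    reply = sw.forward(2, host_b, host_a)  # unicast only if A could be learned
    return sw, reply


def flooding_ports(sw, threshold):
    """Detection: ports that presented more distinct source MACs than a host should."""
    return sorted(p for p, macs in sw.seen_per_port.items() if len(macs) > threshold)


if __name__ == "__main__":
    for limit in (None, 2):
        sw, reply = run_scenario(port_mac_limit=limit)
        print(f"port security limit={limit}: {len(sw.mac_table)} table entries, "
              f"reply B->A was {reply}, dropped={sw.stats['dropped']}, "
              f"suspect ports={flooding_ports(sw, threshold=10)}")
```

Without the per-port limit the attacker's 500 random addresses fill all 64 entries, the two legitimate hosts can never be learned, and B's reply to A is flooded out of every port, including the attacker's. With the limit set to 2, the third and later addresses from port 3 are dropped as violations, the table keeps room for A and B, and the reply is delivered as unicast. The violation counter and the `flooding_ports` check are the kind of signals the lesson's anomaly-based IDS and monitoring tools would alert on; real switches typically also offer to shut a violating port down rather than just dropping its frames, which this model does not represent.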