1
00:00:01,000 --> 00:00:05,430
The idea of creating a flood is to make a switch behave like a hub.

2
00:00:05,640 --> 00:00:10,620
As I mentioned before, a hub sends the packet it receives to all of its ports.

3
00:00:11,070 --> 00:00:15,030
However, a switch sends the packet only to the target system.

4
00:00:15,300 --> 00:00:18,210
So we can make this switch behave like a hub.

5
00:00:18,300 --> 00:00:24,690
Then it would send the packet to all of its ports and I could listen to the traffic even though I'm

6
00:00:24,690 --> 00:00:25,740
not the target.

7
00:00:26,490 --> 00:00:30,000
In a MAC flooding attack, within a very short time,

8
00:00:30,000 --> 00:00:34,920
the switch's MAC address table is full of fake MAC address and port mappings.

9
00:00:35,190 --> 00:00:41,160
Once the switch's MAC address table is full and it cannot save any more MAC addresses, it generally

10
00:00:41,160 --> 00:00:46,500
enters into a fail-open mode and it starts behaving like a network hub.

11
00:00:46,770 --> 00:00:53,310
Ethernet switches use MAC address tables to determine where to forward traffic on a LAN.

12
00:00:53,400 --> 00:01:00,600
So let's go step by step to understand how the MAC address table is built and used by an Ethernet switch

13
00:01:00,630 --> 00:01:04,530
to help traffic move along the path to its destination.

14
00:01:04,920 --> 00:01:11,160
Now suppose that all of the devices connected to the switch are powered on but have not sent any traffic

15
00:01:11,160 --> 00:01:11,700
yet.

16
00:01:11,850 --> 00:01:15,660
In this case, the MAC address table of the switch would be empty.

17
00:01:16,650 --> 00:01:21,030
Now suppose Computer A wants to send traffic to the server.

18
00:01:21,960 --> 00:01:26,850
It prepares an Ethernet frame and it sends it off toward the switch.
19
00:01:27,180 --> 00:01:34,530
The first thing the switch would do when receiving the traffic is to create a new entry in its MAC address

20
00:01:34,530 --> 00:01:37,140
table for Computer A's MAC address.

21
00:01:37,230 --> 00:01:38,160
Makes sense.

22
00:01:38,850 --> 00:01:45,720
The switch then performs a lookup on its MAC address table to determine whether it knows which port

23
00:01:45,750 --> 00:01:47,130
to send the traffic to.

24
00:01:47,680 --> 00:01:51,130
And since no matching entries exist in the switch's table,

25
00:01:51,820 --> 00:01:57,820
it floods the frame out all of its interfaces except the receiving port.

26
00:01:59,060 --> 00:02:02,930
Because the frame was sent out to all the switch's other ports,

27
00:02:03,050 --> 00:02:05,600
it is received by the target server as well.

28
00:02:06,320 --> 00:02:09,949
Then the server sends a new frame back toward the switch.

29
00:02:10,190 --> 00:02:13,670
The other systems which receive the frame do nothing.

30
00:02:14,860 --> 00:02:21,880
The switch receives the frame and creates a new entry in its MAC address table for the server's MAC

31
00:02:21,910 --> 00:02:22,600
address.

32
00:02:24,120 --> 00:02:30,240
It then performs a lookup of its MAC address table to determine whether it knows which port to send

33
00:02:30,240 --> 00:02:31,740
the server's traffic to.

34
00:02:31,740 --> 00:02:33,720
And in this case, it does.

35
00:02:33,720 --> 00:02:40,350
So it sends the return traffic out only on the port of Computer A, without flooding.

36
00:02:41,720 --> 00:02:46,520
So this process repeats as devices continue to send traffic to each other.

37
00:02:47,030 --> 00:02:54,080
An important detail to remember is that the MAC address table timeout is typically short.

38
00:02:54,380 --> 00:03:00,080
So, for example, the default timeout duration of Cisco switches is five minutes.
39
00:03:00,080 --> 00:03:07,220
So an entry is left in the table only for that specified amount of time before the timeout expires

40
00:03:07,220 --> 00:03:09,560
and the entry is removed from the table.

41
00:03:10,540 --> 00:03:14,560
Let's look at the switching mechanism from a cybersecurity point of view.

42
00:03:14,950 --> 00:03:18,320
The mechanism has two weaknesses in it.

43
00:03:18,340 --> 00:03:25,780
First, when the target MAC address is not in the MAC address table, the frames are flooded out of

44
00:03:25,780 --> 00:03:32,440
all the ports, so unintended systems on the network are capable of sniffing these frames.

45
00:03:32,650 --> 00:03:39,820
The second weakness is that when the MAC address table is full, no new record is accepted.

46
00:03:40,120 --> 00:03:45,820
So what if I fill the table by announcing thousands of fake MAC addresses from a port of the switch?

47
00:03:46,300 --> 00:03:52,840
Most of the switches start to behave like a network hub in such a situation, which means they send

48
00:03:52,840 --> 00:03:55,060
each frame to all of the ports.