Home > Tips & How-tos > How to Detect MAC Flooding Attack in your LAN?

How to Detect MAC Flooding Attack in your LAN?

In a typical MAC flooding attack, a switch is flooded with packets, each containing different source MAC addresses. The switch records these addresses to its CAM table. When the table is full, the switch cannot look up the right destination port, but to broadcast out on all ports. A malicious user could then use a packet sniffer running in promiscuous mode to capture sensitive data from other computers, which would not be accessible were the switch operating normally.

How to detect if there’s a MAC flooding attack in the network? In this article, I will demonstrate to you with Colasoft Capsa Analyzer.

For detecting MAC flooding attack. Let’s start capture, we start the analysis from the SUMMARY TAB. All these statistics seem right. Except one when we come to the Physical address count. There are more than a hundred thousand MAC addresses discovered in this network. How could this small network have so many machines? Possibly, it is a mac flooding attack.

1

We need to check the addresses in the NOD EXPLORE. Open the physical explorer, and look this number; there are more than 1800 MAC addresses in local segment. It’s abnormal; there is no way that so many machines exist in this network. And apparently, these addresses are not real. We are sure that there are worm activities, or attacks in the network.

2

Let’s see how these nodes are communicating. Open the MATRIX TAB. And we choose Top 1000 physical node matrix type. We see this matrix, what a mess! There are so many nodes communicating, and according to the colors of the line, red means one way transmitting.

3

And we can go to the PHYSICAL CONVERSATION TAB to read that it’s true. Almost all nodes only send one packet out. Most packets are 64 bytes.
We know that all machines in our network are connected with a switch. This looks like a MAC flooding attack.

4

Still, to confirm our prediction, we need to see the original data of the packets they send out. Open the PACKET TAB. We see the delta time between packets is very small, which gives a great pressure to the switch. Almost all packets are 64 bytes. And let’s look at the original data in the packets. Almost all packets are randomly generated by padding same digits in the packets.

5

According to all these behaviors, and decoded information from packets, we are pretty sure that there is MAC flooding in this network. But it’s hard to find the attacker’s address directly because all addresses are forged. However, we can cut some machines off the network to eliminate the innocent machines until we find the target one.
Watch the video tutorial of detecting MAC flooding attack is avaliable at Here!

  1. April 26th, 2010 at 00:45 | #1

    this post is very usefull thx!

  2. April 28th, 2010 at 17:43 | #2

    It’s really well done! Respect to author.

  3. May 2nd, 2010 at 04:40 | #3

    great post as usual!

  4. May 11th, 2010 at 02:35 | #4

    found your site on del.icio.us today and really liked it.. i bookmarked it and will be back to check it out some more later

  5. May 25th, 2011 at 07:32 | #5

    Your instructions are very easy to understand and follow. I also tried to solve this problem by increasing the MAC aging timer to 14400. This worked but again, the problem occurred again. I will try to follow your instructions and I hope it will work. Thanks!

  6. May 29th, 2011 at 09:28 | #6

    Nice post.It helps.

    Where can I find this one NOD EXPLORE?

  7. February 1st, 2012 at 10:28 | #7

    Very attractive component of content. I just stumbled upon your site and I totally appreciate your post especially this one. I desire to learn more issues approximately it! Any way I’ll be subscribing for you Feed and will keep updated.

  8. February 14th, 2012 at 13:06 | #8

    This is very interesting. I never even realized that this kind of MAC flood attack existed. Thanks for the information and if I ever encounter mysterious problems with the LAN at least I have a place to begin to investigate.
    Thanks…

  9. June 17th, 2013 at 07:30 | #9

    nice info for beginner network administrator likes Me,

  1. No trackbacks yet.