CAM Table Overflow Attack

CAM Table Overflow Attack

A switch’s Content Addressable Memory (CAM) table contains MAC addresses that can be reached, organized by the port where they have been learned, as well
as the associated VLAN ID. The CAM table can hold a finite number of entries depending on switch model. For example, many 2900 series Catalyst switches are designed to contain as many as 4,096 entries, whereas higher-end switches such as the 6500 series Catalyst switches can contain many tens of thousands of entries. Switches learn these MAC addresses by analyzing the source address of Ethernet frames that arrive on a particular port.

A CAM table overflow attack leverages this simple process by injecting thousands of frames with bogus source MAC addresses on a single port. An example of such a utility is macof. When the CAM table reaches capacity with these bogus MAC addresses, older, legitimate MAC addresses are pushed out of the CAM table.
Subsequent frames whose destination address is the MAC address of a legitimate host are flooded out all of the switch’s ports as with any unknown unicast traffic.
Attackers, listening on any port, will be able to capture a flood of traffic that they would not normally see. For example, frames encapsulating sensitive traffic that are destined to a network server might be visible by the attacker.

CAM Table Overflow Attack Mitigation: Port Security

This type of attack can be mitigated by configuring port security. Port security is explained in the “Configuring Port Security” section to follow.

Arguably, you could configure port security to statically hard code the MAC addresses permitted on each switch port, but such a solution would be unmanageable and unscalable.

MAC Address Spoofing Attack

In a MAC address spoofing attack, an attacker injects frames into a switch port with the source address of a known host. Assuming that the spoofed host is not transmitting, this causes the switch to send frames that would normally be destined to the spoofed host’s switch port to the attacker’s switch port instead. Again, the attacker is leveraging the switch’s learning process.

MAC Address Spoofing Attack Mitigation: Port Security

This attack also can be mitigated with port security. Port security is explained in the following “Configuring Port Security” section.

Configuring Port Security

Essentially, port security enables you to configure a switch port to allow specific statically-assigned MAC addresses or to set a maximum for the number of MAC addresses learned on that port. For example, setting a finite number of MAC addresses that can be learned on a port would effectively mitigate a MAC address spoofing attack. As another example, a CAM table overflow attack could be mitigated by using port security to define specific MAC addresses that can be

reached by a specific port, thus limiting the scope of flooding of unknown unicast traffic. Furthermore, port security can be tuned as to what action will be performed when that maximum has been reached or when a MAC address doesn’t match the statically assigned MAC address(es). The switch could be configured to

  • Send an alert to the console or a logging server.
  • Simply not accept the violating frame.
  • Shut down the port altogether.
  • Perform a combination of these actions
Cisco recommends that a port be shut down when a violation occurs because it will probably be eventually disabled anyway if an attack creates too much load. Also, port security cannot be configured on trunk ports because it is only appropriate on access ports.

Port Security Basic Settings

Because port security is only applicable to access ports (and not trunks), you need to enable a port for access mode. Use this interface command:

Port Security Optional Settings

By default, when you enable port security on a Catalyst switch port, it will learn a maximum of 132 secure MAC addresses; the violation mode (that is, the action it will take if there is a violation) is to send an alert. The following optional settings tune the configuration.

If you are asked in the exam what the port security defaults are for a Catalyst switch port, the right answer is that a maximum of 132 secure MAC addresses are learned on a switch port. In reality, the default for the maximum number of secure MAC addresses is dependent on the model of the switch. For example, a Catalyst 2960 defaults to a maximum of one secure MAC address when port security is enabled on a port.

To set a maximum number of MAC addresses that can be learned on a port, use the switchport port-security maximum command. For example, the following
command allows a maximum of 32 addresses to be learned on a port:
Catalyst1(config-if)#switchport port-security maximum 32 To set the violation mode for the port, use this command:
switchport port-security violation {protect | restrict | shutdown | shutdown vlan}
The following is a detailed explanation of the command’s syntax:

  • protect: When the maximum number of secure MAC addresses configured on a port is reached, subsequent frames are silently dropped (that is, no notification) until the number of MAC addresses learned falls back below the maximum.
  • restrict: Same as protect, except a notification of the violation is sent. If you have Simple Network Management Protocol (SNMP) set up, a trap
    is sent to the SNMP Network Management Station (NMS). If syslog is set up, a syslog message is logged. The violation counter is also incremented.
  • shutdown: This setting will shut down the port on which the violation occurred. The port is put in an error-disabled state and the port LED is extinguished. It also sends an SNMP trap and/or syslog message per the restrict option.
  • shutdown vlan: Same as shutdown, but the switch port will only be put in an error-disabled state for the VLAN in which the violation occurred.

In this example, the switch’s port will be error-disabled for frames for VLAN 5 if there has been a violation in that VLAN:
Catalyst1(config-if)#switchport port-security violation shutdown vlan 5 Port security can be configured to allow only specified MAC addresses to use a port. The switchport port-security mac-address command needs to be entered for every secure MAC address; for example:
Catalyst1(config-if)#switchport port-security mac-address 0013.b638.8567 Sticky learning means that designated MAC addresses learned on a switch port can be configured to age out more slowly than other dynamically learned entries. They are harder to get rid of; thus, they are sticky. To enable sticky learning of secure MAC addresses on a port, you can use this command:
Catalyst1(config-if)#switchport port-security mac-address sticky

In this manner, the secure MAC addresses are designated as sticky; thus, they remain in the running configuration on the switch. You also can define how long the secure addresses that are learned on a switch port stay in the CAM table. The command to configure this is the switchport port-security aging command:
switchport port-security aging {static | time time | type {absolute | inactivity}}
The command options are as follows:

  • static: Enables aging for static secure MAC addresses on this port.
  • time: Specifies the aging time for this port (0 to 1,440 minutes). If set to 0, aging is disabled.
  • type absolute: Sets the aging type to absolute. After the time specified
    expires, all secure MAC addresses are removed from the secure address list.
  • type inactivity: Sets the aging type to inactivity. After the time specified expires, all secure MAC addresses are removed from the secure address list.
    For example, if you wanted secure MAC addresses to age out of the CAM table after 100 minutes of inactivity, you could type this command:

Port Security Verification

To verify port security, you can use the show port-security command or the show port-security interface interface-id command. Here are some examples of the output of these commands:

In the output of the show port-security command, port security is enabled on port Gig0/1 with a maximum MAC address count of 32. There have been 29 MAC addresses learned on the port, and there have been no violations. The aging time (we set this previously) is set to 100 minutes, and the aging type is inactivity. The output of the show port-security interface gigabitEthernet 0/1 command indicates that a policy violation has occurred because the port has been

A port that is in an err-disabled state is one that has been disabled due to a port security violation. There are two ways to bring a port out of the err-disabled state, as follows:
  • Enter the errdisable recovery cause psecure-violation command in global configuration.
  • Alternatively, you can manually re-enable the specific port by toggling it with the
    shutdown and no shutdown interface configuration commands. placed in a secure-down status.

To view all the secure MAC addresses on all interfaces, you can use the show port-security address command. If you want to see the secure MAC addresses learned on one specific interface, you can use the show port-security interface interface-id address form of the command. Both forms of the command also show you the aging information for each address. Here’s an example:

Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 6272
In the example, port GigE0/1 is in VLAN 10 and has a secured MAC address of 0000.e3fd.39ca. The device with that MAC address can use port GigE0/1, and there is a remaining age of 99 minutes for that entry.

About the author


Leave a Comment