The macof command allows launching devastating MAC flooding attacks against network switches and infrastructure. In skilled hands, macof enables comprehensive testing of layer 2 defenses. However, in the wrong hands, it can wreak havoc on networks.

This advanced guide will cover multiple techniques for precisely wielding the macof command, analyzing its packet structure, exploring trending attack vectors, and securing equipment against its capabilities.

Anatomy of a MAC Flood

To understand why the macof command is so disruptive, you need to comprehend how MAC flooding impacts switch operations at a technical level.

Ethernet switches maintain a table that maps MAC addresses to physical ports, allowing them to intelligently forward frames only to the destination port. This MAC address table is organized as a hash table, allowing quick lookups to find the correct port for each destination MAC address.

Diagram showing structure of switch MAC address table mapping ports to MAC addresses [Source: Fortinet]

However, hash tables have a limited number of buckets to hold addresses before collisions occur, overflowing the table. By bombarding the switch with fake MAC addresses, macof triggers excessive collisions, filling the entire table.

Once full, the switch enters failopen mode, broadcasting packets to all ports like a simple hub. This both enables sniffing communications and causes service disruptions from excessive port traffic.

Modern switches utilize more advanced data structures like binary trees to handle millions of MAC addresses. Still, macof can overwhelm even these, especially when targeting specific devices instead of blanket flooding.
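To make the fail-open behaviour described above concrete, here is a small simulation of a fixed-capacity MAC address table. This is an added example written for this article, not code from the macof project; it is a simplified model (no hash-bucket collisions or entry aging, and the capacity of 64 entries is an assumed toy value) that shows why a full table forces a switch to flood unicast frames to every port, including the one the bogus addresses arrived on.

```python
from collections import OrderedDict

# Constructed toy model of a switch MAC address table (CAM table) with a fixed
# number of entries. Real switches also age entries out and handle overflow in
# vendor-specific ways; the capacity here is an assumption for illustration.


class CamTable:
    def __init__(self, capacity, port_count):
        self.capacity = capacity
        self.ports = list(range(1, port_count + 1))
        self.table = OrderedDict()      # mac -> port the address was learned on
        self.unicast_floods = 0         # frames flooded because dst was unknown

    def learn(self, src_mac, port):
        """Record src_mac on the ingress port; refuse new entries once full."""
        if src_mac in self.table:
            self.table[src_mac] = port  # refresh existing entry
            return True
        if len(self.table) >= self.capacity:
            return False                # table full: nothing new can be learned
        self.table[src_mac] = port
        return True

    def forward(self, src_mac, dst_mac, in_port):
        """Return the egress ports for a frame entering on in_port."""
        self.learn(src_mac, in_port)
        out = self.table.get(dst_mac)
        if out is None or out == in_port:
            # Unknown destination: behave like a hub and flood every other port.
            self.unicast_floods += 1
            return [p for p in self.ports if p != in_port]
        return [out]


def simulate_flood(capacity=64, bogus_macs=200):
    """Fill the table from port 3 with bogus source MACs, then watch what happens
    to a conversation between two legitimate hosts on ports 1 and 2."""
    sw = CamTable(capacity=capacity, port_count=4)
    for i in range(bogus_macs):
        # Constructed, deterministic locally-administered addresses
        sw.learn("02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF), 3)

    host_a, host_b = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    a_to_b = sw.forward(host_a, host_b, 1)   # B not yet known: flooded either way
    b_to_a = sw.forward(host_b, host_a, 2)   # A known only if it could be learned
    return {
        "table_size": len(sw.table),
        "learned_a": host_a in sw.table,
        "a_to_b_ports": a_to_b,
        "b_to_a_ports": b_to_a,
        "attacker_port_sees_reply": 3 in b_to_a,
    }


if __name__ == "__main__":
    print("no flood :", simulate_flood(bogus_macs=0))
    print("flooded  :", simulate_flood())
```

Without the flood, B's reply to A leaves only on port 1; once the table is saturated, A can never be learned and the same reply is flooded to ports 1, 3 and 4, which is exactly the sniffing exposure the text describes.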

Crafting Malicious Frames with Macof

The macof command allows customizing the structure of generated packets to mimic legitimate frames and avoid detection by intrusion systems.

By default, macof sends a continuous stream of frames at one frame per second to the target switch. However, the -n option allows burst transmission of up to 65,535 frames per execution.

Diagram showing anatomy of macof generated frame [Source: Fortinet]

As seen above, macof allows specifying source and destination IP addresses plus TCP ports to craft packets appearing to originate from valid devices. Furthermore, the interface specified with -i determines the source MAC address.

This presents opportunities for integrating macof flooding with ARP cache poisoning. By poisoning the ARP table to map a victim device’s IP to the attacker’s MAC, macof frames will spoof that device’s MAC address when flooding the switch.

Similarly, attackers can specify the target device's actual MAC address via the -e option so the flooding traffic replicates its address, disrupting its connectivity. Such surgical application of macof, combined with ARP attacks, paralyzes individual devices efficiently.

MAC Flooding & VLAN Hopping for Maximum Chaos

While traditional MAC flooding impacts a single VLAN, advanced attackers can amplify its effectiveness using VLAN hopping. This allows MAC flooding to transcend VLAN barriers and impair multiple network segments.

By forcing trunk ports into failopen state via MAC flooding, attackers can send frames with spoofed VLAN tags to traverse VLAN boundaries. This grants visibility and access into private management and user VLANs alike.

Furthermore, once MAC flooding has compromised a trunk port, sending frames with duplicate VLAN IDs enables carrying out “DHCP starvation” attacks simultaneously. This rapidly depletes available IP addresses in all afflicted VLANs, denying internet access to devices. Such multi-layer attacks incorporate layer 2 MAC flooding with layer 3 DHCP exhaustion for maximized impact.

Integrating MAC flooding with VLAN hopping demonstrates the immense risk of allowing these layer 2 attacks to succeed. Defending VLAN boundaries requires securing trunk ports against MAC table overflows.

Rapid Growth of Layer 2 Attacks

While MAC flooding attacks are not new, improvements in attack toolkits like macof have contributed to an alarming surge of layer 2 attacks in recent years:

  • 6x increase in layer 2 attacks between 2018 and 2021 according to ENISA

  • Layer 2 attacks comprised 20% of all network attacks in 2020 per Fortinet

  • Gartner estimates over 70% of threats now target layer 2 infrastructure

Driven by the pervasive adoption of switches over hubs and the ubiquity of Ethernet, layer 2 attacks leverage the complexity of modern network infrastructure against itself. The interdependencies between the link layer and IP make it trivial to trigger cascading failures from a single compromised switch.

The steep rise of MAC flooding and similar attacks also correlates to the expanding attack surface of edge networks. The massive influx of Internet of Things (IoT) devices increases the strain on layer 2 equipment. Most IoT devices lack robust security, making them susceptible to compromise and incorporation into swarm-based attacks.

As attackers tire of continually cracking endpoints protected by updated antivirus, they turn to fragile network gear to maximize disruption. The intrinsic interconnectedness of layer 2 makes it the frontline weak point on modern networks.

Harnessing Scapy to Automate Powerful MAC Flooding

While macof provides simple command-line flooding, advanced users can leverage Scapy for added customization and scripting of attacks.

Scapy represents network stacks as Python objects, allowing the construction and transmission of arbitrary packets. The following snippet crafts malicious frames and sends them in rapid bursts to overwhelm switch CAM tables:

from scapy.all import *

# Interface connected to switch
iface = "eth1"

# Target device MAC address
target_mac = "00:0c:29:8d:dd:c9"

for x in range(10000):
    frame = Ether(src=RandMAC(), dst=target_mac)
    frame /= IP(src=RandIP(), dst=RandIP())
    frame /= TCP()

    sendp(frame, inter=0.001, iface=iface)

This script generates 10,000 frames with randomized header values at millisecond intervals. The rapid flooding will crash most switches.

Automation allows scaling attacks significantly compared to manual macof usage. Moreover, scripted packet crafting provides source IP and MAC spoofing, helping the traffic avoid detection as flooding.

Securing Layer 2 Environments Against MAC Table Overflows

While MAC flooding can seem unstoppable, several controls can reduce the risk of takeover:

Port Security

Enable port security policies to restrict the MAC addresses permitted on each port. After the tables fill, new unapproved MACs will shut down the port.

MAC Address Locking

Lock MAC table entries to specific ports so they persist even during attacks. This reduces the overflow surface area.

MAC Activity Tracking

Analyze MAC trends with historical visibility to detect rapid learning indicative of an attack.

Advanced Flood Defender

Use updated switch firmware with advanced detection and auto-quarantine of suspected flooding sources.

Network Infrastructure Monitoring

Actively monitor switch CPU, memory, MAC tables, and port traffic in real-time to catch attacks early.

VLAN Segmentation

Divide the network into smaller VLANs so only one segment is impacted by a breach of flooding defenses.

Switch Redundancy

Deploy redundant switches so that if the primary switch fails open, the secondary unit maintains connectivity.
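The port security and MAC activity tracking controls above both come down to counting distinct source MACs per port. The following added example (written for this article, not vendor code) emulates both: a per-port MAC limit with a shutdown violation action, and a sliding-window detector that flags a port learning new addresses faster than a threshold. The event feed is a constructed list of (timestamp, port, source MAC) learn events, and the port names, limits and thresholds are assumed values a real deployment would tune to its own switches.

```python
from collections import defaultdict, deque


def port_security_check(events, max_macs):
    """Emulate port security: the first max_macs addresses seen on a port are
    allowed; any further new address is a violation that err-disables the port.
    Returns {port: timestamp of the violation}."""
    allowed = defaultdict(set)
    shutdown = {}
    for ts, port, mac in sorted(events):
        if port in shutdown or mac in allowed[port]:
            continue
        if len(allowed[port]) >= max_macs:
            shutdown[port] = ts
            continue
        allowed[port].add(mac)
    return shutdown


def learn_rate_alerts(events, window, threshold):
    """Flag ports where more than `threshold` distinct new MACs were learned
    inside any sliding window of `window` seconds. Returns
    {port: (timestamp of first alert, new MACs in that window)}."""
    seen = defaultdict(set)
    recent = defaultdict(deque)   # port -> timestamps of new-MAC learns
    alerts = {}
    for ts, port, mac in sorted(events):
        if mac in seen[port]:
            continue                 # refresh of a known address, not a learn
        seen[port].add(mac)
        q = recent[port]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()              # drop learns older than the window
        if len(q) > threshold and port not in alerts:
            alerts[port] = (ts, len(q))
    return alerts


def build_sample_events():
    """Constructed sample feed: two normal access ports with stable hosts, and
    one port that suddenly sources 300 distinct MACs within three seconds."""
    events = []
    for t in range(0, 60, 10):                      # normal traffic over a minute
        events.append((t, "Gi1/0/1", "3c:52:82:aa:bb:01"))
        events.append((t + 1, "Gi1/0/1", "3c:52:82:aa:bb:02"))
        events.append((t + 2, "Gi1/0/2", "00:50:56:cc:dd:01"))
    for i in range(300):                            # flood burst starting at t=30
        mac = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)
        events.append((30 + i / 100.0, "Gi1/0/7", mac))
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    print("port security shutdowns:", port_security_check(sample, max_macs=2))
    print("learn-rate alerts      :", learn_rate_alerts(sample, window=1.0, threshold=20))
```

The two checks are complementary: the limit-based check is what a switch enforces locally and reacts after just a handful of addresses, while the rate-based detector is what a monitoring system would run over exported MAC-learning events and can catch a slower flood on ports where a larger MAC limit is legitimately needed (an uplink to a hypervisor, for example).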

Conclusion

The macof command enables launching devastating MAC flooding attacks to overwhelm layer 2 networks. Harnessing macof safely requires in-depth understanding of its inner workings and potential attack vectors.

Network security teams must actively monitor infrastructure for indicators of MAC flooding and have defenses ready to quarantine and respond to attacks. Carefully securing the lower OSI layers is essential to preventing wholescale network failures.

With knowledge, vigilance, and preparation, one can thwart macof misuse and prevent disastrous loss of availability and confidentiality.
