Which description correctly describes a MAC address flooding attack?

Which description correctly describes a MAC address flooding attack?

Which description correctly describes a MAC address flooding attack?

A.
The attacking device crafts ARP replies intended for valid hosts. The MAC address of the
attacking device then becomes the destination address found in the Layer 2 frames sent by the
valid network device.

B.
The attacking device crafts ARP replies intended for valid hosts. The MAC address of the
attacking device then becomes the source address found in the Layer 2 frames sent by the valid
network device.

C.
The attacking device spoofs a destination MAC address of a valid host currently in the CAM
table. The switch then forwards frames destined for the valid host to the attacking device.

D.
The attacking device spoofs a source MAC address of a valid host currently in the CAM table.
The switch then forwards frames destined for the valid host to the attacking device.

E.
Frames with unique, invalid destination MAC addresses flood the switch and exhaust CAM
table space. The result is that new entries cannot be inserted because of the exhausted CAM
table space, and traffic is subsequently flooded out all ports.

F.
Frames with unique, invalid source MAC addresses flood the switch and exhaust CAM table
space. The result is that new entries cannot be inserted because of the exhausted CAM table
space, and traffic is subsequently flooded out all ports.

Explanation:
A common Layer 2 or switch attack is MAC flooding, resulting in a switch’s CAM
table overflow, which causes flooding of regular data frames out all switch ports. This attack can
be launched for the malicious purpose of collecting a broad sample of traffic or as a denial of
service (DoS) attack.
A switch’s CAM tables are limited in size and therefore can contain only a limited number of
entries at any one time. A network intruder can maliciously flood a switch with a large number of
frames from a range of invalid source MAC addresses. If enough new entries are made before old
ones expire, new valid entries will not be accepted. Then, when traffic arrives at the switch for a
legitimate device that is located on one of the switch ports that was not able to create a CAM table
entry, the switch must flood frames to that address out all ports. This has two adverse effects:
• The switch traffic forwarding is inefficient and voluminous.
• An intruding device can be connected to any switch port and capture traffic that is not normally
seen on that port.
If the attack is launched before the beginning of the day, the CAM table would be full when the
majority of devices are powered on. Then frames from those legitimate devices are unable to
create CAM table entries as they power on. If this represents a large number of network devices,
the number of MAC addresses for which traffic will be flooded will be high, and any switch port will
carry flooded frames from a large number of devices.
Reference:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_603836.html



Leave a Reply 0

Your email address will not be published. Required fields are marked *