Which description correctly describes a MAC address flooding attack?
A.
The attacking device crafts ARP replies intended for valid hosts. The MAC address of the
attacking device then becomes the destination address found in the Layer 2 frames sent by
the valid network device.
B.
The attacking device crafts ARP replies intended for valid hosts. The MAC address of the
attacking device then becomes the source address found in the Layer 2 frames sent by the
valid network device.
C.
The attacking device spoofs a destination MAC address of a valid host currently in the
CAM table. The switch then forwards frames destined for the valid host to the attacking
device.
D.
The attacking device spoofs a source MAC address of a valid host currently in the CAM
table. The switch then forwards frames destined for the valid host to the attacking device.
E.
Frames with unique, invalid destination MAC addresses flood the switch and exhaust
CAM table space. The result is that new entries cannot be inserted because of the
exhausted CAM table space, and traffic is subsequently flooded out all ports.
F.
Frames with unique, invalid source MAC addresses flood the switch and exhaust CAM
table space. The result is that new entries cannot be inserted because of the exhausted
CAM table space, and traffic is subsequently flooded out all ports.
Explanation:
A common Layer 2 or switch attack is MAC flooding, resulting in a switch’s CAM table
overflow, which causes flooding of regular data frames out all switch ports. This attack can
be launched for the malicious purpose of collecting a broad sample of traffic or as a denial of
service (DoS) attack.
A switch’s CAM tables are limited in size and therefore can contain only a limited number of
entries at any one time. A network intruder can maliciously flood a switch with a large
number of frames from a range of invalid source MAC addresses. If enough new entries are
made before old ones expire, new valid entries will not be accepted. Then, when traffic
arrives at the switch for a legitimate device that is located on one of the switch ports that was
not able to create a CAM table entry, the switch must flood frames to that address out all
ports. This has two adverse effects:
+ The switch traffic forwarding is inefficient and voluminous.
+ An intruding device can be connected to any switch port and capture traffic that is not
normally seen on that port.
If the attack is launched before the beginning of the day, the CAM table would be full when
the majority of devices are powered on. Then frames from those legitimate devices are
unable to create CAM table entries as they power on. If this represents a large number of
network devices, the number of MAC addresses for which traffic will be flooded will be high,
and any switch port will carry flooded frames from a large number of devices.
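The behaviour described in the explanation above, modelled as a small Python simulation of a CAM table with a fixed capacity and an aging timer. This is an added example, not part of the original question or the referenced white paper; the class and function names, table size, aging time, port numbers and MAC values are all constructed assumptions.

```python
# Toy model of a switch CAM table. Capacity, aging time, ports and MAC
# values are constructed for illustration; real switches differ.
PORTS = [1, 2, 3, 4]

class CamTable:
    def __init__(self, capacity=8, aging=300):
        self.capacity = capacity   # maximum number of entries
        self.aging = aging         # seconds before an idle entry expires
        self.entries = {}          # mac -> (port, last_seen)

    def _expire(self, now):
        self.entries = {m: (p, t) for m, (p, t) in self.entries.items()
                        if now - t < self.aging}

    def learn(self, src_mac, port, now):
        """Record the frame's source MAC; False means the table was full."""
        self._expire(now)
        if src_mac in self.entries or len(self.entries) < self.capacity:
            self.entries[src_mac] = (port, now)
            return True
        return False

    def egress_ports(self, dst_mac, in_port, now):
        """One port for a known destination, all other ports otherwise."""
        self._expire(now)
        if dst_mac in self.entries:
            return [self.entries[dst_mac][0]]
        return [p for p in PORTS if p != in_port]

    def macs_per_port(self):
        """Entries held per port; one port owning the table is the anomaly."""
        counts = {}
        for port, _ in self.entries.values():
            counts[port] = counts.get(port, 0) + 1
        return counts

def simulate(table_filled_first):
    cam, host_b = CamTable(), "aa:aa:aa:aa:aa:02"
    if table_filled_first:
        # Port 4 presents 20 unique, invalid source MACs before hosts power on.
        for i in range(20):
            cam.learn(f"02:00:00:00:00:{i:02x}", port=4, now=0)
    learned = cam.learn(host_b, port=2, now=1)             # host B powers on
    egress = cam.egress_ports(host_b, in_port=1, now=2)    # host A sends to B
    return learned, egress, cam.macs_per_port()

if __name__ == "__main__":
    print(simulate(False))  # normal learning
    print(simulate(True))   # table exhausted before host B appears
```

In the second run host B's address is never learned, so the frame addressed to it leaves on every port except the one it arrived on, and the per-port count shows a single port holding every table entry.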
Reference:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_603836.html