Which type of Layer 2 attack is being used here?

The Company network is being flooded with invalid Layer 2 addresses, causing switch CAM tables to
be filled and forcing unicast traffic to be transmitted out all switch ports. Which type of Layer 2
attack is being used here?

A. MAC spoofing

B. VLAN hopping

C. MAC address flooding

D. DHCP flooding

E. Session hijacking

Explanation:
The correct answer is C, MAC address flooding (also called CAM table overflow). Port security is the standard defence against it. In this attack, the attacker tries to fill the switch's CAM table by sending a large number of frames whose source MAC addresses the switch has not seen before. The switch learns each of these addresses and stores it in its CAM table, believing the address really exists on the port on which the frame arrived. In reality that port is under the attacker's control, and a machine connected to it is generating frames with spoofed (usually random) source MAC addresses. If the attacker keeps sending such frames in large enough quantity and the switch keeps learning them, the CAM table eventually fills with entries for bogus MAC addresses, all mapped to the attacker's port.
Under normal operation, when a machine replies to a frame, the switch learns that the replying machine's MAC address is reachable through the port on which the reply arrived. It records this mapping in the CAM table, so future frames destined for that MAC address are sent only to that port rather than flooded to every port in the VLAN. When the CAM table is full, however, the switch cannot create the entry. From then on, any frame whose destination MAC address has no CAM entry is treated as unknown unicast and is flooded out all ports in the VLAN on which it was received, including the attacker's port. For that traffic the switch behaves like a hub, and the attacker can capture unicast conversations between other hosts on the VLAN. This is what distinguishes the attack from plain MAC spoofing (option A), where the attacker impersonates one specific address rather than exhausting the table.
Reference: http://book.soundonair.ru/cisco/ch05lev1sec2.html
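To make the learn/forward/flood behaviour concrete, here is a small simulator of the mechanism the explanation describes, written for this page (it is not code from the referenced book or from any vendor). It models a switch with a deliberately tiny CAM table, floods it with random source MACs from one port, and then checks whether a later unicast reply between two legitimate hosts is flooded to the attacker's port. Running the same scenario with a per-port MAC limit shows the port-security mitigation. The MAC addresses, port numbers, table size and frame counts are all constructed for the example.

```python
"""CAM-table flooding simulator (added example; not from the referenced book).

Models a tiny Layer 2 switch: it learns source MACs into a bounded CAM
table, forwards known unicast destinations to one port and floods unknown
destinations to every other port in the VLAN. An optional port-security
limit (max MACs per port, shutdown on violation) shows the mitigation.
All MAC addresses, port numbers and sizes below are made up.
"""
import random
from typing import Dict, List, Optional, Set, Tuple

VICTIM = "00:00:5e:00:53:01"   # constructed, attached to port 1
SERVER = "00:00:5e:00:53:02"   # constructed, attached to port 2
ATTACKER_PORT = 3


class Switch:
    def __init__(self, ports: List[int], cam_capacity: int,
                 port_security_max: Optional[int] = None) -> None:
        self.ports = ports
        self.cam_capacity = cam_capacity            # real switches hold thousands; kept tiny here
        self.port_security_max = port_security_max  # None = port security off
        self.cam: Dict[str, int] = {}               # source MAC -> ingress port
        self.err_disabled: Set[int] = set()
        self.violations = 0

    def _macs_learned_on(self, port: int) -> int:
        return sum(1 for p in self.cam.values() if p == port)

    def receive(self, in_port: int, src: str, dst: str) -> Tuple[str, List[int]]:
        """Process one frame and return (action, egress ports)."""
        if in_port in self.err_disabled:
            return "dropped", []
        # Learning phase: bind the source MAC to the ingress port.
        if src not in self.cam:
            if (self.port_security_max is not None
                    and self._macs_learned_on(in_port) >= self.port_security_max):
                # Port-security violation in shutdown mode: err-disable the port.
                self.err_disabled.add(in_port)
                self.violations += 1
                return "violation", []
            if len(self.cam) < self.cam_capacity:
                self.cam[src] = in_port
            # else: table is full, so the (legitimate) entry is NOT created.
        # Forwarding phase.
        out = self.cam.get(dst)
        if out is None or out == in_port:
            # Unknown unicast: flood every live port in the VLAN except the ingress port.
            return "flood", [p for p in self.ports
                             if p != in_port and p not in self.err_disabled]
        return "forward", [out]


def random_mac(rng: random.Random) -> str:
    """Random locally-administered unicast MAC, the kind flooding tools generate."""
    first = (rng.randrange(256) & 0xFE) | 0x02
    rest = [rng.randrange(256) for _ in range(5)]
    return ":".join(f"{b:02x}" for b in [first] + rest)


def run_attack(port_security_max: Optional[int] = None, cam_capacity: int = 64,
               attack_frames: int = 500, seed: int = 1) -> dict:
    """Flood from ATTACKER_PORT, then see whether the attacker receives the
    victim's unicast reply to the server."""
    sw = Switch(ports=[1, 2, ATTACKER_PORT], cam_capacity=cam_capacity,
                port_security_max=port_security_max)
    rng = random.Random(seed)
    for _ in range(attack_frames):
        sw.receive(ATTACKER_PORT, random_mac(rng), random_mac(rng))
    # Legitimate traffic after the table is full (or the attacker's port is down).
    sw.receive(2, SERVER, VICTIM)                    # switch tries to learn SERVER on port 2
    action, egress = sw.receive(1, VICTIM, SERVER)   # victim replies to the server
    return {
        "cam_entries": len(sw.cam),
        "entries_on_attacker_port": sw._macs_learned_on(ATTACKER_PORT),
        "server_learned": SERVER in sw.cam,
        "reply_action": action,
        "attacker_saw_unicast": ATTACKER_PORT in egress,
        "violations": sw.violations,
        "attacker_port_err_disabled": ATTACKER_PORT in sw.err_disabled,
    }


if __name__ == "__main__":
    print("no port security   :", run_attack())
    print("port security max 2:", run_attack(port_security_max=2))
```

Without port security the 64-entry table ends up holding only attacker-generated addresses on port 3, the server's address can no longer be learned, and the victim's reply is flooded to port 3 where the attacker captures it. With a two-address limit on the attacker's port the third spoofed address err-disables that port, the legitimate addresses are learned normally, and the reply is forwarded only to port 2. The simulator ignores CAM aging; on a real switch learned entries expire (five minutes by default on Cisco IOS), which is why an attacker must keep flooding continuously and why a sudden, sustained burst of new source MACs on one access port is the signal to alert on.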


