How does a MAC address table flooding attack work, and what tool is commonly used?
An attacker uses a tool like macof to flood a switch with thousands of frames containing random source MACs (Media Access Control addresses). Once the MAC table is full, the switch floods all traffic out every port — effectively turning it into a hub, allowing the attacker to sniff all traffic.
* MAC flooding turns the switch into a hub. *
Normal switch operation:
- Switch receives a frame → learns the source MAC and associates it with the ingress port
- Switch forwards the frame only out the port associated with the destination MAC
- This means traffic is isolated — host A can't see traffic between host B and host C
The attack (step by step):
- Attacker connects to a switch port and runs
macof macofgenerates up to 8,000 bogus frames per second, each with a random source MAC- Each fake MAC consumes an entry in the switch's CAM table (Content Addressable Memory)
- A typical switch stores 8,000 to 132,000 MAC addresses (Catalyst 6500 stores 132,000)
- Within seconds, the table is completely full
What happens when the table is full:
- The switch cannot learn any new legitimate MAC addresses
- For any frame with a destination MAC not in the table → switch floods it out all ports on that VLAN (Virtual Local Area Network)
- The attacker can now capture all traffic on the VLAN using a packet sniffer (Wireshark)
Important limitation: Traffic is only flooded within the local VLAN. The attacker can only capture traffic on the VLAN they're connected to.
Mitigation: Port Security — limits the number of MAC addresses that can be learned on a port. If the limit is exceeded, the port can be shut down.
Go deeper:
MAC flooding (Wikipedia) — exhausting the CAM table to force fail-open flooding, and the port-security mitigation.
dsniff suite — macof (Wikipedia) — macof is the canonical tool that floods switches with bogus-MAC frames; the same suite supplies arpspoof.