What is MAC Flooding? How to prevent it?

By on October 28th, 2016

MAC Flooding

MAC Flooding is one of the most common network attacks. Unlike other web attacks,  MAC Flooding is not a method of attacking any host machine in the network, but it is the method of attacking the network switches. However, the victim of the attack is a host computer in the network. We are going to see what the MAC Flooding is and how can we prevent it.

To proceed further, we need to know what a switch is and how it works.


Network Switches

A network switch is a computer networking device that connects devices together on a computer network. The switches work very similar to the Network hubs but there are significant differences. The switches have computers inside a network connected to it with physical ports. Thus switches form a network. When incoming data arrives a switch, it will forward the data to one or more ports – computers – where the data is intended to reach. A hub is less advanced and they will broadcast the incoming data to all the ports.


Ethernet Frame

An Ethernet frame is a physical layer communication transmission, comprised of 6 fields which are assembled to transmit any higher layer protocol over an Ethernet Fabric.


What is MAC Flooding?

The MAC Flooding is an attacking method intended to compromise the security of the network switches. Usually, the switches maintain a table structure called MAC Table. This MAC Table consists of individual MAC addresses of the host computers on the network which are connected to ports of the switch. This table allows the switches to direct the data out of the ports where the recipient is located. As we’ve already seen, the hubs broadcast the data to the entire network allowing the data to reach all hosts on the network but switches send the data to the specific machine(s) which the data is intended to be sent. This goal is achieved by the use of MAC tables The aim of the MAC Flooding is to takedown this MAC Table. In a typical MAC Flooding attack, the attacker sends Ethernet Frames in a huge number. When sending many Ethernet Frames to the switch, these frames will have various sender addresses. The intention of the attacker is consuming the memory of the switch that is used to store the MAC address table. The MAC addresses of legitimate users will be pushed out of the MAC Table.  Now the switch cannot deliver the incoming data to the destination system. So considerable number of incoming frames will be flooded at all ports.

MAC Address Table is full and it is unable to save new MAC addresses. It will lead the switch to enter into a fail-open mode and the switch will now behave same as a network hub. It will forward the incoming data to all ports like a broadcasting. Let’s see what are the benefits of the attacker with the MAC Flooding attack.

As the attacker is a part of the network, the attacker will also get the data packets intended for the victim machine. So that the attacker will be able to steal sensitive data from the communication of the victim and other computers. Usually a packet analyzer is used to capture these sensitive data.

After launching a MAC Flood attack successfully, the attacker can also follow up with an ARP spoofing attack. This will help the attacker retaining access to the privileged data even after the attacked switches recover from the MAC Flooding attack.


ARP Spoofing

The ARP Spoofing is an attack where the attacker sends falsified ARP Messages (Address Resolution Protocol) so that the attackers MAC address will be linked with the IP address of a legitimated user in the network. The Address Resolution Protocol is a protocol used by the Internet Protocol usually by the IPv4 to map the IP address of a machine to a physical address like MAC address, also called Ethernet address.


How to prevent the MAC Flooding Attack?

We can prevent the MAC Flooding attack with various methods. The following are some of these methods.

1) Port Security

2) Authentication with AAA server

3) Security measures to prevent ARP Spoofing or IP Spoofing

4) Implement IEEE 802.1X suites

Port Security

The port security is often used as a counter measure for MAC Flooding attack. The switches are configured to limit the number of MAC addresses that can be learned on ports connected to the end stations. Also a small table of ‘secure’ MAC addresses is maintained with the traditional MAC address table. This table also acts as a subset of the MAC address table. Cisco switches are available with in-built port security system.

Authentication with AAA server

In this method, the discovered MAC addresses are authenticated against an authentication, authorization and accounting server (AAA Server) and these addresses are subsequently filtered

Security measures to prevent ARP Spoofing or IP Spoofing.

Security measures to prevent ARP Spoofing or IP Spoofing in some cases may also perform additional MAC address filtering on unicast packets.

Implement IEEE 802.1X suites

Implementing IEEE 802.1X suites will allow packet filtering rules to be installed explicitly by an AAA server based on dynamically learned information about clients, including the MAC address.

These are the methods often used to prevent the MAC Flooding attack.


If you need any further assistance please contact our support department.



5 Responses to “What is MAC Flooding? How to prevent it?”

  1. aman kanaujia says:

    need some more details about port security and rest of the prevention method in description.well,great job.

  2. Aditya Kumar Yadav says:

    Hello Sir, I need more information and sources. to learn about this. i hope you will assist me further.

  3. Isaac, says:

    Thank you for the detailed explanation on MAC Address flooding

  4. Abdulrazaq says:

    Hello sir!
    I need a little bit more info about Port security and AAA Server.

Leave a Reply