CAM Table Overflow Attack Explained

A switch's job is pretty simple: take the information that comes in from one port and pass it along to another port. Most switches are so good at that job that if a device on Port #1 has something private to say to a device on Port #2, those packets can get passed along without any other ports "hearing" what was said — or even knowing the data got passed at all.

If it's happening on your network, all of that is a good thing. But there are some people who don't think that's good, bad actors who would rather see the content of all those packets. For them, it'd be better if the switch instead broadcast every message that passes through it. Unfortunately for your networks, there's a way to overwhelm a switch so that it broadcasts every message it sees. It's called a CAM table overflow attack.

In this blog post, we'll talk about what CAM table overflow attacks are, why someone might do them, and show you the actual commands to run to set up countermeasures that prevent them.

What is a MAC Address?

Quick Definition: A MAC address, or a Media Access Control address, is a network adapter's unique, hardwired address. Every network-enabled device has a network adapter, which has a MAC address. A MAC address is the physical equivalent to an IP address, which is the network's software address. All devices on the same network subnet have different MAC addresses, and switches store MAC addresses for routing purposes.

What is Content-Addressable Memory (CAM)?

Quick Definition: Content-addressable memory is also known as associative storage. It's a special type of computer memory used in specific use cases. Unlike RAM, CAM compares the search data against a table of stored data and returns the address of any matching data. CAM's most frequent use is in networking devices like routers and most importantly for our purposes  switches. In switches, CAM tables store the MAC addresses for different devices on its ports.

What is a CAM Table Overflow Attack?

Quick Definition: A CAM table overflow attack is a hostile act performed against a network switch in which a flood of bogus MAC addresses is sent to the switch. This flood of data causes the switch to dump the valid addresses it has in its CAM database tables in an attempt to make room for the bogus information. After that happens, a switch's default behavior is to broadcast normally private messages to all ports.

An Overview of a CAM Table Overflow Attack [VIDEO]

In this video, Keith Barker covers CAM table overflow attacks. Keith covers just what this sort of attack against a switch is, why someone would want to do one, and how to prevent it. See a live demonstration of an attack and watch the procedure for mitigation.

How Network Switches Work

A switch on a network inspects every frame that passes through it. This inspection is done not only to make sure the data gets to where it's going, but so that responses to each frame can get to the device that originated it. To understand a CAM table overflow attack, it's helpful to spend some time with this functionality.

When a frame enters the network, the switch inspects it and memorizes the source MAC address. It does that so that future forwarding can be done quickly and transparently. In the future, when frames come in destined for devices the switch already has an address for, the switch can take it, forward it on the back plane of the switch and put it right at the port. All the other ports don't get to see those frames.

Imagine a switch with three ports of interest to us. Laptop A (Port #1) is looking to get to Laptop B (Port #2). The switch has already stored their MAC addresses, so if a frame comes in from port #1 destined for port #2, the switch can forward it directly and privately. But imagine that there's an eavesdropper PC on port #3. That eavesdropper wants to see every single frame and will need to trick the switch in order to get them.

Why Do CAM Overflow Attacks Work?

CAM overflow attacks work on the principle that switches only can memorize so many MAC addresses. How many addresses one switch can memorize changes on the switch? Maybe 3,000 to 6,000. Some switches might even go higher than that, but they certainly can't memorize 100,000 or 150,000. At some point, a switch runs out of space and that's what a CAM overflow attack exploits.

A switch's default behavior makes sense from a normal, healthy network operations perspective: it drops old addresses for new ones. After all, if it has been so long that 4,000 new MAC addresses have come through the switch, the devices they're attached to must be gone. Except during a CAM table overflow attack, they're coming from a hostile actor. If our eavesdropper wanted to launch an attack, he could send 100s of 1000s of frames, all with random and bogus source MAC addresses, into the switch.

In a frantic attempt to remember all the new MAC addresses that are flooding into the switch, the switch first fills up all the memory it has in its content-addressable memory space. And then, when it has no more room, it drops the addresses for Laptop A and Laptop B. It no longer remembers where to find either device.

The eavesdropper leaves the attack running, and now as the switch gets frames from Laptop A for Laptop B, the switch has to make a hard decision. It doesn't know where Laptop B is, but has to forward the message to it. The best solution for the switch is to broadcast the message to all ports. Hopefully, one of them is Laptop B.

What happens at that point is that Laptop A's frame goes to not only the intended port, but all other active ports in that same VLAN. That means our eavesdropper can successfully "listen in" on every packet that switch sees.

How to Set Up a CAM Overflow Attack

Now that we understand what a CAM overflow attack is, why someone might want to do one, and the mechanism that makes them possible, we're going to walk through preventing them. The first step is always to get a good baseline, then we'll want to run an actual CAM overflow attack.

We always recommend using a virtualized network to practice on any time you're practicing network maintenance. But that's doubly true when you're doing simulated network attacks. Never practice anything like network attacks on a live network. In our case, we're working in a virtualized environment with three switches that are trunked together.

MAC addresses that show up on one switch from a client go through the trunk and show up on other switches as well. What we want to do is inspect how many MAC addresses each of our switches could memorize. To do that, go to the console for the first switch. Once there, type:

show mac address-table count

This will show you a table of information about the address-table that switch has at its disposal. What we're looking for is toward the bottom of the table. What is the Total Mac Address Space Available? In the switch we're using, we see that it's using five MAC addresses on VLAN 1 and has 5,082 addresses available.

If this is a new process to you, you might repeat this process on the other switches you have and test what VLANs they're servicing, how many MAC addresses are being used and how many they have available.

How to Perform a CAM Overflow Attack

We obviously have control of the machine we'll be launching our CAM table overflow attack from, and we'll now go to its console to run the attack. In our case, it's on Port #3 on switch #1, but the switches are trunked together.

To perform our CAM overflow attack, we're running a utility called macof. The utility's help functionality can be accessed by typing:

macof -h

This outputs a few different options. In our case, we're looking for "-i interface" because we want to specify the interface we're going to use. Otherwise, we can let it choose random numbers for everything else.

When we tell it to begin, this utility will spit out 10s of 1000s of frames — all sourced from random, bogus MAC addresses with no intent of getting anything back. Doing that will saturate the switch. Here's what we type to run our CAM overflow attack:

macof -I eth0

Please keep in mind: we are practicing on a closed track. Everything we're describing here we did on a lab network, not a production network. Always be cautious: do everything you can to ensure you never attack anybody unintentionally. The only way to be sure of that is to always practice on a closed track, on your own equipment.

The Damage From CAM Overflow Attacks

If we go back to either of our switches, we'll find they're hurting. In any switch's console, type:

show mac address-table count

This is the same command we entered before our CAM overflow attack, so the table should be familiar. Except it now tells us that "Total Mac Address Space Available" is 0 – none. We can even repeat that command on our other trunked switches and see that none of them have any mac address space available.

What that means is that on that hypothetical network, any new frames that pass through that network will not be unicast to their recipient, they'll be broadcast. That switch has become a candidate for an eavesdropping attack because it no longer knows where any devices live on any of its ports.

Opportunities for eavesdropping isn't the only consequence of a CAM table overflow attack. Another side effect to overwhelming the switch is to get it to the point that it seizes up and goes down. If the switch can't handle so many inbound requests well, it can result in a Denial of Service attack.

Our objectives in this post were identify what a CAM table overflow attack is, why it works, and how to prevent it. We now see that a CAM table overflow attack is what you get when more MAC addresses than a switch can remember are sent. As a result, the switch doesn't know where valid hosts live, and the switch instead reverts to a broadcast – making communications open to be intercepted. Now let's explore how easy it is to prevent one.

How to Prevent a CAM Table Overflow Attack

The most reliable way to prevent a CAM table overflow attack is also the easiest: don't turn on your switch. It seems too simple to be true, but if your switch is never powered on, you can't be the victim of a CAM table overflow attack.

Now, some people might poke holes in that. Some people just can't be pleased. They'll want to both have their switches powered on and also prevent CAM table overflow attacks. Joking aside, the second-most reliable way to prevent a CAM table overflow attack is also very easy. The actual way to prevent a CAM table overflow attack is to instruct each port that there's a limit to how many MAC addresses it can have, and that's done with port security.

Port security can tell each of the ports that you configure it on that the port should only memorize a maximum number of MAC addresses. The default is 1, but it's not a bad idea to set the limit at 5. Some devices or machines may need additional MAC addresses.

But whatever the limit, when we instruct each port that there is a maximum, if it tries to go beyond that limit, the switch will shut down the port. That solves the problem of a CAM table overflow attack.

Port security has lots of bells and whistles, so-called "nerd knobs" that we can tweak and turn. We won't go into the customizations, because the bottom line is the most important for us here: by telling the switch not to learn so many MAC addresses on each individual port, we mitigate a CAM table overflow's attack method of overwhelming the switch.

To implement it, we'll need to be on our switch's console. Once there, we'll be focusing on port gig 0/3 because we happen to know that's where our offending machine is coming in from. Start by going into interface configuration mode by typing:

configure terminal

Then into our gig 0/3's interface mode by typing:

int g 0/7

A good first thing to do is shut down the port and bring it back up. That's just to flush out all the MAC addresses that were learned on that port. This is also called bouncing the port. Bounce the port by typing:

shutdown

no shutdown

Port security also requires that the port be administratively configured as an Access Port. Our next step, then, is to configure the port as an access port by typing:

switchport mode access

Next, we want to set the maximum number of MAC addresses to 5. Although the default is 1, with virtual machines and other tools we might want to have some wiggle room. Set the maximum number by typing:

switchport port-security maximum 5

You might think that's all it takes. But many people forget the final step: enable the feature itself. To do that takes typing the switchport port-security command with no options:

switchport port-security

Once it's enabled, verify it by typing:

do show port-security

Note: This resembles the command we gave earlier, but we use "do" because we're in configuration mode – the command from privileged mode would just be "show port-security".

This outputs a table that tells us we have Port Security configured on Gi0/3 and the maximum MAC addresses is 5. The same table shows that the current MAC address is 0. And the action – if we were to see a security violation – is to shut down.

Exit that terminal's config mode and config altogether by typing:

exit

exit

When CAM Overflow Attacks Fail

Now that we've implemented port security and limited the maximum number of MAC addresses our ports can give out, we can go back and launch the attack one more time. This time we should have much different results.

In our device running macof, type:

macof -I eth0

How you get alerted to the attack will depend on your console management GUI. In our case, our Switch #1 console lit up to tell us that there was console information available.

Depending on what your own GUI does to inform you of such an error, heading to the switch in question should reveal a console message. Ours told us that a port security violation had occurred. The particular message told us that Gi0/3 was in error-disabled state because of a port-security violation. If you're looking for details on the port-security issues, you can type:

show port-security

That will show details about what's currently happening with that port. The table looks familiar, except "SecurityViolation" has changed to 1. Now, if we kept repeating this simulated attack by bringing the switch on and then letting it get shut down, that number would keep counting, ticking up each time.

If we wanted to see details about all the ports that were currently in error disabled state, we could so by typing:

show inter status err-disabled

The table we see after typing that tells us that only one port is "err-disabled" because of a "psecure-violation". Port security did its job and stopped the same previously successful CAM overflow attack in its tracks.

Wrapping Up

This post covered only the bare essentials about what a CAM table overflow attack is, why it's done and how to prevent one. There is a lot more to learn about network security and penetration testing methods. Learn how to (start link) perform white hat hacking with CBT Nuggets' 127 videos or study for the (ISC)² CISSP certification.