1
00:00:01,040 --> 00:00:05,270
ation of a MAC flood is to make a switch behave like a hub.

2
00:00:05,930 --> 00:00:10,340
As I mentioned before, a hub sends the packet it receives to all of its ports.

3
00:00:11,240 --> 00:00:17,510
However, a switch sends the packet only to the target system, so we can make the switch behave like

4
00:00:17,510 --> 00:00:17,990
a hub.

5
00:00:18,620 --> 00:00:24,740
Then it would send a packet to all of its ports, and I could listen to the traffic even though I'm

6
00:00:24,740 --> 00:00:25,580
not the target.

7
00:00:26,750 --> 00:00:33,050
In a MAC flooding attack, within a very short time, the switch's MAC address table is full of fake

8
00:00:33,050 --> 00:00:34,700
MAC address and port mappings.

9
00:00:35,510 --> 00:00:41,210
Once the switch's MAC address table is full and it cannot save any more MAC addresses, it generally

10
00:00:41,210 --> 00:00:46,260
enters into a fail-open mode and it starts behaving like a network hub.

11
00:00:47,090 --> 00:00:53,090
Ethernet switches use MAC address tables to determine where to forward traffic on a LAN.

12
00:00:53,720 --> 00:01:00,380
So let's go step by step to understand how the MAC address table is built and used by an Ethernet switch

13
00:01:00,920 --> 00:01:04,280
to help traffic move along the path to its destination.

14
00:01:05,240 --> 00:01:10,790
Now, suppose that all of the devices connected to the switch are powered on, but have not seen any

15
00:01:10,790 --> 00:01:11,510
traffic yet.

16
00:01:12,170 --> 00:01:15,530
In this case, the MAC address table of the switch would be empty.

17
00:01:16,840 --> 00:01:20,830
Now, suppose Computer A wants to send traffic to the server.

18
00:01:22,110 --> 00:01:26,580
It prepares an Ethernet frame and it sends it off toward the switch.

19
00:01:27,510 --> 00:01:34,620
The first thing the switch would do when receiving the traffic is to create a new entry in its MAC address

20
00:01:34,620 --> 00:01:36,150
table for Computer A's

21
00:01:36,150 --> 00:01:37,950
MAC address. Makes sense.

22
00:01:39,180 --> 00:01:45,780
The switch then performs a lookup on its MAC address table to determine whether it knows which port

23
00:01:45,780 --> 00:01:46,980
to send the traffic to.

24
00:01:47,830 --> 00:01:50,950
And since no matching entries exist in the switch's table,

25
00:01:52,100 --> 00:01:57,680
it floods the frame out all of its interfaces, except the receiving port.

26
00:01:59,270 --> 00:02:05,030
Because the frame was sent out to all the switch's other ports, it is received by the target server

27
00:02:05,030 --> 00:02:05,450
as well.

28
00:02:06,560 --> 00:02:12,650
Then the server sends a new frame back toward the switch; the other systems which received the frame

29
00:02:12,950 --> 00:02:13,520
do nothing.

30
00:02:15,040 --> 00:02:21,970
The switch receives the frame and creates a new entry in its MAC address table for the server's MAC

31
00:02:21,970 --> 00:02:22,400
address.

32
00:02:24,300 --> 00:02:30,300
It then performs a lookup of its MAC address table to determine whether it knows which port to send

33
00:02:30,300 --> 00:02:31,470
the server's traffic to.

34
00:02:32,040 --> 00:02:39,750
And in this case, it does, so it sends the return traffic out only on the port of Computer A without

35
00:02:39,750 --> 00:02:40,170
flooding.

36
00:02:42,020 --> 00:02:48,950
So this process repeats as devices continue to send traffic to each other. An important detail to remember

37
00:02:49,250 --> 00:02:53,870
is that the MAC address table timeout is typically short.

38
00:02:54,680 --> 00:02:59,930
So, for example, the default timeout duration of Cisco switches is five minutes.

39
00:03:00,290 --> 00:03:07,070
So an entry is left in the table only for that specified amount of time before the timeout expires

40
00:03:07,400 --> 00:03:09,410
and the entry is removed from the table.

41
00:03:10,740 --> 00:03:14,340
Let's look at this switching mechanism from a cybersecurity point of view.

42
00:03:15,240 --> 00:03:18,210
The mechanism has two weaknesses in it.

43
00:03:18,540 --> 00:03:25,830
First, when the target MAC address is not in the MAC address table, the frames are flooded out of

44
00:03:25,830 --> 00:03:26,890
all the ports.

45
00:03:26,910 --> 00:03:32,190
So unintended systems on the network are capable of sniffing these frames.

46
00:03:33,000 --> 00:03:39,510
The second weakness is that when the MAC address table is full, no new record is accepted.

47
00:03:40,440 --> 00:03:45,600
So what if I fill that table by announcing thousands of fake MAC addresses from a port of the switch?

48
00:03:46,560 --> 00:03:52,890
Most of the switches start to behave like a network hub in such a situation, which means they send

49
00:03:52,890 --> 00:03:54,810
each frame to all of the ports.
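The learning, lookup, flooding, aging and table-full behaviour walked through in this lesson, replayed in a small Python model. This is an added example, not part of the course material or transcript: the switch has a constructed capacity of four table entries, three ports (1 = Computer A, 2 = server, 3 = another host), constructed MAC addresses, and an optional per-port MAC limit in the spirit of port security, simplified to "drop the frame and count a violation" rather than any vendor's exact violation modes. The five-minute aging value is the one the lesson quotes for Cisco defaults.

```python
"""Toy model of a learning Ethernet switch (hypothetical example).

Shows MAC table learning, lookup, flooding on unknown destinations, entry
aging, the fail-open behaviour when the table is full, and a per-port MAC
limit as the mitigation. Capacities, ports and MACs are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src: str  # source MAC address
    dst: str  # destination MAC address


class LearningSwitch:
    def __init__(self, ports, table_capacity, aging_seconds=300, max_macs_per_port=None):
        self.ports = list(ports)
        self.table_capacity = table_capacity        # constructed: a tiny MAC table
        self.aging_seconds = aging_seconds          # lesson: Cisco default is 5 minutes
        self.max_macs_per_port = max_macs_per_port  # None = no port security
        self.table = {}                             # mac -> (port, last_seen)
        self.violations = []                        # (port, mac) rejected by port security

    def _age_out(self, now):
        """Remove entries not refreshed within the aging time (weakness #1 reappears)."""
        for mac in [m for m, (_, seen) in self.table.items() if now - seen > self.aging_seconds]:
            del self.table[mac]

    def _macs_on_port(self, port):
        return sum(1 for p, _ in self.table.values() if p == port)

    def receive(self, frame, in_port, now):
        """Process one frame arriving on in_port; return the list of egress ports."""
        self._age_out(now)
        is_new = frame.src not in self.table
        # Mitigation: a per-port MAC limit refuses to learn beyond the limit and drops the
        # frame, so one port cannot fill the whole table.
        if is_new and self.max_macs_per_port is not None \
                and self._macs_on_port(in_port) >= self.max_macs_per_port:
            self.violations.append((in_port, frame.src))
            return []
        # Learning: refresh a known MAC, or add it while there is room. When the table is
        # full a new source is simply not recorded (weakness #2 in the lesson).
        if not is_new or len(self.table) < self.table_capacity:
            self.table[frame.src] = (in_port, now)
        # Forwarding: known destination -> its port only; unknown -> flood every other port.
        if frame.dst in self.table:
            return [self.table[frame.dst][0]]
        return [p for p in self.ports if p != in_port]


A, SERVER = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"     # constructed MACs
BURST = [f"de:ad:be:ef:00:{i:02x}" for i in range(10)]   # constructed: many new sources on one port


def run_scenario(max_macs_per_port=None):
    """Replay the lesson's walkthrough; returns the egress ports of each step plus table state."""
    sw = LearningSwitch(ports=[1, 2, 3], table_capacity=4, max_macs_per_port=max_macs_per_port)
    first = sw.receive(Frame(A, SERVER), in_port=1, now=0)     # table empty -> flooded
    reply = sw.receive(Frame(SERVER, A), in_port=2, now=1)     # A is known -> unicast to port 1
    aged = sw.receive(Frame(SERVER, A), in_port=2, now=302)    # >300 s later, A aged out -> flood
    for i, src in enumerate(BURST):                            # burst of new sources on port 3
        sw.receive(Frame(src, "ff:ff:ff:ff:ff:ff"), in_port=3, now=303 + i)
    sw.receive(Frame(A, SERVER), in_port=1, now=320)           # A talks again; is it learned?
    after = sw.receive(Frame(SERVER, A), in_port=2, now=321)   # does the reply stay on port 1?
    return {"first": first, "reply": reply, "aged": aged, "after": after,
            "table_size": len(sw.table), "violations": len(sw.violations)}
```

Without the per-port limit, the burst fills the four-entry table, Computer A can no longer be learned, and the server's reply is flooded to port 3 as well, which is the fail-open condition the lesson describes. With `max_macs_per_port=1`, only the first new source on port 3 is learned, the rest are counted as violations, and the reply to Computer A stays on port 1.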