What attack technique attempts to fill a switching table so the attackers can capture traffic passing through a switch?
- VLAN hopping
- MAC spoofing
- Rogue device
- MAC flooding
MAC flooding is an attack technique in which frames with unique but invalid source MAC addresses flood the switch and exhaust the CAM table space. Eventually no more MAC addresses can be added because the table is full. When this occurs, any frame destined for a MAC address not in the table is flooded out all other ports. This allows the attacker to see the flooded traffic and capture information; the switch is essentially functioning as a hub in this case.
Two methods of mitigating these attacks are:
- Implementing port security
- Implementing VLAN access maps
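The following is an added, simplified model (not Cisco code and not part of the original answer) of how a full CAM table turns the switch into a hub, and how a per-port MAC limit in the style of port security stops it. The capacity of 8 entries, the three-port switch and the MAC addresses are constructed values for illustration; real switches hold thousands of entries and age them out over time.

```python
class Switch:
    """Toy model of a switch CAM table with optional port security (constructed)."""

    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = ports
        self.cam_capacity = cam_capacity            # total entries the table can hold
        self.max_macs_per_port = max_macs_per_port  # None: port security off
        self.cam = {}                               # mac -> port
        self.err_disabled = set()                   # ports shut down by a violation

    def receive(self, in_port, src_mac, dst_mac):
        """Learn src_mac on in_port, then return the egress ports for dst_mac."""
        if in_port in self.err_disabled:
            return []                               # port is down, frame dropped
        if src_mac not in self.cam:
            if self.max_macs_per_port is not None:
                on_port = sum(1 for p in self.cam.values() if p == in_port)
                if on_port >= self.max_macs_per_port:
                    self.err_disabled.add(in_port)  # violation mode "shutdown"
                    return []
            if len(self.cam) < self.cam_capacity:
                self.cam[src_mac] = in_port
            # else: table full, the new address is simply not learned
        out = self.cam.get(dst_mac)
        if out is None:                             # unknown unicast: flood, hub-style
            return [p for p in self.ports if p != in_port]
        return [out]

    def age_out(self, mac):
        """Aging timer expiry for one entry (real switches age entries after ~300 s)."""
        self.cam.pop(mac, None)


def flood_scenario(port_security):
    """Egress ports for a victim A -> victim B frame after an attacker on port 3
    has flooded bogus source MACs; returns [2] if only B receives it."""
    sw = Switch(ports=[1, 2, 3], cam_capacity=8,
                max_macs_per_port=2 if port_security else None)
    a, b = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    sw.receive(1, a, b)                     # A learned on port 1
    sw.receive(2, b, a)                     # B learned on port 2
    for i in range(20):                     # attacker: unique bogus source MACs
        sw.receive(3, f"de:ad:be:ef:00:{i:02x}", "ff:ff:ff:ff:ff:ff")
    sw.age_out(b)                           # B's entry expires
    for i in range(20, 40):                 # flooding continues, freed slot is taken
        sw.receive(3, f"de:ad:be:ef:00:{i:02x}", "ff:ff:ff:ff:ff:ff")
    sw.receive(2, b, a)                     # B talks again; relearn fails if table full
    return sw.receive(1, a, b)              # [2, 3]: attacker sees it; [2]: it does not
```

Without the per-port limit the frame from A to B is flooded to the attacker's port; with it, the attacker's port is shut down after the third bogus address and the table never fills.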
VLAN hopping is an attack that allows an attacker to access network resources on a different VLAN without passing through a router. The attacker can create a frame carrying two 802.1Q VLAN tags (called double tagging) and send it to a switch. The switch strips off the outer tag and forwards the frame with the inner tag still attached. The inner tag is then treated as the originating VLAN, giving the attacker access to a VLAN they are not connected to. Executing the switchport mode access command on all non-trunk ports can help prevent this attack. Pruning the native VLAN from a trunk link can also help.
VLAN hopping is a security concern because it can be accomplished without the packet passing through a router and its security access lists. For this reason, private VLANs and VACLs should be used to secure access between VLANs. Techniques to prevent these attacks are:
- Prevent automatic trunk configurations by explicitly turning off Dynamic Trunking Protocol on all unused ports
- Place unused ports in a common unrouted VLAN
MAC spoofing is an attack in which an attacking device changes its assigned Media Access Control (MAC) address to that of another networked device so that it receives frames intended for that host. Changing the assigned MAC address may allow the device to bypass access control lists on servers or routers, either hiding a computer on a network or allowing it to impersonate another computer.
A rogue device is a device attached to the network that is not under the control of the organization. This term is normally used to mean a wireless device, perhaps an access point that is not operating as a part of the company’s infrastructure. Employees may bring their own access points and connect them to the network so they can use their computer wirelessly. This creates a security gap since the device is probably not secured to protect the traffic. An attacker could connect a rogue access point to a company’s network and capture traffic from outside the company’s premises.
Layer 2 Technologies
Configure and verify switch administration