Which of the following attacks involves overwhelming a switch’s CAM table? (Select the best answer.)
- ARP poisoning
- ARP spoofing
- MAC flooding
- MAC spoofing
A Media Access Control (MAC) flooding attack involves overwhelming a switch’s content addressable memory (CAM) table. Switches and bridges store learned MAC addresses in the CAM table, which is also known as the MAC address table. When the CAM table becomes full, no more MAC addresses can be learned. If a switch receives traffic destined for a MAC address that is not in its MAC address table, the switch floods the traffic out every port except the port that originated the traffic. Consequently, in a MAC flooding attack, an attacker attempts to fill the CAM table so that any further traffic will be sent to all ports. Then, because traffic is flooded out every interface, the attacker can view any traffic that is sent to the switch.
A MAC spoofing attack involves using the MAC address of a legitimate host on the network in order to bypass port security measures, not overwhelming a switch’s CAM table. Normally, the MAC address associated with a host corresponds to the unique, burnedin address (BIA) of its network interface. However, in a MAC spoofing attack, a malicious user virtually modifies the BIA to match the MAC address of the legitimate host on the network. Mimicking the MAC address of a known host can be used to overcome simple security measures such as Layer 2 access control lists (ACLs).
An Address Resolution Protocol (ARP) poisoning attack, which is also known as an ARP spoofing attack, involves sending gratuitous ARP (GARP) messages to a target host. The GARP messages associate the attacker’s MAC address with the IP address of a valid host on the network. Subsequently, traffic sent to the valid host address will go to the attacker’s computer rather than to the intended recipient.