1. Introduction

In this tutorial, we’ll look into the MAC Flooding and MAC Cloning attacks, how they work, their goal, and how to protect our networks from them. We’ll follow a case where an attacker tries to flood the network and one where they try to clone a MAC address and see how they both are done step by step.

2. Switched LAN Network

Since these attacks target switched LAN networks, let’s quickly examine how such a network generally works.

In a switched network, each device (e.g., computer, server, printer) is connected to a switch. The switch keeps track of which device is reachable through each port by maintaining a table called the “MAC Address Table”, which maps each device’s MAC address to the corresponding switch port. MAC addresses are intended to be globally unique: every network interface ships with a different address burned in by its manufacturer (although, as we’ll see, the address an interface actually puts on the wire can be changed in software).

When a device on the network wants to communicate with another, it sends an Ethernet frame containing, among other information, the source MAC address and the destination MAC address. The switch receives this frame and uses the destination MAC address to pinpoint the correct port in the MAC Address Table. It then forwards the frame out of that port, and the two devices communicate this way.

3. What Are MAC Flooding and MAC Cloning?

4.1. MAC Flooding Attack

In a MAC Flooding attack, the attacker connects to a switch port and sends a large number of fake Ethernet frames, each carrying a different source MAC address but the same destination MAC address. The goal of this step is to fill up the switch’s MAC Address Table with bogus entries and force the switch into fail-open mode:

[Figure: the MAC Address Table before the attack]

The switch learns each source address by adding it to its MAC Address Table, and because the attacker uses a huge number of different fake addresses, the table quickly fills up. This is why every MAC address the attacker sends must be different for the attack to succeed: if the attacker reused a small set of addresses, the MAC Address Table could hold them all without overflowing:

[Figure: the attacker sends a large number of Ethernet frames with different source MAC addresses. After the attacker’s intervention the MAC Address Table is full and cannot add new entries, so the switch is in fail-open mode]

When the MAC Address Table is full, the switch can no longer learn new addresses and therefore cannot use the table to determine the correct port for a frame whose destination it has not stored. Instead, it enters a “fail-open” mode and starts forwarding such frames out of all ports, which causes network congestion and can disrupt network communication:


Now that the attacker has forced the switch into fail-open mode, they can send frames to any device on the network. This can disrupt network communication and potentially allow the attacker to steal sensitive information, since frames meant for other devices are now also delivered to the attacker’s port. How much of that traffic is readable depends, of course, on the other security measures in place on the network, such as encryption of the traffic itself.

4.2. MAC Cloning Attack

Now let’s take a look at a MAC Cloning attack to see how it works and try to figure out the differences it would have from a MAC Flooding one:

First, the attacker monitors network traffic to identify a legitimate device on the network that they want to impersonate. This could be a device with elevated privileges or access to sensitive information:


The attacker spoofs the MAC address of the legitimate device and connects to the network. This allows the attacker to impersonate the legitimate device and potentially gain access to its privileges or sensitive information:


Now that the attacker has successfully impersonated the legitimate network entity, they can intercept and modify network traffic sent to and from that device. This allows the attacker to read on-the-wire information or write their own data into the frames:


Finally, the attacker can use the access they gained by impersonating the legitimate device to launch further attacks on other devices on the network, be it injecting malicious code, performing man-in-the-middle attacks, trying to elevate their privileges, gaining user access on servers or other machines, and so on.
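Both attacks leave a visible trace in the switch’s learning behaviour: a flooding port learns an abnormal number of distinct source MAC addresses in a short time, and a cloned address shows up behind a second port. The monitor below is an added example (not code from the original tutorial) that detects both patterns over a constructed stream of (timestamp, port, source MAC) learn events; the port names, addresses and thresholds are made up for the example.

```python
from collections import defaultdict, deque

# Constructed sample observations (timestamp in seconds, switch port, source MAC).
# Made-up values for this example, not captures from any real network.
SAMPLE_FRAMES = (
    [(0.0, "Gi1/0/1", "00:11:22:33:44:01"),
     (0.1, "Gi1/0/2", "00:11:22:33:44:02")]
    # Port Gi1/0/7 suddenly learns 120 distinct source MACs: the flooding pattern.
    + [(0.3 + i / 1000, "Gi1/0/7", f"de:ad:be:ef:{i // 256:02x}:{i % 256:02x}")
       for i in range(120)]
    # The MAC learned on Gi1/0/1 reappears on Gi1/0/9: cloning, or a genuine MAC move.
    + [(2.0, "Gi1/0/9", "00:11:22:33:44:01")]
)

class MacTableMonitor:
    """Flags ports that learn too many MACs within a sliding window (flooding)
    and addresses that move from one port to another (possible cloning)."""

    def __init__(self, max_macs_per_port=8, window_seconds=1.0):
        self.max_macs_per_port = max_macs_per_port
        self.window_seconds = window_seconds
        self.learned = {}                 # mac -> port it was first learned on
        self.recent = defaultdict(deque)  # port -> deque of (ts, mac) learn events
        self.flagged_ports = set()        # ports already reported for flooding
        self.alerts = []

    def observe(self, ts, port, mac):
        mac = mac.lower()
        prev_port = self.learned.setdefault(mac, port)
        if prev_port != port:
            # Same address now seen behind a different port: cloning or a MAC move.
            self.alerts.append(("mac_move", port, mac))
            self.learned[mac] = port
        events = self.recent[port]
        events.append((ts, mac))
        # Drop learn events that fell out of the sliding window.
        while events and ts - events[0][0] > self.window_seconds:
            events.popleft()
        distinct = len({m for _, m in events})
        if distinct > self.max_macs_per_port and port not in self.flagged_ports:
            self.flagged_ports.add(port)
            self.alerts.append(("flood", port, distinct))

def run(frames, **kwargs):
    """Feed learn events in timestamp order and return the list of alerts."""
    monitor = MacTableMonitor(**kwargs)
    for ts, port, mac in sorted(frames):
        monitor.observe(ts, port, mac)
    return monitor.alerts

if __name__ == "__main__":
    for alert in run(SAMPLE_FRAMES):
        print(alert)
```

Thresholds must be tuned per port role, since a trunk or hypervisor uplink legitimately carries many addresses and a migrated virtual machine legitimately moves; the same per-port address limit is what a switch’s port-security feature enforces directly at the port.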

These two types of attacks, MAC Flooding and MAC Cloning, can also be chained: if one succeeds, the attacker can use the access they gained to launch the other, depending on the purpose of their meddling with the network.