3.2 MAC Flooding and Spoofing

MAC Spoofing

changing a device’s MAC address to pretend to be another device

Purpose of MAC Spoofing

bypass security or trick the network into sending someone else’s data

MAC Spoofing Analogy

like wearing someone else’s nametag so the network thinks you’re them

MAC Addresses and NICs

MACs are hardcoded but many drivers allow software-level modification

MAC Flooding

overwhelming a switch with many fake MAC addresses

Effect of MAC Flooding

forces a switch to flood traffic to all ports, acting like a hub

Why Flooding Helps Attackers

broadcast traffic makes data easy to capture

CAM Table Purpose

maps MAC addresses to specific switch ports

CAM Table Attack Behavior

thousands of fake MACs fill the table

Fail-Open State

switch broadcasts all traffic when CAM table is full

MAC Spoofing Sign

same MAC address appears on two different ports

MAC Flooding Sign

many new MAC addresses suddenly appear on one port

Duplicate IP Significance

often indicates MAC spoofing

Flooding Danger

attackers capture sensitive data and network performance degrades

CAM Table Under Attack Sign 1

multiple MAC addresses show up on a single port

CAM Table Under Attack Sign 2

MAC assignments change frequently on one port

Spoofing vs Flooding

spoofing targets a specific identity; flooding affects the entire switch

Signs of Spoofing or Flooding 1

unknown MAC addresses appear

Signs of Spoofing or Flooding 2

multiple MAC addresses on the same port

Signs of Spoofing or Flooding 3

frequent MAC changes on a port

Real-World Analyst Task

monitoring for unusual network activity to prevent damage

Difference: Spoofing vs Flooding

spoofing impersonates; flooding overwhelms the switch

Flooding Impact on CAM Table

CAM table fills up with fake MAC entries

Reason for Duplicate IPs During Spoofing

attacker impersonates an existing device

Signs of MAC Flooding

many MACs on one port; unknown MACs exploding in count

Fail-Open Consequence

switch broadcasts all traffic, exposing sensitive data