09-13-2005 03:36 AM - edited 03-03-2019 12:01 AM
Hi all
In our LAN, we have detected that on a specific port of one of our Catalyst 3550 switches, the MAC address table for this port increases and decreases quickly, showing MAC addresses we don't know (as in our network most PC MAC addresses are locally administered). We know there are one or 2 hubs connected to this port and a maximum of 30 PCs, but sometimes we see 600 MAC addresses on this port.
Is this behaviour a symptom of a virus or some kind of attack?
Thanks in advance
09-14-2005 03:06 AM
There can be a great possibility of a MAC overflow attack on the switch port. Try turning ON the switchport security mode to limit the number of MAC addresses learned on the switch port.
Sridhar.
09-14-2005 03:41 AM
This could be one or more stations spoofing MAC addresses.
To mitigate this you can use Port Security (see http://cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_5_4/config/sec_port.htm for how) to specify the number of PCs/MACs that can be connected to any single switch port, which then blocks the MAC addresses that exceed the specified limit or shuts down the port (this option is sometimes problematic, so try to avoid this route).
You can use also MAC Access Lists and VLAN Access Maps to restrict user access. How this is done for the 3550 series is available here: http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml.
There is a very good whitepaper on SAFE Layer 2 Security In-depth that covers these and other options along with best-practices available here: http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml.
In reality, if things are working fine but you are noticing abnormal MAC quantities, configure port security as above.
Cheers,
Josef.
09-14-2005 03:49 AM
There are programs out there that are designed to generate traffic from different MAC addresses with the aim of bringing down the switch. The way they work is to overflow the forwarding table, at which point the switch becomes a hub, and you can snoop all its traffic. The best known goes by the dubious name of MACOFF. But somehow I don't think that is what is happening - if it was that, then you would be seeing many thousands of MAC addresses, and not just a few hundred.
http://www.cisco.com/networkers/nw02/presos/pws/docs/PS-550.pdf
You say that the PC MAC addresses are locally administered, and that you do not recognise these rogue addresses. But is there any pattern to them? Do you recognise the maker's ID in the first 3 bytes? Here is a web page to help you:
You say there are "one or two" hubs connected to that port, and I find that curious. Is it one, or is it two? Because with 600 addresses, I think it is much more likely that some network topology issue is causing the whole network to be seen behind that port. How many hosts do you have on the LAN altogether? Is it possible that the hub(s) has/have been connected at two different points on your network?
Kevin Dorrell
Luxembourg
09-14-2005 04:38 AM
Thank you all for the responses.
I've already seen the port-security feature and applied it to that specific port. So now the MAC flooding has stopped.
Kevin, regarding what you say about the maker's ID: curiously, the first 3 bytes are random, but some patterns repeat in the last 2 bytes. About "our whole network to be seen behind that port", I think in that case we would see a lot of well-known locally administered MAC addresses on that port, wouldn't we?
I agree with you: if it was a DoS attack we would see thousands of MAC addresses, so we are suspecting some kind of software (maybe malicious or misconfigured) generating those MAC addresses. Have you seen this before?
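A way to run the checks Kevin suggests (locally administered bit, maker's ID in the first three bytes, host count per port) over a dump of the switch's MAC table. This is an added example, not code from the thread; the table lines are constructed and the layout assumed is that of `show mac address-table` (VLAN, dotted-hex MAC, type, port):

```python
import re
from collections import defaultdict
# Constructed sample in the assumed layout of `show mac address-table` (VLAN, MAC, type, port).
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0200.0c11.0001    DYNAMIC     Fa0/1
  10    0200.0c11.0002    DYNAMIC     Fa0/1
  10    3c11.a201.aa01    DYNAMIC     Fa0/7
  10    a4b2.0f33.aa02    DYNAMIC     Fa0/7
  10    8c0e.7d44.aa03    DYNAMIC     Fa0/7
  10    0200.0c11.0009    DYNAMIC     Fa0/7
"""
ENTRY_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.I)
def parse_mac_table(text):
    """Yield (vlan, 6 raw MAC bytes, type, port); header rows and non-numeric VLANs are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            vlan, mac, typ, port = m.groups()
            yield int(vlan), bytes.fromhex(mac.replace(".", "")), typ.upper(), port
def is_locally_administered(mac):
    # Bit 0x02 of the first octet set = locally administered; clear = vendor OUI in the first 3 bytes.
    return bool(mac[0] & 0x02)
def port_summary(text):
    """Per port: dynamic MAC count, how many carry a vendor OUI, and the set of distinct OUIs."""
    per_port = defaultdict(lambda: {"total": 0, "universal": 0, "ouis": set()})
    for _vlan, mac, typ, port in parse_mac_table(text):
        if typ != "DYNAMIC":
            continue  # static/CPU entries are not learned from hosts
        s = per_port[port]
        s["total"] += 1
        if not is_locally_administered(mac):
            s["universal"] += 1
            s["ouis"].add(mac[:3].hex())
    return dict(per_port)
def suspicious_ports(text, max_macs=30, min_distinct_oui_ratio=0.8):
    """Flag ports with more MACs than hosts expected behind them, and ports whose vendor MACs use mostly different OUIs."""
    flagged = {}
    for port, s in port_summary(text).items():
        reasons = []
        if s["total"] > max_macs:
            reasons.append("%d MACs exceeds expected maximum of %d" % (s["total"], max_macs))
        if s["universal"] >= 3 and len(s["ouis"]) / s["universal"] >= min_distinct_oui_ratio:
            reasons.append("%d distinct vendor OUIs across %d vendor MACs" % (len(s["ouis"]), s["universal"]))
        if reasons:
            flagged[port] = reasons
    return flagged
```

On a real dump, compare the flagged ports against the known hub ports and the expected 30 hosts; a port where most prefixes are random vendor OUIs rather than the site's locally administered range is the one to pin down with port security.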