MAC add table increasing, attack?

jolmo
Level 4

Hi all

In our LAN, we have detected on a specific port of one of our Catalyst 3550s that the MAC address table for this port increases and decreases quickly, showing MAC addresses we don't know (as in our network most PC MAC addresses are locally administered). We know there are one or two hubs connected to this port and a maximum of 30 PCs, but sometimes we see 600 MAC addresses on this port.

Is this behaviour a symptom of a virus or some kind of attack?

Thanks in advance

4 Replies

There is a great possibility of a MAC overflow attack on the switch port. Try turning on the switchport security mode to limit the number of MAC addresses learned on the switch port.

Sridhar.

Josef Oduwo
Level 7

This could be one or more stations spoofing MAC addresses.

To mitigate this you can use Port Security (see http://cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_5_4/config/sec_port.htm for how) to specify the number of PCs/MACs that can be connected to any single switch port, which then blocks the MAC addresses that exceed the specified limit or shuts down the port (this option is sometimes problematic, so try to avoid this route).

You can also use MAC Access Lists and VLAN Access Maps to restrict user access. How this is done for the 3550 series is available here: http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml.

There is a very good whitepaper on SAFE Layer 2 Security In-depth that covers these and other options along with best-practices available here: http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml.

In reality, if things are working fine but you are noticing abnormal MAC quantities, configure port security as above.

Cheers,

Josef.

Kevin Dorrell
Level 10

There are programs out there that are designed to generate traffic from different MAC addresses with the aim of bringing down the switch. The way they work is to overflow the forwarding table, at which point the switch becomes a hub, and you can snoop all its traffic. The best known goes by the dubious name of MACOFF. But somehow I don't think that is what is happening - if it was that, then you would be seeing many thousands of MAC addresses, and not just a few hundred.

http://www.cisco.com/networkers/nw02/presos/pws/docs/PS-550.pdf

You say that the PC MAC addresses are locally administered, and that you do not recognise these rogue addresses. But is there any pattern to them? Do you recognise the maker's ID in the first 3 bytes? Here is a web page to help you:

http://coffer.com/mac_find/

You say there are "one or two" hubs connected to that port, and I find that curious. Is it one, or is it two? Because with 600 addresses, I think it is much more likely that some network topology issue is causing the whole network to be seen behind that port. How many hosts do you have on the LAN altogether? Is it possible that the hub(s) has/have been connected at two different points on your network?

Kevin Dorrell

Luxembourg

Thank you all for the responses.

I've already looked at the port-security feature and applied it to that specific port. So now the MAC flooding has stopped.

Kevin, regarding what you say about the maker's ID: curiously, the first 3 bytes are random, but some patterns repeat in the last 2 bytes. About "our whole network to be seen behind that port", I think in that case we would see a lot of well-known locally administered MAC addresses on that port, wouldn't we?

I agree with you, if it was a DoS attack we would see thousands of MAC addresses, so we are suspecting on some kind of software (maybe malicious or misconfigured) generating those MAC addresses. Have you seen this before?
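Kevin's suggestion to look for a pattern in the rogue addresses (maker's ID in the first 3 bytes) and the poster's observation that the first 3 bytes are random while the last 2 bytes repeat can be checked mechanically. The script below is an added example, not code from this thread or from Cisco: it parses IOS-style `show mac address-table dynamic` output (a constructed sample, not a capture from the poster's 3550), counts dynamic MACs per port against the number of hosts expected behind it, and reports OUI diversity, the locally-administered (U/L) bit, and any repeated low 2 bytes.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of IOS `show mac address-table dynamic` output, not a
# capture from the poster's 3550; Fa0/5 plays the suspicious port.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0200.1111.0001    DYNAMIC     Fa0/1
  10    0200.1111.0003    DYNAMIC     Fa0/5
  10    3c7f.c210.beef    DYNAMIC     Fa0/5
  10    9c02.e471.beef    DYNAMIC     Fa0/5
  10    5d18.09a3.beef    DYNAMIC     Fa0/5
  10    e4b1.7734.beef    DYNAMIC     Fa0/5
"""

ROW_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)", re.I)

def parse_mac_table(text):
    """Yield (vlan, mac as 12 hex chars, type, port) for each table row."""
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            vlan, mac, typ, port = m.groups()
            yield int(vlan), mac.replace(".", "").lower(), typ.upper(), port

def is_locally_administered(mac12):
    """The U/L bit (0x02 in the first octet) is set on locally administered MACs."""
    return bool(int(mac12[:2], 16) & 0x02)

def port_report(text, threshold=30):
    """Per port: dynamic MAC count, distinct OUIs (first 3 bytes), how many are
    not locally administered, a repeated last-2-byte tail if any, and whether
    the count exceeds the number of hosts expected behind the port."""
    by_port = defaultdict(list)
    for _, mac, typ, port in parse_mac_table(text):
        if typ == "DYNAMIC":
            by_port[port].append(mac)
    report = {}
    for port, macs in by_port.items():
        tail, hits = Counter(m[8:] for m in macs).most_common(1)[0]
        report[port] = {
            "count": len(macs),
            "distinct_ouis": len({m[:6] for m in macs}),
            "non_local": sum(not is_locally_administered(m) for m in macs),
            "repeated_tail": tail if hits > 1 else None,
            "over_threshold": len(macs) > threshold,
        }
    return report
```

A port whose count climbs far past its expected host count, with many distinct OUIs that are not locally administered yet share a repeated tail, matches the pattern described in this thread and is worth a look before or alongside applying port security.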
