Information Security 10 min read

How MAC Flooding and ARP Spoofing Attacks Work—and How to Defend Them

This article explains the MAC learning and aging processes, demonstrates MAC flooding and ARP spoofing attacks with practical test setups, and provides step‑by‑step configurations such as port security, access management, and DHCP snooping to protect network switches from these threats.

Ops Development Stories

MAC Flooding Attack and Defense

MAC Learning Mechanism

When a switch starts without a MAC address table, it learns MAC addresses by recording the source MAC and the incoming port of each frame. If the destination MAC is unknown, the switch broadcasts the frame; the destination host replies, allowing the switch to add the new MAC‑port mapping.

MAC Aging Mechanism

If a host does not communicate for a long period, the switch removes its MAC entry from the table, requiring re‑learning on the next transmission.

MAC Flooding Attack

An attacker sends frames with a large number of forged source MAC addresses, filling the switch’s MAC table. New legitimate MAC addresses can no longer be learned, so the switch floods unicast frames out of every port like a hub, which lets the attacker capture communications between other hosts.

Attack Test Setup

Tools: <code>macof</code> on Kali Linux (attacker IP 192.168.2.130). Switch: Shenzhou DCRS6200. PC1: Windows XP (192.168.2.140). PC2: DCRS firewall (192.168.2.2).

Before the attack, the MAC table is displayed (image). After running <code>macof</code>, the MAC table is flooded with fake entries (image). Wireshark on PC1 captures usernames and passwords when accessing PC2 (image).

Defense Measures

1. Enable Port Security on the switch port to limit the number of MAC addresses and bind specific MACs.

<code>CS6200-28X-EI(config-if-ethernet1/0/5)# sw port-security          # enable port security on this port
CS6200-28X-EI(config-if-ethernet1/0/5)# sw port-security maximum 5   # allow at most 5 learned MACs
CS6200-28X-EI(config-if-ethernet1/0/5)# sw port-security mac-address 00-0c-29-b0-81-4f   # statically bind PC1's MAC
DCRS(config-if-ethernet1/0/5)# sw port-security mac-address sticky   # keep dynamically learned MACs as secure entries
DCRS(config-if-ethernet1/0/5)# sw port-security violation restrict   # drop frames from MACs beyond the limit instead of shutting the port</code>

2. Configure Access Management (AM) to compare incoming frames against a MAC‑IP pool and drop unauthorized traffic.

<code>DCRS(config)# am enable                                   # enable access management globally
DCRS(config-if-ethernet1/0/5)# am port                    # apply access management on this port
DCRS(config-if-ethernet1/0/5)# am mac-ip-pool 01-00-5e-00-00-16 192.168.2.22   # permit only this MAC-IP pair on the port</code>

ARP Spoofing Attack and Defense

ARP Protocol Overview

ARP resolves IP addresses to MAC addresses within a LAN. Each host maintains an ARP cache mapping IPs to MACs. When a host needs a MAC for a destination IP, it broadcasts an ARP request; the owner replies, and the requester stores the mapping.

ARP Spoofing Principle

An attacker (PC3) sends forged ARP replies: to PC1 claiming that PC2’s IP belongs to the attacker’s MAC, and to PC2 claiming that PC1’s IP belongs to the attacker’s MAC. Both victims update their ARP caches with the attacker’s MAC, so all traffic between them is forwarded through the attacker (Man‑in‑the‑Middle).

Attack Test Procedure

Target host IP: 192.168.179.131. Enable IP forwarding on the attacker, then use <code>arpspoof</code> (or graphical tools like Ettercap) to poison the ARP tables. After the attack, the gateway MAC in the victim’s ARP cache is replaced by the attacker’s MAC, confirming success (images).

ARP Spoofing Defense

1. Use the same Access Management configuration as for MAC flooding to block unauthorized ARP traffic.

2. Enable DHCP Snooping Bind to create a binding table of legitimate MAC‑IP pairs; traffic not matching the table is dropped.

<code>DCRS(config)# ip dhcp snooping enable            # enable DHCP snooping globally
DCRS(config)# ip dhcp snooping binding enable    # build the MAC-IP binding table from DHCP leases
DCRS(config)# ip dhcp snooping binding arp       # check ARP packets against the binding table
DCRS(config)# interface ethernet 0/0/1           # port facing the DHCP server
DCRS(config-if)# ip dhcp snooping trust          # accept DHCP server replies only on the trusted port</code>
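To make the two defenses concrete for both the MAC flooding and the ARP spoofing sections, here is an added Python model (not code from the article or the DCRS switch) of what the switch checks: a per-port limit on distinct source MACs in the spirit of port-security <code>maximum</code>, an alert when an ARP reply rebinds an IP to a new MAC, and a drop decision against a binding table as Access Management or DHCP snooping would hold it. The frame records, port names and all MACs except PC1's are constructed for the example.

```python
from collections import defaultdict

# Constructed sample records, one per frame seen by the switch:
# (time_s, ingress_port, source_mac, arp_sender_ip).  arp_sender_ip is the
# IP->MAC claim carried by an ARP reply, or None for a plain data frame.
# Hosts use the article's addresses; MACs other than PC1's are made up.
FRAMES = [
    (0.0, "eth1/0/5", "00:0c:29:b0:81:4f", "192.168.2.140"),  # PC1, legitimate
    (0.1, "eth1/0/1", "00:0c:29:11:22:33", "192.168.2.2"),    # PC2, legitimate
    (1.0, "eth1/0/7", "00:0c:29:aa:bb:cc", "192.168.2.2"),    # attacker claims PC2's IP
    (1.1, "eth1/0/7", "00:0c:29:aa:bb:cc", "192.168.2.140"),  # attacker claims PC1's IP
] + [  # macof-style burst: 1000 forged source MACs from one port within one second
    (2.0 + i / 1000, "eth1/0/7", f"02:00:00:00:{i >> 8:02x}:{i & 0xFF:02x}", None)
    for i in range(1000)
]

# Legitimate MAC-IP pairs, as a DHCP snooping binding table or AM pool would hold.
BINDINGS = {"192.168.2.140": "00:0c:29:b0:81:4f", "192.168.2.2": "00:0c:29:11:22:33"}


def detect_mac_flooding(frames, max_macs=5, window_s=1.0):
    """Return {port: peak} for ports sourcing more than max_macs distinct MACs
    inside one time window, mirroring the port-security 'maximum' limit."""
    seen = defaultdict(set)  # (port, window index) -> distinct source MACs
    for t, port, mac, _ in frames:
        seen[(port, int(t // window_s))].add(mac)
    peak = defaultdict(int)
    for (port, _), macs in seen.items():
        peak[port] = max(peak[port], len(macs))
    return {port: n for port, n in peak.items() if n > max_macs}


def detect_arp_spoofing(frames):
    """Flag ARP replies that rebind an IP to a MAC other than the one first seen.
    Returns [(ip, first_mac, new_mac, port)]. A genuine NIC replacement also
    triggers this, so treat it as an alert to investigate, not a drop rule."""
    first_seen, alerts = {}, []
    for _, port, mac, ip in frames:
        if ip is None:
            continue
        known = first_seen.setdefault(ip, mac)
        if known != mac:
            alerts.append((ip, known, mac, port))
    return alerts


def drop_unbound(frames, bindings):
    """Return the frames a binding check drops: ARP claims whose (ip, mac)
    pair is not in the binding table. Frames without a claim pass through."""
    return [f for f in frames if f[3] is not None and bindings.get(f[3]) != f[2]]
```

Running the three functions on <code>FRAMES</code> reports port eth1/0/7 with 1000 MACs in one window, two ARP rebind alerts (PC2's and PC1's IPs moving to the attacker's MAC), and the same two forged replies as the frames the binding check drops.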
Tags: network security, access management, ARP spoofing, port security, DHCP snooping, MAC flooding
Written by Ops Development Stories

Maintained by a like‑minded team, covering both operations and development. Topics span Linux ops, DevOps toolchain, Kubernetes containerization, monitoring, log collection, network security, and Python or Go development. Team members: Qiao Ke, wanger, Dong Ge, Su Xin, Hua Zai, Zheng Ge, Teacher Xia.
