Today, various tools can perform MAC flooding attacks. These tools include Ettercap[3], Yersinia[4], THC Parasite[5], and macof. Macof is efficient and extremely simple to use.

Macof - flood a switched LAN with random MAC addresses
SYNOPSIS
Macof floods the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing). A straight C port of the original Perl Net::RawIP macof program by Ian Vitek.
Values for any options left unspecified will be generated randomly.

Example 2-2 presents a snapshot of a Catalyst 6500's bridging table before invoking macof.

Example 2-2 Catalyst 6500 Bridging Table Before Macof Operation
6K-1-720# sh mac-address-table dynamic vlan 20
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available
  vlan   mac address     type    learn     age          ports

Let's now start macof from the workstation connected to port Gi1/15, as shown in Example 2-3.

Only three entries appear, even though macof was asked to generate five entries. What happened? If you look at the MAC addresses that the switch learned, you see CE:56:EE:19:85:1a and 3A:50:DB:3f:E9:C2. However, the tool also generated traffic from MAC addresses 2b:e:b:46:a8:50, DB:AD:AA:2D:AC:E9, and 89:63:d:a:13:87. Actually, it is no accident that the switch did not learn those addresses.

Table 2-2 High-Order Octets of Source MAC Addresses

Look at the low-order (far-right) bit of each address's high-order octet. When it is set, it indicates a group address, which is normally exclusively used by multicast traffic.

Multicast is a technique used for one-to-many or many-to-many communication. By using multicast, a source can reach an arbitrary number of interested recipients who can subscribe to the group (a special Class D IP address) it is sending to. The beauty of multicast is that, from the source's perspective, it sends only a single frame. Only the last networking device replicates that single frame into as many frames as necessary, depending on the number of recipients. On Ethernet, multicast frames are identified by a special group bit being set to 1. It is the low-order bit of the high-order byte. Switches should not learn source addresses whose group bit is set. The presence of the group bit is legitimate only when present in a destination MAC address. The IEEE 802.3-2002 specification is clear on this topic:

"5.2.2.1.29 aReadWriteMACAddress ATTRIBUTE
Read the MAC station address or change the MAC station address to the one supplied (RecognizeAddress function). Note that the supplied station address shall not have the group bit set and shall not be the null address."[6]

If your LAN switch learns those frames, consider having a conversation with the switch's vendor. That being said, macof is essentially a brute-force tool and, as such, it does not embarrass itself by abiding by official IEEE standards. It generates both valid and illegitimate source MAC addresses. As a matter of fact, some switches are known to learn such addresses! Regardless, a hacker is probably not going to start macof to generate just five MAC addresses. The strength of the tool is the sheer speed at which it can produce an impressive number of random addresses and source traffic from them, as Example 2-5 shows.

Example 2-5 Filling Up the Bridging Table During a Macof Attack

In a matter of seconds (between 7 and 8, in this case), more than 50,000 MAC addresses are injected on a port using a regular Intel Pentium 4-based PC running Linux. In less than 10 seconds, the entire bridging table is exhausted, and flooding becomes inevitable. When targeting a Catalyst 6500 equipped with a Supervisor Engine 720 running Cisco IOS Software Release 12.2(18)SXF1, the following syslog message appears when the table is full:

Dec 23 21:04:56.141: %MCAST-SP-6-L2_HASH_BUCKET_COLLISION: Failure installing

The message indicates that there just isn't any room left in the table to insert a single MAC address.
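The two points above, that a bridge must not learn a source address with the group bit set (or the null address), and that macof's real danger is the rate at which it sources distinct addresses, can both be checked over a frame log. The following Python is an added example, not code from the book or from the macof/dsniff project: it classifies the five addresses macof produced in Example 2-3 by their high-order octet, and then counts distinct learnable source MACs per port in a sliding window to flag a port that behaves like the Gi1/15 workstation during the flood. The frame records, the port names and the threshold (1000 learnable addresses within 10 seconds) are constructed for illustration; on real equipment the equivalent control is a per-port limit on learned addresses such as port security.

```python
"""Source-MAC hygiene and MAC-flood detection for the macof scenario above.

Added example: this is not code from the book or from the dsniff/macof
project. The five addresses come from the text; the frame records, port
names and the 1000-addresses-per-10-seconds threshold are constructed.
"""
from collections import defaultdict


def parse_mac(text):
    """Return the six octets of a colon-separated MAC address as ints.

    Accepts un-padded octets such as "2b:e:b:46:a8:50" (macof prints them
    that way) as well as the usual "2B:0E:0B:46:A8:50".
    """
    parts = text.strip().split(":")
    if len(parts) != 6 or not all(1 <= len(p) <= 2 for p in parts):
        raise ValueError("not a MAC address: %r" % (text,))
    return [int(p, 16) for p in parts]


def is_group_address(mac):
    """I/G bit set: the low-order bit of the high-order (first) octet."""
    return bool(parse_mac(mac)[0] & 0x01)


def is_null_address(mac):
    return all(octet == 0 for octet in parse_mac(mac))


def learnable_source(mac):
    """A source address a bridge may legitimately learn: per IEEE 802.3-2002
    5.2.2.1.29 a station address neither has the group bit set nor is null."""
    return not is_group_address(mac) and not is_null_address(mac)


def classify(macs):
    """Map each address to 'unicast' (learnable), 'group' or 'null'."""
    result = {}
    for mac in macs:
        if is_null_address(mac):
            result[mac] = "null"
        elif is_group_address(mac):
            result[mac] = "group"
        else:
            result[mac] = "unicast"
    return result


def flooding_ports(records, window_s=10.0, threshold=1000):
    """Flag ports that source too many distinct learnable MACs in a window.

    records: iterable of (timestamp_seconds, port, src_mac).
    Returns {port: peak_distinct_count} for ports reaching `threshold`.
    Frames with group or null sources are ignored, mirroring what a
    compliant switch does; a normal access port sources a handful of
    addresses, while macof sources tens of thousands in under ten seconds.
    """
    by_port = defaultdict(list)
    for ts, port, mac in records:
        if learnable_source(mac):
            by_port[port].append((ts, mac.upper()))
    hits = {}
    for port, events in by_port.items():
        events.sort()
        in_window = defaultdict(int)   # mac -> frames inside the window
        start = 0
        for ts, mac in events:
            in_window[mac] += 1
            # Drop frames older than the window from the left edge.
            while events[start][0] < ts - window_s:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                hits[port] = max(hits.get(port, 0), len(in_window))
    return hits


# The five source MACs macof generated in Example 2-3 (from the text above).
MACOF_SAMPLE = ["CE:56:EE:19:85:1a", "3A:50:DB:3f:E9:C2",
                "2b:e:b:46:a8:50", "DB:AD:AA:2D:AC:E9", "89:63:d:a:13:87"]


def build_sample_records():
    """Constructed frame log: the five macof addresses plus a 3000-address
    burst over 8 s on Gi1/15, and two hosts chatting normally on Gi1/16."""
    recs = [(0.0, "Gi1/15", mac) for mac in MACOF_SAMPLE]
    for i in range(3000):
        mac = "02:00:00:%02X:%02X:%02X" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        recs.append((i * 8.0 / 3000, "Gi1/15", mac))
    for t in range(0, 60, 5):
        recs.append((float(t), "Gi1/16", "00:11:22:33:44:55"))
        recs.append((t + 1.0, "Gi1/16", "66:77:88:99:AA:BB"))
    return recs


if __name__ == "__main__":
    for mac, kind in classify(MACOF_SAMPLE).items():
        print("%-18s %s" % (mac, kind))
    print(flooding_ports(build_sample_records()))
```

Running it classifies the three unlearned addresses as group addresses (first octets 0x2B, 0xDB and 0x89 are odd) and the two learned ones as unicast, and reports only Gi1/15, with 3002 distinct learnable sources inside one window, while Gi1/16's two hosts never come near the threshold. The group-bit filter matters for the detector as well: without it, the illegitimate addresses macof emits would inflate the count on any switch that (wrongly) learns them.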