4.4.d CAM Table overflow

The CAM table is the same thing as the MAC address table; CAM stands for Content Addressable Memory. The CAM/MAC address table stores MAC addresses and the port on which each MAC address is reachable.

So what is a CAM table overflow attack? An attacker who gains access to a switch, via a wall jack for example, could easily run a tool such as ‘macof’, which floods the switch with spoofed MAC addresses. The CAM table can only hold so many addresses in its memory. Once that limit has been reached, any new frames that come into the switch will be flooded to all ports, as the switch can’t process them in the CAM table. This allows the attacker to sniff the traffic using a tool like Wireshark.

So how do we mitigate this attack and stop it from being successful? We can use Port Security.

Port Security

What can port security do to help us stop the CAM table from getting overloaded with bogus MAC addresses? Port security limits the number of MAC addresses that are allowed on a switch port. When you enable port security, the default limit is 1 MAC address allowed on a port. If a second MAC address comes in on that port that is different from what the switch has previously learnt, the port is shut down. This is the default action, but it can be changed.

The different actions that can be set are:

  • Protect – In this mode frames are dropped if the number of MAC addresses is over the limit. No syslogs, SNMP messages or alarms are raised; it is silent and you would never know an attack was underway.
  • Restrict – In this mode frames are also dropped, but syslogs and SNMP messages are sent to warn us that this is occurring.
  • Shutdown (Port) – In this mode the port is shut down when an attack is detected.
  • Shutdown (VLAN) – In this mode the VLAN that the port is part of is shut down when an attack is detected.

Configuring Port Security

To implement port security on a switch port, you first need to set the port to an access port manually; it can’t be a dynamically learnt port.

#interface FastEthernet0/2

#switchport mode access

Enable port security:

#switchport port-security

You can also set the maximum number of MAC addresses to a value other than the default, which is 1.

#switchport port-security maximum <1-132>

There are 3 different ways you can set the switch to learn the MAC addresses on a port using port security.

  • Dynamic – MAC addresses are learnt dynamically but are lost if a switch reboots
  • Static – Add a MAC address manually to the configuration
  • Sticky – Dynamically learn MAC addresses which can be saved in the running configuration and don’t have to be learnt after a switch reboot.

Setting it to sticky is shown below:

#switchport port-security mac-address sticky

If you want to change the default action taken when a violation is detected you can set it to one of the following using the violation command.

#switchport port-security violation <protect, restrict, shutdown (port/vlan)>

If a security violation occurs and the port is shut down, the administrator has to go into the interface that is shut down and use the shutdown and no shutdown commands; simply issuing the no shutdown command on its own will not return the port to an UP state. You can also use errdisable recovery to bring the port back up after a certain time. This will save you getting a call in the early hours of the morning to remotely access your network and bring the port back up manually.
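The syslog messages raised in restrict mode (and when a port is shut down) can be triaged automatically before deciding whether to re-enable a port. The script below is an added example, not part of the original post: it parses IOS %PORT_SECURITY-2-PSECURE_VIOLATION messages and separates ports hit by many distinct source MACs from ports where a single unexpected device appeared. The log lines are constructed, and the flood_threshold value and verdict names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample syslog (not captured from a real switch). The message text
# follows the IOS %PORT_SECURITY-2-PSECURE_VIOLATION format.
_MSG = (
    "%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    "caused by MAC address {} on port {}."
)
SAMPLE_LOG = "\n".join(
    [f"Mar  1 02:14:0{i} sw1 " + _MSG.format(f"00aa.bb01.000{i}", "FastEthernet0/2")
     for i in range(1, 6)]
    + ["Mar  1 02:15:10 sw1 %LINK-3-UPDOWN: Interface FastEthernet0/9, changed state to up"]
    + ["Mar  1 09:30:11 sw1 " + _MSG.format("0011.2233.4455", "FastEthernet0/7")] * 2
)

VIOLATION = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?MAC address "
    r"(?P<mac>[0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2}) on port (?P<port>\S+?)\.?$"
)

def summarize(log_text, flood_threshold=3):
    """Group violations by port. Many distinct source MACs on one port suggests
    spoofed-MAC flooding; a single MAC suggests an extra device was plugged in.
    flood_threshold is an assumed tuning value, not a Cisco default.
    Returns {port: (violation_count, distinct_mac_count, verdict)}."""
    seen = defaultdict(lambda: {"events": 0, "macs": set()})
    for line in log_text.splitlines():
        m = VIOLATION.search(line)
        if not m:
            continue  # unrelated syslog message
        entry = seen[m["port"]]
        entry["events"] += 1
        entry["macs"].add(m["mac"].lower())
    report = {}
    for port, e in seen.items():
        verdict = "possible-mac-flood" if len(e["macs"]) >= flood_threshold else "unexpected-device"
        report[port] = (e["events"], len(e["macs"]), verdict)
    return report

if __name__ == "__main__":
    for port, (events, macs, verdict) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{port}: {events} violations, {macs} distinct MACs -> {verdict}")
```

Ports in protect mode produce no such messages, so this only covers ports set to restrict or shutdown.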
