Oleg Petukhov, lawyer in the field of international law and personal data protection, information security specialist, specialist in the protection of information and personal data.
Telegram channel: https://t.me/protectioninformation Telegram Group: https://t.me/informationprotection1 Website: https://legascom.ru Email: online@legascom.ru #informationprotection #informationsecurity
The switch has a CAM table (Content Addressable Memory), which holds the binding of MAC addresses to switch ports; in other words, this table records which MAC addresses were seen on which port. The CAM table has a limited size: for example, the table of a Cisco Catalyst 2960 switch can store up to 8,192 MAC addresses, and the Catalyst 6000 series can store up to 128,000 MAC addresses.
If the table is completely full, new entries cannot be added, and traffic is flooded to all ports. The switch then behaves like an ordinary hub, and all traffic passing through this network segment can be sniffed in the same way we used in the previous section, with the Wireshark utility. Of course, an attacker cannot listen to all traffic on the local network this way, but an insider working in the same network segment as, for example, the accounting department will be able to intercept its traffic and obtain confidential information.
You can implement this attack using the macchanger utility, which allows you to change MAC addresses.
As an example, we will replace the MAC address on a machine connected to the switch.
root@kali:~# ifup eth0
Internet Systems Consortium DHCP Client V3.1.1
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Listening on LPF/eth0/00:16:ec:f1:45:e8
Sending on LPF/eth0/00:16:ec:f1:45:e8
Sending on Socket/fallback
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3
DHCPOFFER of 192.168.1.3 from 192.168.1.101
DHCPREQUEST of 192.168.1.3 on eth0 to 255.255.255.255 port 67
DHCPACK of 192.168.1.3 from 192.168.1.101
bound to 192.168.1.3 -- renewal in 42928 seconds.
if-up.d/mountnfs[eth0]: waiting for interface eth1 before doing NFS mounts
if-up.d/mountnfs[eth0]: waiting for interface eth2 before doing NFS mounts
if-up.d/mountnfs[eth0]: waiting for interface ath0 before doing NFS mounts
if-up.d/mountnfs[eth0]: waiting for interface wlan0 before doing NFS mounts
When the interface came up, a request was sent to the DHCP server to obtain an IP address. Now let's look at the current state of the network interfaces.
root@kali:~# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:16:ec:f1:45:e8
inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::216:ecff:fef1:45e8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:39 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3952 (3.9 KB) TX bytes:1780 (1.7 KB)
Interrupt:21 Base address:0xd800
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
The real MAC address of our network interface is 00:16:ec:f1:45:e8. Currently, this address is registered in the CAM table of the switch. Now let's change this address.
root@kali:~# macchanger -r eth0
Current MAC: 00:16:ec:f1:45:e8 (unknown)
Faked MAC: 04:2f:11:65:fc:0a (unknown)
Restarting the network interface:
root@kali:~# ifdown eth0
root@kali:~# ifup eth0
Internet Systems Consortium DHCP Client V3.1.1
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Listening on LPF/eth0/04:2f:11:65:fc:0a
Sending on LPF/eth0/04:2f:11:65:fc:0a
Sending on Socket/fallback
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3
DHCPOFFER of 192.168.1.8 from 192.168.1.101
DHCPREQUEST of 192.168.1.8 on eth0 to 255.255.255.255 port 67
DHCPACK of 192.168.1.8 from 192.168.1.101
bound to 192.168.1.8 -- renewal in 42928 seconds.
if-up.d/mountnfs[eth0]: waiting for interface eth1 before doing NFS mounts
if-up.d/mountnfs[eth0]: waiting for interface eth2 before doing NFS mounts
if-up.d/mountnfs[eth0]: waiting for interface ath0 before doing NFS mounts
if-up.d/mountnfs[eth0]: waiting for interface wlan0 before doing NFS mounts
Let's look at the network interface configuration again.
root@kali:~# ifconfig -a
eth0 Link encap:Ethernet HWaddr 04:2f:11:65:fc:0a
inet addr:192.168.1.8 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::216:ecff:fef1:45e8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:39 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5801 (5.9 KB) TX bytes:1100 (1.1 KB)
Interrupt:21 Base address:0xd800
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
As you can see, the MAC address of the eth0 interface has changed. With a simple script, you can change the MAC address in a loop until the CAM table overflows. I'll leave writing such a script to the channel's subscribers as a homework assignment. I'll just note that the macchanger utility will be useful to us more than once when implementing network attacks.
Having identified the threat, let's move on to ways of protecting against it. Many security guides recommend statically binding the workstation's MAC address to the switch port, or limiting the number of MAC addresses allowed on a port to one. This advice is, of course, correct, but you need to be careful here, since very often one switch port legitimately corresponds to several MAC addresses. For example, all ports of the switch are in use, but several more workstations need to be connected to it (because of an expansion or, conversely, a consolidation). The best solution in this situation is to connect another switch to this one and reserve the uplink port of the new switch for the corresponding MAC addresses. However, in the current economic conditions, many companies prefer to save money and use plain hubs for the connection instead.
There are also cases where several workstations are connected to the same switch port one after another; this is often done in meeting rooms, for example. So when configuring MAC address restrictions, I advise you not to get carried away with excessive "tightening of the screws", in order to avoid extra difficulties later.
Now let's move on to the practical part. As an example, let's look at configuring a Cisco Catalyst 2960 switch running Cisco IOS. This model has 24 ports to which users are connected. We need to ensure that no more than three machines (in other words, three MAC addresses) can connect to each port. To do this, connect to the switch remotely or via the console and run the following commands:
Switch# conf t
Switch(config)# int range f0/1-24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport port-security
Switch(config-if-range)# switchport port-security violation shutdown
Switch(config-if-range)# switchport port-security maximum 3
Switch(config-if-range)# switchport port-security mac-address sticky
Now let's briefly go through what each of these commands does. The first line enters global configuration mode, and the second enters interface configuration mode for the selected range of ports. The third explicitly sets all the selected ports to access mode. Next, port-security is enabled. The following three lines tell the switch what to do if more than three workstations try to connect to a port. First, we specify that the port must be shut down and a corresponding notification sent via SNMP and syslog. Incidentally, you don't have to set this option explicitly, since shutdown is the default violation mode. Besides the shutdown mode we used, there are also protect and restrict. In both of these modes the port is not shut down; instead, only frames from the offending MAC addresses are dropped when a violation is detected. The difference between the two is that restrict additionally sends an SNMP trap and a syslog message about the security policy violation.
In the next command, we tell the switch how many MAC addresses we are willing to see on the port; in our case, three. Finally, the last command puts the port into sticky learning mode: the first three MAC addresses seen on the port are automatically saved in the running-config.
So, to summarize: these commands are quite sufficient to prevent a CAM table overflow attack.
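To make both the overflow mechanism and the defense concrete, here is an added Python model (not code from the article, from Cisco, or from any real switch) of a switch that learns source MACs into a bounded CAM table and enforces a per-port maximum with the protect, restrict and shutdown violation modes described above; the table size, MAC addresses and port numbers are constructed for the illustration.

```python
# Toy model of a CAM table with Cisco-style port-security (added illustration; sizes, MACs and ports are constructed).

class Switch:
    def __init__(self, cam_size, max_per_port=None, violation="shutdown"):
        self.cam_size = cam_size            # 8192 on a Catalyst 2960
        self.cam = {}                       # MAC address -> port
        self.max_per_port = max_per_port    # None: port-security disabled
        self.violation = violation          # "protect" | "restrict" | "shutdown"
        self.errdisabled = set()            # ports shut down by a violation
        self.log = []                       # syslog/SNMP-trap style notifications

    def _learn(self, mac, port):
        """Learn a source MAC on a port, enforcing port-security first."""
        if mac in self.cam:
            return True
        on_port = sum(1 for p in self.cam.values() if p == port)
        if self.max_per_port is not None and on_port >= self.max_per_port:
            if self.violation == "shutdown":    # default: err-disable the port
                self.errdisabled.add(port)
                self.log.append(f"PSECURE_VIOLATION {mac} on port {port}: err-disabled")
            elif self.violation == "restrict":  # drop the frame but still notify
                self.log.append(f"PSECURE_VIOLATION {mac} on port {port}: dropped")
            return False                        # "protect" drops silently
        if len(self.cam) < self.cam_size:       # a full table learns nothing new
            self.cam[mac] = port
        return True

    def forward(self, src, dst, in_port, ports):
        """Return the ports a frame is sent to: one port, or a hub-like flood."""
        if in_port in self.errdisabled or not self._learn(src, in_port):
            return set()                        # frame dropped
        if dst in self.cam:
            return {self.cam[dst]}              # known destination: unicast
        return set(ports) - {in_port}           # unknown destination: flood

def demo(max_per_port=None, violation="shutdown"):
    """Port 1 emits six bogus MACs into a 5-entry table, then hosts on ports 2 and 3 talk."""
    sw, ports = Switch(5, max_per_port, violation), {1, 2, 3}
    for i in range(6):
        sw.forward(f"de:ad:be:ef:00:{i:02x}", "ff:ff:ff:ff:ff:ff", 1, ports)
    h2, h3 = "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"
    sw.forward(h2, h3, 2, ports)
    sw.forward(h3, h2, 3, ports)
    return sw, sw.forward(h2, h3, 2, ports)

if __name__ == "__main__":
    for cfg in [(None, "shutdown"), (3, "shutdown"), (3, "restrict"), (3, "protect")]:
        sw, out = demo(*cfg)
        print(cfg, "sent to ports", sorted(out), "err-disabled", sw.errdisabled, sw.log)
```

Without port-security the bogus addresses fill the table and the last host-to-host frame is flooded to every other port; with `maximum 3` the bogus addresses stop at three, the table keeps room for the real hosts, and only the shutdown and restrict modes leave a notification behind.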