Friday, 25 August 2017

Kali’s Macof for CAM Table Overflow Attack is Denied by Port Security

Kali OS, the one with the cool dragon logo, is a great toolkit for the hacker’s arsenal. If you’ve ever seen Mr. Robot, you’ll have seen the dragon symbol on the computers used to own Evil Corp. With this OS, networks can be owned if they aren’t configured well.

Macof is a program that runs inside the Kali OS. When it is run against a port on a switch, it performs what’s called a Content Addressable Memory Table Overflow Attack, or CAM Table Overflow Attack for short. The CAM Table is used to remember which port each MAC address is reachable through. Because the table can only store so many MAC addresses, older MAC addresses start to be removed once the table reaches capacity. This is exactly what happens when the macof program is used: the program sends thousands upon thousands of MAC addresses until the CAM Table reaches capacity and the oldest MAC addresses are removed.

So why is this an issue? Let’s say there’s a switch with a CAM Table capacity of 2000 MAC addresses. On this switch three ports are occupied. One is a Windows computer, and one of them is an Ubuntu machine. These machines have been on the switch and have been able to send traffic as wanted. Until now. A Kali laptop is newly plugged into the switch. It runs the macof program. The CAM Table Overflow Attack makes the switch forget the MAC addresses of the two other legitimate computers. Therefore, once these computers try to talk with each other, the switch no longer knows which ports to send the traffic to, as the port reference for those MAC addresses has been forgotten. Switch logic then dictates that, to figure out who owns these addresses, the traffic is flooded out of all ports (except the one it arrived on). When the traffic is flooded, the Kali laptop receives and can interpret the traffic between the other devices on the switch.

The CAM Table Overflow attack is a huge risk. It leaves traffic exposed and opens avenues for further escalation into the network, e.g. DNS poisoning from a man-in-the-middle (MITM) position. Luckily, switches have preventative measures to mitigate these risks and specifically to block the CAM Table Overflow attack.

Port security is the preventative measure Cisco switches have against attacks from Kali’s macof program. It prevents CAM Table Overflow attacks through three violation modes:

1. Protect – This is basic protection and rarely used. It simply doesn’t allow traffic beyond what is configured for the port. For instance, if a port is configured to allow 3 MAC addresses only, it will not allow traffic from any other MAC address. So when a machine with a 4th MAC address is plugged in, the port simply does not let its traffic through. No message is sent to alert administrators about the 4th MAC address; the port silently prevents the traffic.
2. Restrict – This is like Protect in that it stops traffic from MAC addresses that aren’t configured for the port. It takes one additional action: telling someone that a violation occurred. A violation would look like a machine with a 4th MAC address being plugged into a port configured for 3 MAC addresses. As soon as this machine is plugged in and tries to communicate, the port will not recognize the MAC address and will send an alert to the proper administrator about the violation. Additionally, the violation counter is incremented.
3. Shutdown – This follows the same principle as the previous two modes: traffic is still denied if there’s a violation. However, greater measures are taken by completely shutting down the port (placing it in the error-disabled state) on a violation. Like Restrict mode, this also sends SNMP alerts and increments the counter.

It may be helpful to note that I have also seen Shutdown VLAN added to this list if a violation occurs.

To decide which MAC addresses are allowed on a port, there are also three primary modes for learning them. By default, a switch allows one MAC address per port. Which addresses fill that allowance can be configured with the help of three primary modes:

1. Dynamic – MAC addresses are learned without any manual configuration. If a port is set to allow 4 MAC addresses, dynamic mode learns and applies the first 4 machines that are plugged into the port. Beyond that, a violation occurs. This is the default mode.
2. Static – This mode requires that MAC addresses are applied manually. If port security allows 3 MAC addresses on a port, then 1 MAC address can be assigned manually while 2 more are allowed through dynamic mode.
3. Sticky – Sticky is like dynamic, but it also writes the learned addresses directly into the running configuration. So if the running configuration is saved to the startup configuration, the MAC addresses are remembered when the switch is rebooted.

Port security can also be configured more specifically, though any configuration of port security is limited to access or trunk ports. So if a port is in dynamic mode, where it negotiates whether to become an access or a trunk port, port security cannot be configured on it. If a port is statically set as an access or trunk port, port security can be configured, and even more specific port security configurations can be made. More specific configurations include different maximums of MAC addresses allowed on each VLAN, which mode a VLAN uses, and aging secured MAC addresses out of the CAM Table.
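The following Cisco IOS fragment, added here as an illustration and not taken from the original post, ties the pieces above together on one access port: a maximum of 2 addresses, the shutdown violation mode, sticky learning and aging. The interface name, VLAN number and timers are placeholders chosen for the example.

```text
! Added example (not from the original post). Cisco IOS syntax; interface,
! VLAN and timer values are placeholders.
interface GigabitEthernet0/1
 description Workstation access port (example)
 ! Port security is only accepted on a statically configured access or
 ! trunk port, never on a port left in dynamic (DTP) mode.
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! At most 2 source MAC addresses may be secured on this port; a 3rd is a
 ! violation, so a macof flood trips it on its first few frames.
 switchport port-security maximum 2
 ! Shutdown mode: offending frames are dropped, an SNMP trap / syslog message
 ! is generated, the violation counter increments and the port goes
 ! err-disabled until an administrator (or errdisable recovery) restores it.
 switchport port-security violation shutdown
 ! Sticky: learned addresses are written into the running configuration, so
 ! "copy running-config startup-config" keeps them across a reboot.
 switchport port-security mac-address sticky
 ! Optional: age dynamically secured addresses out after 60 minutes of
 ! inactivity (this is the port-security aging timer, separate from the
 ! CAM table's own aging).
 switchport port-security aging time 60
 switchport port-security aging type inactivity
!
! Optional: recover an err-disabled port automatically after 300 seconds
! instead of requiring a manual "shutdown" / "no shutdown".
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification from privileged EXEC mode:
!   show port-security
!   show port-security interface GigabitEthernet0/1
!   show port-security address
```

On a trunk port the same maximum can be set per VLAN with `switchport port-security maximum 2 vlan 10`, which is the per-VLAN capacity the paragraph above refers to.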


The CAM Table Overflow attack can be defended against with a proper implementation of port security. If the switch in our attack scenario had been configured so that exceeding 2 MAC addresses on the port is a violation that shuts it down, and the CAM Table capacity was 8000, then when Kali executed macof the attack would achieve nothing and the port would be shut down. An alert would be sent to an administrator, who would have to investigate the port before bringing it back up again.
