According to cisco enterprise mobility, it is stated that "Even if port security is not an option to stop MAC flooding in wireless networks, the MAC flooding attack is unsuccessful when launched by a wireless user. The reason for this is the 802.11 protocol itself. The association to an AP is MAC-based; this means that the AP bridges (translational bridge) traffic coming only from or going to known users or known MACs. If a MAC flooding attack is launched from a wireless user, all the 802.11 frames with random source MAC addresses that are not associated to the AP are dropped. The only frame allowed is the one with the MAC of the malicious user, which the switch has probably already learned. Thus, the operation of the access point prevents the switch from being susceptible to MAC flooding attacks."
http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob30dg/SecInteg.html
As you described, only know Macs are associated with ap, I am wondering if a know mac itself turned to be a malicious? I am not sure how it practically happens but there could be chances.
yes, of course, a known MAC can itself be a malicious one..But if that malicious attacker wants to flood the CAM table, s/he has to change the MAC address and send the packets. So I wonder if the Access Point will accept those packets because these MAC addresses are new to it and are not associated in the Access Point's table of active clients .
That is correct. My point is, prior to a node becoming malicious, it's MAC would have been updated in AP's table right? based on that entry , a malicious node which turned from genuine node can flood the packets.
But since the packets are having spoofed random source MAC addresses, i guess it will be dropped by access point because these random source MAC addresses are not associated with the AP.
If a registered MAC becomes a malicious BOT, and if it has to launch MAC flooding it has to change its MAC which will make BOT disconnected. Therefore every time it changes MAC it becomes disconnected and hence this attack is not possible.
For Radio MAC forwarding read - http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Linux.Wireless.mac.html
for WLAN Security - http://searchsecurity.techtarget.com/WLAN-security-Best-practices-for-wireless-network-security
Hello,
Port security is an option which provided by vendors to protect networks from MAC flooding. Cisco is provided a feature known as "switchport port-security" in order to protect networks from this type of attack. Remember that, port security can be enabled if not configured as trunk, dynamic and dynamic-access, 802.1x and SPAN ports. For example, if you enable port security on an 802.1x port, you'll receive an error message and port security will not be enabled.
However, MAC flooding is not possible in wireless network due to 802.11 protocol characteristics. The access point will drop every frames which are not associated with access point.
Exam 312-50 Certified Ethical Hacker (module 08 pages 1149 to 1164) can help you more about this problem.
Just spitballin' here, but since the AP's restrictions seem to center around what it considers a valid MAC, a number of spoofed MAC's could, in theory, send handshakes and other valid data via UDP rather than TCP - say, to a DNS server - and possibly receive valid results.
By incrementally increasing the MAC's doing so - sending to different hosts - it makes sense that an above-described router would see them as "valid" more and more. Once a sufficient number were trusted, the target activity could be performed.
Please note that network flooding is an inconvenient and malicious act. I do not condone it, and I do not respect people who engage in it. I answer only out of academic curiosity.
- Badges
- Science topic