...ation of a MAC flood is to make a switch behave like a hub, as I mentioned before. A hub sends the packet it receives to all of its ports. However, a switch sends the packet only to the target system, so we can make the switch behave like a hub. Then it would send the packet to all of its ports and I could listen to the traffic, even though I'm not the target.

In a massive flooding attack, within a very short time the switch's MAC address table is full of fake MAC address and port mappings. Once the switch's MAC address table is full and it cannot save any more MAC addresses, it generally enters into a fail-open mode and starts behaving like a network hub.

Ethernet switches use MAC address tables to determine where to forward traffic on a LAN. So let's go step by step to understand how the MAC address table is built and used by an Ethernet switch to help traffic move along the path to its destination.

Now suppose that all of the devices connected to the switch are powered on, but have not seen any traffic yet. In this case, the MAC address table of the switch would be empty. Now, suppose computer A wants to send traffic to the server. It prepares an Ethernet frame and sends it off toward the switch.

The first thing the switch would do when receiving the traffic is to create a new entry in its MAC address table for computer A's MAC address. Makes sense. The switch then performs a lookup on its MAC address table to determine whether it knows which port to send the traffic to. And since no matching entries exist in the switch's table, it floods the frame out all of its interfaces except the receiving port. Because the frame was sent out all of the switch's other ports, it is received by the target server as well. Then the server sends a new frame back toward the switch; the other systems which received the frame do nothing.

The switch receives the frame and creates a new entry in its MAC address table for the server's MAC address. It then performs a lookup of its MAC address table to determine whether it knows which port to send the server's traffic to, and in this case it does. So it sends the return traffic out only on the port of computer A, without flooding.

So this process repeats as devices continue to send traffic to each other. An important detail to remember is that the MAC address table timeout is typically short. So, for example, the default timeout duration of Cisco switches is five minutes. So an entry is left in the table only for that specified amount of time before the timeout expires and the entry is removed from the table.

Let's look at the switching mechanism from a cybersecurity point of view. The mechanism has two weaknesses in it. First, when the target MAC address is not in the MAC address table, the frames are flooded out of all the ports, so unintended systems on the network are capable of sniffing these frames. The second weakness is that when the MAC address table is full, no new record is accepted. So what if I fill the table by announcing thousands of fake MAC addresses from a port of the switch? Most of the switches start to behave like a network hub in such a situation, which means they send each frame to all of the ports.