Lets straight to the point, I’ll break down this article into 4 sub-chapter:

  • The Theory
  • The Attack and The Outcome
  • The Mitigation

Security Experts says: “Security is as good as layer belows” or “Security is as strong as weakest link

Dalam 7 OSI Layer…klo dari bawahnya aja udah kena (physical and data link)…keatas2nya juga akan kena (domino effect)

Wokeh, lets prepare the ingredients:

  • Manageable Switch (klo pake switch biasa ga keliatan apa yang mau dipraktekin)
  • Kali Linux (for me its 2016 version)
  • Another PC (I use Kali and Windows in same host a.k.a Virtual Machine)


The Theory

Setiap switch pasti punya yang namanya CAM Table

For you who doesn’t know what CAM table mean, take a look at this pic below

Yup…mac address table

CAM table ini berguna bagi switch untuk switching traffic *yea right man -_-; …

Lah, bener kan…switch itu bahasa indonesianya apa? pengalihan/menukar (if you recall how switch works then you’ll understand that switch is replacing mac-address for each hop both source and destination address)

هي문제는 (wkwkwk…all same meaning: the problem is)

Setiap switch naro CAM table ini di ASIC chip

And…because of hardware characteristics…there is….a limitation


The answer may vary, switch cisco cat6800 can store 128k mac addresses while cat 2960 only hold maybe 8000 mac addresses

So, what happens when the table goes full? OVERFLOW OF BROADCAST…switch revert to hub (being able to broadcast traffic only), this is the fallback mechanism of switch if its table is full

Anddd that is the goals…broadcast the traffic so we can see what being send and receive, or even worse…bring down the network


Attack and Outcome

Gw pake cisco cat3750…show mac address-table count menunjukkan bahwa ini switch sanggup nampung sekitar 6000an mac addresses

And start that kali linux…open terminal, just type macof (mac address overflow)

Anddd….now this kali linux will flood the switch with a ton of bogus mac addresses

In a matter of second (ga sampe 5 detik malah), lets see the CAM table again

From the previous 6003 down to 40…that how you bring down the network…

Makanya gw bilang jgn pake switch biasa, ga ketauan mac address table nya abis apa engga/diserang apa kaga nya

Impactnya…?? Ga usa jauh2 untuk bring down network, lets bring another brother of kali, the red hat

Gw pake RHEL 7, ip-nya

Trus gw ping ke (gateway)…dan di kali linux gw jalanin wireshark…apply filter ip.addr ==

Now we see the traffic come back and forth…ini baru ping, bagaimana klo dia ngirim sensitive data? Dengan adanya broadcast…attacker can sniff through wireshark


The Mitigation

  1. Port Security (link)
  2. An even better solution: shutdown all unused port

That’s it guys…next lets try another network-offensive security attack (if I have time to do that 😉 )

This is going to be my next writing article…network security attack…(N.O.S), do you like it? Leave a comment…