[unisog] Odd MAC addresses on switch

Ray Strubinger rays at phhp.ufl.edu
Mon Jul 12 14:29:34 GMT 2004


Finding a large number of MAC addresses on a switch port could be an
indication that the user is trying to sniff the network traffic by
flooding the CAM table which could cause a switch to fail open and make
it act like hub.

There are tools that are designed to flood switches with MAC addresses.
 Macof from the dsniff suite is one tool that can be used to do MAC
flooding.

As a countermeasure, you could enable MAC binding on the switch which
will prevent the MAC address from changing once it's set.

-Ray



More information about the unisog mailing list