MAC Flooding Attack

A data link layer acts as a medium for communication between two directly connected hosts. At the sending front, it transforms the data stream into signals bit by bit and transfers it to the hardware.  On the contrary, as a receiver, it receives data in the shape of electrical signals and transforms them into an identifiable frame.

MAC can be classified as a sublayer of the data link layer that is accountable for physical addressing. MAC address is a unique address for a network adapter allocated by the manufactures for transmitting data to the destination host. If a device has several network adapters i.e., Ethernet, Wi-Fi, Bluetooth, etc., there would be different MAC addresses for each standard.

In this article, you’ll learn how this sublayer gets manipulated to execute the MAC flooding attack and how we can prevent the attack from happening.


MAC (Media Access Control) Flooding is a cyber-attack in which an attacker floods network switches with fake MAC addresses to compromise their security. A switch does not broadcast network packets to the whole network and maintains network integrity by segregating data and making use of VLANs (Virtual Local Area Network).

The motive behind MAC Flooding attack is to steal data from a victim’s system that is being transferred into a network. It can be achieved by forcing the switch’s rightful MAC table contents out, and the switch’s unicast behavior. This results in the transfer of sensitive data to other parts of the network and eventually turning the switch into a hub and causing significant quantities of incoming frames to be flooded out on all ports. Therefore, it is also called the MAC address table overflowing attack.

The attacker can also use an ARP spoofing attack as a shadow attack to allow himself to continue having access to private data afterward the network switches retrieve themselves from the early MAC flooding attack.


To rapidly saturate the table, the attacker floods the switch with a huge number of requests, each with a fake MAC address. When the MAC table reaches the allocated storage limit, it begins removing old addresses with the new ones.

After removing all the legitimate MAC addresses, the switch starts broadcasting all the packets to every switch port and takes on the role of network hub. Now, when two valid users attempt to communicate, their data is forwarded to all available ports, resulting in a MAC table flooding attack.

All the legitimate users will now be able to make an entry until this is completed. In these situations, malicious entities make them a part of a network and send malicious data packets to the user’s computer.

As a result, the attacker will be able to capture all the ingoing and outgoing traffic passing through the user’s system and can sniff the confidential data it contains. The following snapshot of the sniffing tool, Wireshark, displays how the MAC address table is flooded with bogus MAC addresses.

Attack Prevention

We must always take precautions to secure our systems. Fortunately, we have tools and functions to stop intruders from entering the system and to respond to attacks that put our system at risk. Stopping the MAC flooding attack can be done with port security.

We can achieve that by enabling this feature in port security by using the switchport port-security command.

Specify the maximum number of addresses that are allowed on the interface using the “switchport port-security maximum” value command as below:

switch port-security maximum 5

By defining the MAC addresses of all known devices:

switch port-security maximum 2

By indicating what ought to be done if any of the above terms are violated. When a violation of switch Port Security occurs, Cisco switches may be configured to respond in one of three ways; Protect, Restrict, Shutdown.

The protect mode is the security infringement mode with the least security. Packets that have unidentified source addresses are dropped, if the number of secured MAC addresses exceeds the port’s limit. It can be avoided if the number of specified maximum addresses that can be saved in the port is increased or the number of secured MAC addresses is lowered.  In this case, no evidence can be found of a data breach.

But in the restricted mode, a data breach is reported, when a port security violation occurs in the default security violation mode, the interface is error-disabled and the port LED is killed. The breach counter is incremented.

The shutdown mode command can be used to get a secure port out of the error-disabled state. It can be enabled by the command mentioned below:

switch port-security violation shutdown

As well as no shutdown interface setup mode commands can be used for the same purpose. These modes can be enabled by the use of the commands given below:

switch port-security violation protect

switch port-security violation restrict

These attacks can also be prevented by authenticating the MAC addresses against the AAA server known as authentication, authorization, and accounting server. And by disabling the ports that aren’t used quite often.


The effects of a MAC flooding attack can differ considering how it is implemented. It can result in the leak of personal and sensitive information of the user that could be used for malicious purposes, so its prevention is necessary. A MAC flooding attack can be prevented by many methods including the authentication of discovered MAC addresses against “AAA” Server, etc.

About the author

Usama Azad

A security enthusiast who loves Terminal and Open Source. My area of expertise is Python, Linux (Debian), Bash, Penetration testing, and Firewalls. I’m born and raised in Wazirabad, Pakistan and currently doing Undergraduation from National University of Science and Technology (NUST). On Twitter i go by @UsamaAzad14