CAM tables are analogous to the routing tables on a Layer 3 device.
Background
All frames arriving on the switch are checked against the CAM table. If an entry is found for the frame's
destination MAC address, the switch forwards the frame only to the designated outgoing port. If the destination
MAC address is not found in the CAM table, the switch forwards the frame out of every port except the one it
arrived on, effectively acting like a hub. When the target device replies, the switch learns that device's MAC
address and ingress port from the reply and updates the CAM table, so subsequent frames to that destination MAC
address are forwarded to that single port.
The Problem
Switches do not have unlimited memory; hence, the CAM table has a fixed allocated memory space. This makes the
switch vulnerable to a sniffing attack: flooding the switch with a large number of randomly generated, invalid
source and destination MAC addresses fills the CAM table until no new entries can be accepted. When this
happens, the switch can no longer learn addresses and falls back to hub mode, in which it broadcasts frames for
unknown destinations to all the ports on the switch, essentially turning it into one big broadcast domain. CAM
table overflow floods traffic only within the local VLAN; hence, the attacker is limited to receiving traffic
from the VLAN to which it is connected.
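The learn, forward and flood behaviour above, and what happens once the fixed-size table is full, as an added example that is not part of the original text: a toy Python model of a switch CAM table. The `Switch` class, its `per_port_limit` (a port-security-style cap on MAC addresses learned per port, which the text does not discuss), and the MAC addresses in `demo` are all constructed for illustration.

```python
class Switch:
    def __init__(self, ports, capacity, per_port_limit=None):
        self.ports = set(ports)
        self.capacity = capacity              # fixed CAM table size
        self.per_port_limit = per_port_limit  # optional per-port learn limit (assumed mitigation)
        self.cam = {}                         # MAC -> port
        self.disabled = set()                 # ports shut down for exceeding the learn limit
        self.learn_failures = 0               # learns refused because the table was full

    def _learn(self, src, port):
        if src in self.cam:                   # refresh an existing entry
            self.cam[src] = port
            return
        if self.per_port_limit is not None:
            learned_here = sum(1 for p in self.cam.values() if p == port)
            if learned_here >= self.per_port_limit:
                self.disabled.add(port)       # violation: err-disable the port
                return
        if len(self.cam) >= self.capacity:
            self.learn_failures += 1          # table full: frame still forwarded, never learned
            return
        self.cam[src] = port

    def forward(self, in_port, src, dst):
        """Return the set of egress ports for one frame."""
        self._learn(src, in_port)
        if in_port in self.disabled:          # violating frame and everything after it is dropped
            return set()
        out = self.cam.get(dst)
        if out is None:                       # unknown destination: flood like a hub
            return self.ports - {in_port}
        if out == in_port:                    # destination is on the ingress segment: filter
            return set()
        return {out}


def demo(capacity=8, per_port_limit=None):
    """Run the scenario from the text and report where a unicast frame ends up."""
    sw = Switch(ports=[1, 2, 3], capacity=capacity, per_port_limit=per_port_limit)
    a, b, d = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "dd:dd:dd:dd:dd:dd"
    sw.forward(1, a, b)                       # B unknown: flooded; A learned on port 1
    sw.forward(2, b, a)                       # reply: B learned on port 2, unicast to port 1
    for i in range(10):                       # burst of never-seen source MACs on port 3 (constructed)
        sw.forward(3, f"02:00:00:00:00:{i:02x}", "ff:ff:ff:ff:ff:ff")
    sw.forward(2, d, a)                       # new legitimate host D on port 2 tries to get learned
    egress = sw.forward(1, a, d)              # A sends to D: unicast to port 2, or flooded?
    return sorted(egress), sw.learn_failures, sorted(sw.disabled)
```

Without a per-port limit `demo()` shows the frame for D reaching port 3 as well, because D could never be learned; with `per_port_limit=3` port 3 is shut down after its third new address and the frame reaches port 2 only.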