Flood network with random MAC addresses with macof tool

October 31, 2010


Before you can be a badass hacker you need to understand what exactly it is your doing.  Today’s Lesson is on flooding a network with random MAC addresses.

Switch Behavior
If you fill up a switches table with random mac addresses different vendors switches will behave differently.

Cisco switches will keep original MAC address on its table and will only remove them if they time out. However many other switches will let their entire table get filled up with fake addresses! This is beneficial to you if you wish to receive traffic intended for other people!

What is the point of filling up switches table with fake make addresses? It forces the switch to become a hub (and you as an attacker can now see traffic on every port as all packets are now broadcasted)

Flooding a VLAN
You can group a number of ports on a switch together and say they are part of a VLAN (they are logically separated from other VLANs). Why is this helpful? Broadcast packets will only occur within the same VLAN (Even they are on the same switch).

Most switches today do not have separate tables for each VLAN. Flooding a single VLAN would force all other VLANs to flood as well (just flood their own VLAN). Why? Because if the shared table is full than each VLAN no longer knows what ports legitimate MAC address(es) are on.. so they must broadcast.

Packet Generation – MAC moving

You can use macof to generate a packet with a source mac address that is not really yours.

In this example MAC C wants to use a man in the middle attack to receive all packets from:

  • MAC 0000.CAFE.000 destined for MAC B
  • MAC B to destined for  MAC 0000.CAFE.000

To execute the attack:

MAC 0000.CAFE.000 destined for MAC B

  1. macof sends a packet to 0000.CAFE.0000 with the source MAC address of MAC B
  2. The switch will now update its routing table to think that MAC B now actually lives on interface Fa0/3 (where you sent the packet from using macof)
  3. macof needs to keep sending the first packet.
MAC B to MAC 0000.CAFE.000
macof also needs to send all packets it has intercepted to MAC B
  1. macof sends a packet to to MAC B with a source MAC address of 0000.CAFE.000
  2. the switch thinks that 0000.CAFE.000 lives at Fa0/3
  3. Now all traffic from MAC B gets routed to the machine with macof on it!

This causes the switch to updates its table and think that fake mac1 is using the interface you are on (Fa0/3) actually the host


MAC B needs to be sending packets to anyhost so the switch will update its routing table with the correct interface for MAC B (Fa0/2).


Otherwise when MAC C tries to send a packet to MAC B the switch will think both are on Fa0/3 and will drop the packet!!!!


MAC C probably won’t receive all packets in this case.  It may have to wait until the routing table times out with MAC B or flood the table to force a broadcast.

Is there a way to tell the switch that MAC B is back on Fa0/2 from MAC c?   No there is not (you must be admin on the switch), you must either force port flood or C needs to somehow send something so the switch corrects the entry

Preventing MAC Flooding and Spoofing

Switches can be configured to warn the administrator of frequent MAC address moves.

Howto: Enable MAC Address Moves Alarms on Cisco Switches
6K-1-720(config)# mac-address-table notification ? mac-move Enable Mac Move Notification
6K-1-720(config)#mac-address-table notification mac-move ?

Port Security

  • Static – only these MAC addresses can be on this port
  • Dynamic – can put a limit on how many MAC addresses can be learned, and relearn after switch restarts
  • Sticky – Dynamically learn but save in a configuration

What if port security is violated (a MAC address is different from the list of secure addresses)?

These are your options:

  • The port error-disables for a specified duration. (It can be unlimited, but if not, automatic recovery can be performed.) An Simple Network Management Protocol (SNMP) trap is generated.
  • The port drops frames from unknown addresses (protect mode).
  • The port drops frames from unknown addresses and increments a violation counter. SNMP traps generation is possible on some releases/Cisco switches (restrict mode).
The most common and recommended – dynamic mode with one MAC address for ports where a single device is supposed to connect, with a drop action on violation (restrict action).

Unknown Unicast Flooding Protection

An alert can be sent when a user-defined rate limit on unknown unicast flooding has been exceeded
Additionally it can also filter the traffic or shut down the port generating the floods when certain threshold is exceeded.



macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times]


macof floods the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing). A straight C port of the original Perl Net::RawIP macof program by Ian Vitek <[email protected]>.


-i interface Specify the interface to send on.
-s src Specify source IP address.
-d dst Specify destination IP address.
-e tha Specify target hardware address.
-x sport Specify TCP source port.
-y dport Specify TCP destination port.
-n times Specify the number of packets to send.

Values for any options left unspecified will be generated randomly.

To note: Because macoff generates random MAC addresses it sometimes generates MAC addresses that are not valid (in which case those packets will be dropped)