Storm Control (Mitigating MAC Flooding Attacks)

When I was preparing for the CCNP SWITCH exam I labbed up some Switch Security features and decided to make a post about a network attack that can happen from the inside of your Network: “MAC Flooding”. MAC Flooding is where an attacker who has gained access to a Switch Port, or has compromised a compliant end device with malicious code, rapidly sends a large number of Frames (each with a unique source MAC Address) into a Switch with the intent of overloading its CAM Table ("Content Addressable Memory", where MAC Addresses are stored; synonymous with the “MAC-Address Table”). The issue is that once a Switch has reached its limit for how many MAC Addresses it can store at a time (before they are aged out), it can no longer store any subsequent MAC Addresses. So when a device wants to communicate with a legitimate host, the Switch ends up having to ‘Flood’ that Frame out of all ports in order to find out which port that MAC Address is reachable on. In short, the Switch loses its ability to “learn” MAC Addresses in this state. All incoming Unicast Frames are essentially “Unknown Unicasts”, since the Switch has no record of the Destination MAC Address in its CAM Table. This event can lead up to what is known as a "Broadcast Storm".

The “end-game” of this type of attack is essentially “DoS” (Denial of Service). If a Switch is being flooded with Broadcast Frames, it saturates all of the ports on the Switch, causing significant performance degradation, consuming a lot of bandwidth on all of the affected VLANs and also taxing the CPU on the Switch, which could render it non-functional. This exploit also makes the Switch behave like a "Hub", which sends incoming Frames out to all other ports regardless of the destination. The attacker can then capture traffic from any device connected to the Switch, since every flooded Frame now reaches the attacker's port as well.

One solution to this is simply to configure “Port-Security” on the switchports that end-user machines plug into to access the Network. While it is best practice to use Port Security in general, as it can ward off users plugging consumer Switches into a wall jack and connecting multiple machines to your network, an enhancement can be added to mitigate MAC Flooding:

Storm Control is a feature that is more scalable and allows more flexibility. Storm Control lets you set a threshold for Broadcast, Multicast and Unicast Traffic entering a switchport that triggers a specific action when it is exceeded. The port only returns to its previous state once traffic falls below the ‘Falling Threshold’ (if one has been configured). The “action” that can be configured is shutting down (err-disabling) the port and/or sending a Trap to the NMS via SNMP once a threshold has been exceeded.

In my lab scenario, I connected a laptop to a switchport (port 13) that I configured with storm-control. In the first screenshot, we can see the options for policing broadcast, multicast and unicast traffic:

- For the broadcast traffic, we set a threshold of 50, meaning when 50% of the available bandwidth on that port has been exceeded, take the configured action.
- For the multicast traffic, we set a rising threshold of 1024 packets per second and a falling threshold of 512 pps. When multicast traffic exceeds 1024 pps, take action, and when it falls below 512 pps, reverse the action.
- As a demonstration, I configured the unicast threshold to a ridiculously low level, like 10 packets per second, and set an action to shut down the port if that threshold was exceeded. I had a YouTube page up when I entered the command and immediately after it was entered, I received a Syslog notification that a “packet storm” was detected and the configured action was taken (err-disabling the port).


(Yes, that's a Metrocard that I'm using as a bookmark.)


We can also verify our storm-control operation using the “show storm-control” Privileged EXEC mode command. In the image we can see that the Link is down due to the configured threshold being exceeded.


We could also use the ‘Err-Disable Recovery’ feature to automatically bring a port out of the err-disabled state, as opposed to manually disabling and re-enabling the port. This feature is most useful when you set a long enough interval after an event has taken place to give you time to resolve the issue before it attempts to automatically recover the port. Since I left the conditions the same, when Err-Disable Recovery attempted to recover the port, Storm Control shut the port right back down:
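The thresholds from the lab above and the err-disable recovery timer, written out as an IOS configuration. This is an added example, not the author's lab config or screenshots; the interface name GigabitEthernet1/0/13 and the 300 second recovery interval are assumptions.

```cisco
! Added example (not the author's lab config): storm-control on the access
! port the laptop plugs into, plus err-disable recovery. Interface name and
! recovery interval are assumptions.
interface GigabitEthernet1/0/13
 description Access port - lab laptop
 switchport mode access
 ! Broadcast: act once broadcast traffic exceeds 50% of the port bandwidth
 storm-control broadcast level 50
 ! Multicast: rising threshold 1024 pps, falling threshold 512 pps
 storm-control multicast level pps 1024 512
 ! Unicast: deliberately low (10 pps) so the demo trips immediately; in
 ! production derive this value from a baseline of normal traffic on the port
 storm-control unicast level pps 10
 ! Actions: err-disable the port and send an SNMP trap to the NMS
 storm-control action shutdown
 storm-control action trap
!
! Global: let the switch bring the port back automatically; the interval
! should be long enough to investigate before the port is re-enabled
errdisable recovery cause storm-control
errdisable recovery interval 300
!
! Verification (Privileged EXEC):
!   show storm-control GigabitEthernet1/0/13
!   show interfaces status err-disabled
!   show errdisable recovery
```

If the unicast storm is still running when the recovery timer fires, the port is err-disabled again straight away, which is the flapping behaviour shown in the screenshot above.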


As we can see, Storm Control is a useful feature that allows us to not only mitigate MAC Flooding attacks, but also to police traffic at Layer 2 to ensure proper bandwidth usage. I hope this was insightful!
