MAC Address Flooding
Marcus W. Johnson
![Marcus W. Johnson]()
Marcus W. Johnson
Cyber Threat Intelligence Engineer |MSc. Cybersecurity |SASE |SSE |ISC2 CC |ICS/OT Risks |MITRE ATT&CK Defender |Adversary Emulation & Detection Engineer |SOC/XDR |IAM|AI/ML |Security Controls Validation Engineer|
MAC address flooding attacks bombard the switch with fake source MAC addresses until the switch MAC address table is full. At this point, the switch treats any further transmitting frame as an unknown unicast and begins to flood all incoming traffic out all ports on the same VLAN without referencing the MAC table. The threat actor can now capture all of the frames sent from one host to another on the local LAN or local VLAN. The threat actor uses specially crafted or other open source tools to rapidly generate many random source and destination MAC and IP. To mitigate MAC table overflow attacks, network administrators must implement port security.