jump to navigation

Flood network with random MAC addresses with macof tool March 4, 2011

Posted by Tournas Dimitrios in Linux admin tools.

Macof is a member of the Dsniff suit toolset and mainly used to flood the switch on a local network with MAC addressess . The reason for this is that the switch regulates the flow of data between its ports. It actively monitors (cache)  the MAC address on each port, which helps it pass data only to its intended target. This is the main difference between a switch and passive hub. A passive hub has no mapping, and thus broadcasts line data to every port on the device. The data is typically rejected by all network cards, except the one it was intended for. However, in a hubbed network, sniffing data is very easy to accomplish by placing a network card into promiscuous mode. This allows that device to simply collect all the data passing through a hubbed network. While this is nice for a hacker, most networks use switches, which inherently restrict this activity.

Dsniffs “macof” generates random MAC addresses exhausting the switch’s memory. It is capable of generating 155,000 MAC entries on a switch per minute. Some switches than revert to acting like a hub.

The following question then arises: What happens if the switch is asked to process a constant stream of MAC addresses? In certain circumstances and on certain switches, this will cause the switch to go into a fail-safe mode, in which it basically turns into a hub. In other words, by overloading the switch, a hacker could have access to all the data passing through the switch! One tool for doing this is called “macof” To use “macof”, you will need to install the ‘dnsiff’ suite .

macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times]
-i interface Specify the interface to send on.
-s src Specify source IP address.
-d dst Specify destination IP address.
-e tha Specify target hardware address.
-x sport Specify TCP source port.
-y dport Specify TCP destination port.
-n times Specify the number of packets to send.

macof produces a lot of traffic on the network , it is a good practice to define a large number for the mac-flood  attack  with the ” -n xxxx” option ( if no option is specified –> infinite flooding) . Some switches regain their initial state after some time interval , this can be bypassed by setting macof in ” burst mode operation ” :
# while  [ 1 ]  ; do macof -d -n 100000 ; sleep 50 ; done

Links :



1. Switches | Jeff Morrell Rocks - October 26, 2015

[…] layer 2 attacks from tools like (DSNIFF, MACOFF) by securing your ports first and foremost. A hacker can connect to a port and flood the MAC table […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s