In our LAN, we have detected in a specific port of one of our Catalyst 3550, MAC address table for this port increases and decreases quickly showing MAC addresses we don't know (as in our network most of PC MAC addresses are locally administered). We know there are one or 2 hubs connected to this port and a maximum of 30 PCs, but sometimes we see 600 MAC addresses in this port.
Is this behaviour a symptom of a virus or some kind of attack?
There are programs out there that are designed to generate traffic from different MAC addresses with the aim of bringing down the switch. The way they work is to overflow the forwarding table, at which point the switch becomes a hub, and you can snoop all its traffic. The best known goes by the dubious name of MACOFF. But somehow I don't think that is what is happening - if it was that, then you would be seeing many thousands of MAC addresses, and not just a few hundred.
You say that the PC MAC addresses are locally administered, and that you do not recognise these rogue addresses. But is there any pattern to them? Do you recognise the maker's ID in the first 3 bytes? Here is a web page to help you:
You say there are "one or two" hubs connected to that port, and I find that curious. Is it one, or is it two? Because with 600 addresses, I think it is much more likely that some network topology issue is causing the whole network to be seen behind that port. How many hosts do you have on the LAN altogether? Is it possible that the hub(s) has/have been connected at two different points on your network?
I've already seen port-security feature and applied to that specific port. So now MAC flooding has stopped.
Kevin, regarding what you say about maker's id, curiously first 3 bytes are random, but some patterns repeat in the last 2 bytes and, about "our whole network to be seen behind that port" I think in that case we would see a lot of well-known locally administered MAC addresses in that port, wouldn't we?
I agree with you, if it was a DoS attack we would see thousands of MAC addresses, so we are suspecting some kind of software (maybe malicious or misconfigured) generating those MAC addresses. Have you seen this before?
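An added example (not code from anyone in this thread) that applies the checks discussed above to a `show mac address-table` listing: hosts seen per port against the expected maximum, the locally administered bit in the first octet, how many distinct maker OUIs (first 3 bytes) appear, and whether the last 2 bytes repeat. The table contents, port names and threshold are constructed.

```python
import re
from collections import Counter

# Constructed sample of "show mac address-table" output; no real hosts.
SAMPLE_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0200.5e10.0001    DYNAMIC     Fa0/1
  10    0200.5e10.0002    DYNAMIC     Fa0/1
  10    0200.5e10.0003    DYNAMIC     Fa0/2
  10    3c5f.a1b2.c3d4    DYNAMIC     Fa0/7
  10    9c11.22ab.c3d4    DYNAMIC     Fa0/7
  10    d4e3.77de.c3d4    DYNAMIC     Fa0/7
  10    1c0c.f3ee.c3d4    DYNAMIC     Fa0/7
"""

ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)

def parse_mac_table(text):
    """Return (vlan, mac as 12 hex chars, port) for each learned entry."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).replace(".", "").lower(), m.group(3)))
    return rows

def is_locally_administered(mac12):
    """The U/L bit is bit 1 (0x02) of the first octet; set means locally administered."""
    return bool(int(mac12[:2], 16) & 0x02)

def analyse_port(rows, port, expected_max_hosts):
    """Summarise what one port has learned and flag the signs raised in the thread."""
    macs = [mac for _, mac, p in rows if p == port]
    n = len(macs)
    local = sum(1 for m in macs if is_locally_administered(m))
    ouis = Counter(m[:6] for m in macs)        # maker's ID, first 3 bytes
    suffixes = Counter(m[-4:] for m in macs)   # last 2 bytes, where the OP saw repeats
    return {
        "port": port,
        "count": n,
        "locally_administered": local,
        "distinct_ouis": len(ouis),
        "repeated_suffixes": {s: c for s, c in suffixes.items() if c > 1},
        "exceeds_expected": n > expected_max_hosts,
        # Heuristic: every address carries a different OUI and none is locally
        # administered, unlike the site's own PCs, so the OUIs look random.
        "random_oui_suspected": n >= 4 and len(ouis) == n and local == 0,
    }
```

Run it against a real `show mac address-table` capture by replacing `SAMPLE_TABLE`; a port whose summary shows `exceeds_expected` and `random_oui_suspected` together is the one to look at, and a topology loop would instead show the site's own locally administered addresses behind that port.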