From charlesreid1

CAM overflow (also known as MAC flooding) is a Layer 2 (data link) attack in which an attacker floods a switch's Content Addressable Memory (CAM) table with frames carrying forged source MAC addresses, exhausting the table so that the switch can no longer learn legitimate addresses. The switch then "fails open": frames to any destination it has no entry for are flooded out of every port, the way a hub behaves, which lets the attacker eavesdrop on traffic between legitimate hosts that the switch would otherwise have kept isolated. It is a denial of service against the switch's learning function rather than against connectivity; hosts keep communicating, just no longer privately.

Background: CAM Tables

A CAM (Content Addressable Memory) table is the switch's forwarding table: it maps MAC addresses (per VLAN) to the switch port on which each address was last seen. It does not hold IP addresses; IP-to-MAC resolution is ARP's job and lives on the hosts. Every CAM table has a fixed size (on access switches typically a few thousand to a few tens of thousands of entries), and once it is full no new entries can be added until existing ones age out, commonly after about 300 seconds of inactivity.

In normal operation, a switch learns which MAC addresses are on which ports by reading the source address of every incoming frame and recording it against the ingress port. When a frame arrives for a destination MAC that is in the table, the switch forwards it only to the corresponding port. When the destination is unknown (for example because the table was full and the address could never be learned), the switch falls back to flooding the frame out of every port except the one it arrived on.

How It Works

Normal CAM Behavior

Consider a network with:

  • Alice on port 1
  • Bob on port 2
  • Charlie (attacker) on port 3

Normal operation:

  1. Alice sends an ARP request for Bob. It is a broadcast, so the switch floods it to ports 2 and 3; from the frame's source address the switch also learns that Alice is on port 1.
  2. Bob replies with a unicast frame to Alice. The switch learns from the source address that Bob is on port 2 and forwards the reply only to port 1.
  3. Subsequent traffic between Alice and Bob is forwarded only between ports 1 and 2. Charlie on port 3 sees nothing beyond the initial broadcast.

The Attack

Because CAM memory is limited, an attacker can fill the table by sending a flood of frames with randomly forged source MAC addresses. The switch learns every one of them on the attacker's own port, since it learns from the ingress port rather than from anything the frame claims, and each forged address consumes an entry until none are left.

Attack steps:

  1. Charlie sends a large number of frames with random source MAC addresses (and usually random destination addresses too, so they are flooded rather than delivered to anyone in particular).
  2. The switch learns each one on Charlie's port: "Xanjedejardin is at port 3," "Shamankalankamana is at port 3," "Chewbacca is at port 3," and so on.
  3. This continues until the CAM table is full, and the flood is kept up so that forged entries are replaced as fast as they age out.
  4. Once Bob's legitimate entry ages out (or if it was never learned), there is no free slot to add it again, and the switch no longer knows which port Bob is on.

Attack Behavior After Overflow

Once the CAM table is full:

  • Legitimate addresses can no longer be learned or re-learned, because the table has no free slots. (The switch does not process ARP itself; ARP requests are broadcasts and are flooded exactly as before.)
  • Unicast frames to any destination the switch has no entry for are flooded to every port, since the switch cannot determine the correct egress port. Entries learned before the attack keep working until they age out, so the attacker has to sustain the flood and wait for the legitimate entries to expire.
  • Charlie (the attacker) receives every frame addressed to Bob, and to any other host whose entry is gone, and can capture it with an interface in promiscuous mode. Frames leak in whichever direction the destination is unknown; under a sustained flood that eventually means both directions.
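The scenario above, worked through in code. This is an added toy model and is not code from the original page: it implements source-address learning, a fixed-capacity table with aging, and unknown-destination flooding, then replays the Alice/Bob/Charlie sequence. The capacity (8 entries), the 300-second aging time and the port numbers are assumptions chosen to keep the walk-through short; the flood frames are constructed inline the way macof builds them, with random locally administered source and destination addresses.

```python
"""Toy model of a switch CAM table under a MAC flood (added example, not from the page).

Capacity, aging time and port numbers are assumptions; real access switches hold
thousands of entries and commonly age them out after ~300 seconds of inactivity.
"""
import os
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Constructed addresses for the three hosts in the text (locally administered range).
ALICE, BOB, CHARLIE = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def make_frame(dst: str, src: str, payload: bytes = b"") -> bytes:
    """Minimal Ethernet II frame: dst(6) | src(6) | ethertype(2) | payload."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", 0x0800) + payload


def parse_frame(frame: bytes) -> tuple:
    """Return (dst, src) from the 14-byte Ethernet header."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    return mac_to_str(frame[0:6]), mac_to_str(frame[6:12])


def random_mac() -> str:
    """Random locally administered unicast MAC, like macof's forged sources."""
    raw = bytearray(os.urandom(6))
    raw[0] = (raw[0] | 0x02) & 0xFE      # set the local bit, clear the multicast bit
    return mac_to_str(raw)


class Switch:
    def __init__(self, ports, capacity: int, aging: int = 300):
        self.ports = set(ports)
        self.capacity = capacity
        self.aging = aging
        self.cam = {}                    # mac -> (port, last_seen)
        self.now = 0

    def tick(self, seconds: int) -> None:
        """Advance the clock and expire entries idle for at least `aging` seconds."""
        self.now += seconds
        for mac in [m for m, (_, seen) in self.cam.items() if self.now - seen >= self.aging]:
            del self.cam[mac]

    def _learn(self, mac: str, port: int) -> None:
        # Learning trusts only the ingress port, never anything the frame claims.
        if mac in self.cam or len(self.cam) < self.capacity:
            self.cam[mac] = (port, self.now)
        # else: table full; the frame is still forwarded but its source is not learned

    def receive(self, frame: bytes, in_port: int) -> set:
        """Learn the source address, then return the set of egress ports."""
        dst, src = parse_frame(frame)
        self._learn(src, in_port)
        if dst == BROADCAST or dst not in self.cam:
            return self.ports - {in_port}          # unknown or broadcast: flood
        return {self.cam[dst][0]}


def demo(capacity: int = 8, flood_frames: int = 50):
    """Replay the Alice/Bob/Charlie scenario; return egress sets at each stage."""
    sw = Switch(ports={1, 2, 3}, capacity=capacity)
    sw.receive(make_frame(BROADCAST, ALICE), 1)       # Alice's ARP request: learn port 1, flood
    sw.receive(make_frame(ALICE, BOB), 2)             # Bob's reply: learn port 2, deliver to 1
    before = sw.receive(make_frame(BOB, ALICE), 1)    # normal operation: only port 2

    for _ in range(flood_frames):                     # Charlie floods from port 3
        sw.receive(make_frame(random_mac(), random_mac()), 3)
    during = sw.receive(make_frame(BOB, ALICE), 1)    # Bob's pre-flood entry still valid

    sw.tick(sw.aging)                                 # idle entries age out, Bob's included
    for _ in range(flood_frames):                     # sustained flood refills the table
        sw.receive(make_frame(random_mac(), random_mac()), 3)
    sw.receive(make_frame(ALICE, BOB), 2)             # Bob talks, but there is no slot to learn him
    after = sw.receive(make_frame(BOB, ALICE), 1)     # flooded to 2 and 3: Charlie sees it
    return before, during, after, len(sw.cam)


if __name__ == "__main__":
    b, d, a, n = demo()
    print(f"before flood: {b}  during flood: {d}  after aging: {a}  CAM entries: {n}")
```

The `during` result is the detail worth noticing: straight after the flood Alice's frames still reach only port 2, because Bob's entry was learned before the table filled. Only after the aging timer clears it, while the flood keeps the table full, does the switch start flooding Bob's traffic to Charlie.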

Tools

  • macof: part of Dug Song's dsniff suite; the dsniff version is a C port of Ian Vitek's original Perl script and dates back to 1999. It floods the segment with frames carrying random source and destination MAC addresses at high speed.
  • Yersinia: a multi-protocol Layer 2 attack framework (STP, CDP, DTP, DHCP, HSRP, VTP, 802.1Q and others) aimed at the same switching infrastructure that CAM overflow targets.
  • See also: DoS/Mac Flood for a Python/Scapy-based MAC flood script.

Relation to Other Attacks

CAM overflow is primarily a sniffing technique and is often a first step toward man-in-the-middle attacks: once the attacker can see traffic on the segment, the usual follow-ons are ARP spoofing or session hijacking against the hosts identified in the capture. It is only meaningful on switched networks, which is nearly every modern Ethernet network; on a hub every port already sees every frame. The standard defense is port security, which caps the number of MAC addresses a switch will learn on an access port (for example Cisco IOS `switchport port-security maximum`) and shuts down or restricts the port when the cap is exceeded, so a flood from one port cannot exhaust the shared table.
