
CAM Table Attacks: How Attackers Break Switched Networks

April 9, 2026

Picture this. You are sitting in a cafe, connected to the office network through a switch. Your colleague in the next room is sending a confidential email. You should not be able to read it; the switch is supposed to make sure of that. But an attacker sitting two desks away just ran a single command. Now every packet on that network is flowing straight to their laptop.

No one noticed. Nothing crashed. The switch is still running.

This is a CAM table attack, and it is one of the cleanest ways to break a switched network wide open.

Before the Attack: How a Switch Actually Thinks

Every device on a network has a MAC address: a unique hardware identifier burned into its network card at the factory. When your laptop connects to a switch, the switch does not just let the traffic flow blindly. It builds a map, called the CAM table (CAM stands for content-addressable memory), of which MAC address is connected to which physical port.

So when your laptop sends a packet to the printer, the switch checks its CAM table, finds the printer’s port, and delivers that packet there and only there. The person next to you sees nothing. That is the whole point of a switch. That is what makes it better than a hub.

The CAM table is constantly being updated as devices connect and disconnect. New device on port 3? Logged. Old device disconnected? Entry ages out. The switch is always learning.

The One Problem: This Table Has a Size Limit

Here is the thing nobody tells you at first. The CAM table is not unlimited. Every switch has a fixed amount of memory set aside for it. It can hold a certain number of MAC address entries, and when that limit is hit, something unexpected happens.

The switch panics, in a way. It can no longer figure out where to send packets. So it does the only thing it can: it floods every single packet out of every single port. In other words, it stops being a switch and starts behaving exactly like a hub.

Every device on the network suddenly receives every packet. And if someone is sitting there with their NIC in promiscuous mode (a setting that tells the network card to accept all traffic, not just traffic addressed to it), they can read all of it. Passwords. Session cookies. Emails. Everything that travels in plaintext.

This is called fail-open mode, and triggering it is exactly what a MAC flooding attack is designed to do.

The Attack: What the Attacker Actually Does


The attacker connects to the network and opens a terminal. They run a tool called macof, a simple Unix/Linux utility (part of the dsniff suite) that generates random fake MAC addresses and floods them into the switch at high speed. We are talking 131,000 fake entries per minute.

The switch has no way to verify whether these MAC addresses are real. It just logs every single one. Within seconds, the CAM table is completely full. Legitimate entries get pushed out. The switch enters fail-open mode. Traffic floods every port.

The attacker flips their NIC to promiscuous mode and starts capturing. From this point on, they can see every conversation happening on that network, not just traffic addressed to them.

The worst part? The switch is still running. No errors. No alerts. No indication anything is wrong unless someone is actively monitoring for it.

Switch Port Stealing: The Surgical Version


MAC flooding is loud: it affects the entire network. Switch port stealing is quieter and more targeted.

Instead of filling the CAM table entirely, the attacker sends forged ARP packets using the target machine's MAC address as the source. The switch gets confused: it keeps seeing the same MAC address arriving from two different ports and cannot decide which one is correct. If the attacker is fast enough, the switch starts forwarding the target's traffic to the attacker's port instead. The attacker intercepts the packets, reads them, and forwards them on. The victim never notices.

Stopping It: Port Security


The defense is called port security, and it is built into most managed switches. The idea is straightforward: you tell the switch how many MAC addresses are allowed on each port. If that number is exceeded, the switch knows something is wrong.

When a violation is detected, the switch can either drop the suspicious packets and send an alert, or shut the port down entirely. Either way, the flooding attempt is stopped before the CAM table overflows.

On a Cisco switch, enabling this on an access port takes a few lines (the interface name below is a placeholder; port security only applies to a port in access mode):

interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky

That last command, sticky, is particularly useful. It tells the switch to automatically learn and permanently lock the MAC address of whatever device first connects to that port. Any other MAC address trying to come in gets rejected immediately.
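To make the mechanics above concrete, here is a small Python model of a switch's CAM table, written for this article and not taken from any switch firmware or vendor code. It shows the flooding attack from the earlier section (a full table evicts the victim's entry, so the victim's traffic is flooded to every port) and the port-security defense (a second MAC on a port with a maximum of 1 trips the shutdown violation, and a sticky MAC appearing on another secure port is rejected). All MAC addresses, port numbers and the capacity of four entries are constructed for the example.

```python
from collections import OrderedDict

class Switch:  # toy CAM-table model: learning, fail-open flooding, port security
    def __init__(self, cam_capacity, ports):
        self.capacity = cam_capacity          # fixed CAM memory, in entries
        self.ports = list(ports)
        self.cam = OrderedDict()              # mac -> port, oldest entry first
        self.max_per_port = {}                # port -> port-security maximum
        self.secure = {}                      # port -> sticky-learned MACs
        self.shutdown = set()                 # err-disabled ports

    def enable_port_security(self, port, maximum=1):
        self.max_per_port[port] = maximum
        self.secure[port] = set()

    def receive(self, port, src_mac):
        """Frame arrives on port; returns 'learned', 'violation' or 'dropped'."""
        if port in self.shutdown:
            return "dropped"
        if port in self.max_per_port:
            # violation: one MAC beyond the maximum, or a MAC locked to another secure port
            owner = next((p for p, macs in self.secure.items() if src_mac in macs), None)
            if owner not in (None, port) or (
                    owner is None and len(self.secure[port]) >= self.max_per_port[port]):
                self.shutdown.add(port)       # violation mode "shutdown"
                return "violation"
            self.secure[port].add(src_mac)
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)
        elif len(self.cam) >= self.capacity:
            self.cam.popitem(last=False)      # table full: oldest (legitimate) entry pushed out
        self.cam[src_mac] = port
        return "learned"

    def forward(self, dst_mac, in_port):
        """Egress ports: the learned port, or all other ports when unknown (fail-open)."""
        port = self.cam.get(dst_mac)
        return [port] if port is not None else [p for p in self.ports if p != in_port]

VICTIM = "aa:aa:aa:aa:aa:01"                  # constructed sample addresses
FAKES = [f"de:ad:be:ef:00:{i:02x}" for i in range(4)]

def flood_demo(port_security=False):
    """macof-style flood from port 4 while a host on port 2 sends to the victim on port 1."""
    sw = Switch(cam_capacity=4, ports=[1, 2, 3, 4])
    if port_security:
        sw.enable_port_security(4, maximum=1)
    sw.receive(1, VICTIM)
    results = [sw.receive(4, mac) for mac in FAKES]
    return results, sw.forward(VICTIM, in_port=2)
```

Without port security, flood_demo() reports every fake MAC as learned and the victim's frames go to ports 1, 3 and 4; with it, the second fake MAC shuts port 4 down and the victim's frames still reach only port 1.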

The Bigger Picture


CAM table attacks are a perfect example of why understanding how something works is more valuable than just knowing that it exists. The switch is doing exactly what it was designed to do; it just was not designed with an attacker in mind. The fail-open behavior was never a bug. It was a safety feature to keep traffic flowing when memory ran out. Attackers simply learned to abuse it.

This is a pattern you will see again and again in cybersecurity. Every design decision has a trade-off. Every trade-off has an attack surface.

Edwin Saji

Intern at Edwhere

Google Cybersecurity