macof
Flood network with random MAC addresses
SYNOPSIS
macof [-i interface] [-s src] [-d secs] [-n pkts]
PARAMETERS
-i interface
Specifies the network interface through which to send flood packets.
-s src
Sets the source IP address for the generated packets.
-d secs
Defines the delay in seconds between bursts of flood packets.
-n pkts
Specifies the total number of packets to send. A value of 0 indicates unlimited packets.
DESCRIPTION
macof is a utility from the dsniff suite, designed to perform MAC address flooding attacks. Its primary purpose is to overwhelm network switches with a large number of randomly generated MAC addresses. By continuously sending spoofed Ethernet frames or ARP requests with unique source MAC addresses, macof aims to exhaust the switch's Content Addressable Memory (CAM) table, also known as the MAC address table.
When a switch's CAM table is full, it can no longer learn new MAC-to-port mappings, and as legitimate entries age out the flood of bogus addresses takes their place. Depending on the switch's configuration and vendor implementation, it may then "fail open" and behave like a hub: frames whose destination it can no longer look up are flooded to every port in the VLAN instead of being delivered only to the intended recipient. This lets an attacker capture unicast traffic that would normally be visible only to specific hosts, enabling passive sniffing and man-in-the-middle attacks.
macof is a powerful tool for security auditing and penetration testing, used to identify network vulnerabilities and demonstrate the importance of switch security features like port security and MAC address limiting. However, its use without explicit permission is illegal and can cause significant network disruption and performance degradation.
CAVEATS
macof can cause severe network disruption, leading to performance degradation and even temporary outages. Use with extreme caution and only on networks where you have explicit authorization.
Modern network switches often employ security features such as port security, MAC limiting, and ARP inspection. These cap the number of MAC addresses a single port may source and typically respond to a violation by shutting the port down or raising an alarm, so a flood is contained at the offending port rather than consuming the shared CAM table; against such a switch, MAC flooding is largely ineffective and is likely to be noticed.
The use of macof without permission is illegal and unethical. It is primarily intended for legitimate security testing and vulnerability assessment.
PURPOSE
macof is used in penetration testing and security assessments to evaluate a network's resilience against MAC flooding. Successful execution can demonstrate how attackers might bypass network segmentation or sniff traffic on a supposedly secure switched network.
MECHANISM
The attack relies on generating and sending a vast number of unique MAC addresses, typically within spoofed ARP requests, to the switch. The switch's CAM table, which maps MAC addresses to physical ports, has a finite capacity. When this table overflows, the switch may revert to behaving like a hub, forwarding all traffic to all ports within the VLAN, thereby exposing sensitive data.
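The following is an added illustration, not code from dsniff or from the macof documentation: a toy model of a switch CAM table that shows, for the DESCRIPTION and MECHANISM sections above, why a flood of unique source MACs makes the switch forward frames for unlearned destinations out of every port, and, for the CAVEATS section, how a per-port MAC limit (port security) contains the flood and leaves a record of the violation. The table size, port numbers, port limit and all MAC addresses are constructed for the example; a real switch holds thousands of entries. Nothing is sent on the wire; the "flooder" is a loop that feeds constructed frames into the model.

```python
"""
Added example (not part of dsniff or the macof man page): a toy switch CAM
table with optional port security. All sizes, ports and MAC addresses are
constructed for illustration.
"""
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str        # source MAC address
    dst: str        # destination MAC address
    in_port: int    # port the frame arrived on


@dataclass
class Switch:
    ports: List[int]
    capacity: int                        # total CAM entries the switch can hold
    port_limit: Optional[int] = None     # max MACs learned per port; None = no port security
    cam: OrderedDict = field(default_factory=OrderedDict)       # mac -> port, oldest first
    seen: Dict[int, Set[str]] = field(default_factory=dict)     # port -> distinct source MACs observed
    disabled: Set[int] = field(default_factory=set)             # ports shut down by port security
    violations: List[Tuple[int, str]] = field(default_factory=list)

    def _learn(self, src: str, in_port: int) -> None:
        if src in self.cam:
            self.cam.move_to_end(src)     # refresh the entry's age
            return
        if self.port_limit is not None:
            on_port = sum(1 for p in self.cam.values() if p == in_port)
            if on_port >= self.port_limit:
                # Port-security violation: shut the port and record it for the log.
                self.disabled.add(in_port)
                self.violations.append((in_port, src))
                return
        if len(self.cam) >= self.capacity:
            return                        # table full: the new mapping is not learned
        self.cam[src] = in_port

    def receive(self, frame: Frame) -> List[int]:
        """Process one ingress frame and return the ports it is forwarded to."""
        if frame.in_port in self.disabled:
            return []                     # a shut port delivers nothing
        self.seen.setdefault(frame.in_port, set()).add(frame.src)
        self._learn(frame.src, frame.in_port)
        out_port = self.cam.get(frame.dst)
        if frame.dst != BROADCAST and out_port is not None:
            return [out_port]             # known unicast: one egress port only
        # Broadcast or unknown destination: flooded to every other live port (hub behaviour).
        return [p for p in self.ports if p != frame.in_port and p not in self.disabled]

    def suspicious_ports(self, threshold: int) -> List[int]:
        """Monitoring check: ports that sourced more distinct MACs than one host plausibly would."""
        return sorted(p for p, macs in self.seen.items() if len(macs) > threshold)


HOST_A, HOST_B = "00:00:00:00:00:0a", "00:00:00:00:00:0b"   # constructed host addresses


def run_scenario(port_limit: Optional[int] = None) -> dict:
    """Host A on port 1, a flooder on port 3, host B appears on port 2 after the flood."""
    sw = Switch(ports=[1, 2, 3, 4], capacity=8, port_limit=port_limit)
    sw.receive(Frame(HOST_A, BROADCAST, in_port=1))          # host A is learned normally
    for i in range(50):                                       # constructed unique source MACs
        fake = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"     # stand in for a flooder's random ones
        sw.receive(Frame(fake, BROADCAST, in_port=3))
    sw.receive(Frame(HOST_B, HOST_A, in_port=2))              # host B tries to get learned on port 2
    egress = sw.receive(Frame(HOST_A, HOST_B, in_port=1))     # A replies to B: which ports see it?
    return {
        "cam_entries": len(sw.cam),
        "b_learned": HOST_B in sw.cam,
        "reply_egress": egress,
        "flooder_sees_reply": 3 in egress,
        "disabled_ports": sorted(sw.disabled),
        "violations": len(sw.violations),
        "alerted_ports": sw.suspicious_ports(threshold=16),
    }


if __name__ == "__main__":
    print("no port security:", run_scenario())
    print("port limit 2    :", run_scenario(port_limit=2))
```

Without port security the table fills with seven bogus entries beside host A, host B can never be learned, and A's reply to B is flooded out of ports 2, 3 and 4, so the flooder on port 3 receives a unicast frame it was never meant to see; the only sign is that port 3 has sourced far more distinct MACs than any host should, which is what the `suspicious_ports` check flags. With a per-port limit of two, the third bogus address shuts port 3 down and is recorded as a violation, host B is learned normally, and the reply goes to port 2 alone.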
HISTORY
macof is a core utility of the dsniff suite, a collection of network auditing tools developed by Dug Song. The dsniff suite was first released in the late 1990s (around 1999-2000), quickly becoming a popular choice for penetration testers and network security professionals. Its development aimed to expose vulnerabilities in common network protocols and devices, particularly regarding network sniffing and Man-in-the-Middle (MITM) attacks. While network defenses have evolved, macof remains a classic tool for demonstrating fundamental switch security flaws.