nerdexam
EC-Council

312-50V10 · Question #693

Switches maintain a CAM Table that maps individual MAC addresses on the network to physical ports on the switch. In MAC flooding attack, a switch is fed with many Ethernet frames, each containing diff

The correct answer is A. Switch then acts as hub by broadcasting packets to all machines on the network. When a switch's CAM table is exhausted by a MAC flooding attack, the switch fails open and begins broadcasting frames out all ports, effectively behaving like a hub.

Sniffing

Question

Switches maintain a CAM Table that maps individual MAC addresses on the network to physical ports on the switch. In MAC flooding attack, a switch is fed with many Ethernet frames, each containing different source MAC addresses, by the attacker. Switches have a limited memory for mapping various MAC addresses to physical ports. What happens when the CAM table becomes full?

Exhibit

312-50V10 question #693 exhibit

Options

  • ASwitch then acts as hub by broadcasting packets to all machines on the network
  • BThe CAM overflow table will cause the switch to crash causing Denial of Service
  • CThe switch replaces outgoing frame switch factory default MAC address of FF:FF:FF:FF:FF:FF
  • DEvery packet is dropped and the switch sends out SNMP alerts to the IDS port

How the community answered

(21 responses)
  • A
    86% (18)
  • B
    10% (2)
  • C
    5% (1)

Why each option

When a switch's CAM table is exhausted by a MAC flooding attack, the switch fails open and begins broadcasting frames out all ports, effectively behaving like a hub.

ASwitch then acts as hub by broadcasting packets to all machines on the networkCorrect

A switch uses the CAM table to make forwarding decisions by matching destination MAC addresses to specific ports. When the table is full, the switch cannot store new MAC-to-port mappings and defaults to flooding unknown-destination frames out every port - the same behavior as a hub. This allows an attacker on any port to capture traffic that would normally be unicast to a different segment.

BThe CAM overflow table will cause the switch to crash causing Denial of Service

The switch does not crash or enter a Denial of Service state; it continues to forward traffic but loses its ability to make intelligent unicast forwarding decisions, failing open rather than failing closed.

CThe switch replaces outgoing frame switch factory default MAC address of FF:FF:FF:FF:FF:FF

Switches do not rewrite outgoing frame MAC addresses to FF:FF:FF:FF:FF:FF; that address is the Layer 2 broadcast address used in broadcast frames, not a fallback written by the switch hardware.

DEvery packet is dropped and the switch sends out SNMP alerts to the IDS port

Switches do not drop all packets and generate SNMP alerts on CAM overflow; dropping traffic would be a fail-closed behavior, which is the opposite of what actually occurs.

Concept tested: MAC flooding CAM table overflow switch behavior

Source: https://www.cisco.com/c/en/us/support/docs/lan-switching/ethernet/10601-port-sec.html

Topics

#CAM table overflow#MAC flooding#switch hub mode#network sniffing

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice