Enhancing the performance and security against media-access-control table overflow vulnerability attacks

A media-access-control (MAC) table of switches is used to store the MAC addresses of stations in a local area network (LAN) segment to enable frame forwarding. Each incoming frame is broadcast to all switch ports through a switch backplane when an MAC address is not registered in the MAC table. If an address is registered, the switch forwards the frame to the port connected to the destination host. An MAC table overflow (MTO) vulnerability attack causes the MAC table of all switches to overflow in an LAN segment, and all incoming frames are broadcast to every port in the switch. The attack degrades switch-based LANs (each port of a switch comprises an individual operating domain and switch bandwidth) to bus-based LANs (all ports are bounded to one operating domain and share a bandwidth similarly to a hub), causing information leakages and reducing the effective bandwidth; a virtual LAN configuration can reduce but not eliminate the associated damage. This paper presents the security effect of an MTO vulnerability attack, and a novel per-port-based MAC table design is proposed to solve this type of vulnerability. The experimental results indicate that the mechanism of the proposed design eliminates the damage caused by such attacks. Copyright © 2014 John Wiley & Sons, Ltd.