Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term MAC Flooding

Training Camp • Cybersecurity Glossary

What is MAC Flooding?

A switch attack that overflows the CAM table with bogus MAC addresses, forcing fail-open flooding so the attacker can sniff traffic on a switched LAN.

Glossary > Network Security > MAC Flooding

Understanding MAC Flooding

MAC flooding is a Layer 2 attack in which an attacker rapidly sends frames with many spoofed source MAC addresses to overflow a switch's CAM (Content Addressable Memory) table, the table that maps MAC addresses to ports. Once the table is full, the switch can no longer learn legitimate mappings and enters fail-open mode, broadcasting unknown-destination traffic out all ports, which lets the attacker capture traffic meant for other hosts.

The attack exploits the finite size of the CAM table and the way switches handle unknown unicast frames. Tools such as macof can generate hundreds of thousands of fake MAC addresses per minute. As genuine entries age out or are pushed out, frames destined for those hosts have no known port, so the switch floods them like a hub would. The attacker, connected to any port, then sniffs traffic, including credentials and session data, that they would normally never see on a switched network.

This matters because it defeats the privacy assumption of switched Ethernet and enables eavesdropping, man-in-the-middle staging, and credential theft on a local segment. It can also degrade performance and act as a precursor to ARP spoofing. The primary defense is port security, which limits the number of MAC addresses learned per port and can shut down or restrict a port that exceeds the limit. Dynamic ARP Inspection, DHCP snooping, and 802.1X port authentication add further protection.

For example, an attacker plugs a laptop into an unsecured conference-room wall jack and runs macof, flooding the access switch with random MAC addresses. The CAM table saturates, and the switch begins flooding unknown unicast frames everywhere, including the attacker's port. They capture cleartext traffic from nearby hosts. Had the network admin enabled port security limiting the jack to one or two MAC addresses with violation shutdown, the flood would have tripped the limit and disabled the port immediately, stopping the attack.

Learn More About MAC Flooding:

Ready to Get Certified?

Turn knowledge into credentials with our instructor-led cybersecurity boot camps.

View All Courses →