MAC Flooding Attack Explained | AP Cybersecurity

Unit 3 • Topic 3.1 • Network Vulnerabilities and Attacks

MAC Flooding Attacks Explained (and How Switches Fail)

A MAC flooding attack overwhelms a network switch's address table so the switch starts broadcasting traffic to every port, letting an attacker capture data meant for others.

Target: the switch address table
Effect: switch broadcasts to all
Defense: port security
Flood fake MACs → Table overflows → Switch broadcasts → Attacker sniffs
A flooded switch fails open and broadcasts traffic to every port.

How MAC flooding works

A switch normally learns which device is on each port and sends traffic only where it belongs, using a table of MAC addresses. In a MAC flooding attack, the adversary sends a flood of fake MAC addresses until that table is full.

When the table overflows, many switches fail open and broadcast incoming traffic to all ports, behaving like a hub. The attacker, connected to the switch, can then sniff traffic intended for other devices.

Scenario

After an attacker floods a switch with thousands of fake MAC addresses, they begin seeing other users' traffic. Why?

Answer

The switch's address table overflowed and it started broadcasting to all ports. With normal switching defeated, the attacker can sniff traffic meant for others.

Exam tip

MAC flooding targets the switch, not a host. The effect is that the switch broadcasts traffic, enabling sniffing. The defense is port security.

Defending with port security

Port security on a switch limits how many MAC addresses a port will accept, so a flood of fake addresses is rejected instead of overflowing the table. This is a direct, configuration-level control.

Segmentation also limits the blast radius: even if one segment's switch is attacked, the rest of the network is unaffected.
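
To make the failure mode and the fix concrete, here is a small simulation added as an example (it is not code from the original page): a toy learning switch with a bounded address table and an optional per-port MAC limit. The class, its parameters, the table size of 8 and every MAC address are constructed for illustration and do not model any particular vendor's switch.

```python
from collections import Counter

class Switch:
    """Toy learning switch: bounded address table plus optional port security."""

    def __init__(self, ports, table_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.table_size = table_size        # capacity of the address table
        self.max_macs = max_macs_per_port   # None means port security is off
        self.table = {}                     # learned entries: MAC -> port
        self.violations = Counter()         # frames dropped by port security

    def receive(self, in_port, src, dst):
        """Process one frame and return the list of ports it is sent out of."""
        if src not in self.table:
            on_port = sum(1 for p in self.table.values() if p == in_port)
            if self.max_macs is not None and on_port >= self.max_macs:
                self.violations[in_port] += 1   # over the per-port limit: drop
                return []
            if len(self.table) < self.table_size:
                self.table[src] = in_port       # learn only while there is room
        if dst in self.table:
            return [self.table[dst]]            # known destination: one port only
        return [p for p in self.ports if p != in_port]  # unknown: fail open

def run(max_macs_per_port):
    """Return (ports that receive B's frame to A, table entries, violations on port 3)."""
    sw = Switch(ports=[1, 2, 3], table_size=8, max_macs_per_port=max_macs_per_port)
    # Constructed traffic: port 3 presents 20 different bogus source MACs
    # before the legitimate hosts have been learned.
    for i in range(20):
        sw.receive(3, f"02:00:00:00:00:{i:02x}", "ff:ff:ff:ff:ff:ff")
    # Host A on port 1 and host B on port 2 then exchange frames.
    sw.receive(1, "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02")
    out = sw.receive(2, "bb:bb:bb:bb:bb:02", "aa:aa:aa:aa:aa:01")
    return out, len(sw.table), sw.violations[3]

if __name__ == "__main__":
    print("no port security:", run(None))
    print("limit of 2 MACs per port:", run(2))
```

Without the limit, B's reply to A leaves on ports 1 and 3, so the device on port 3 sees it; with a limit of 2 MACs per port, the reply leaves on port 1 only and the excess frames on port 3 are counted as violations.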

Scenario

Which switch feature most directly stops a MAC flooding attack?

Answer

Port security, which restricts the number of MAC addresses allowed on a port, so the attacker cannot overflow the address table.

Real-world example

Flooding a switch's memory

MAC flooding tools rapidly fill a switch's address table with bogus entries. Once full, many switches default to broadcasting, turning a switched network into one an attacker can eavesdrop on.

Port security stops the table from overflowing.

Key Terms

MAC address: A device's hardware network address.
Address table: The switch's record of which device is on each port.
Fail open: When an overwhelmed switch broadcasts to all ports.
Port security: A switch feature limiting MAC addresses per port.

Common Mistakes

Thinking MAC flooding targets a single host

It targets the switch's address table, affecting many devices.

Confusing it with ARP spoofing

MAC flooding overflows the switch; ARP spoofing forges address mappings.

Missing the 'fail open' behavior

The danger is that the overwhelmed switch broadcasts traffic to all ports.

Forgetting port security

Port security is the direct configuration defense.

Check for Understanding

Question 1
A MAC flooding attack primarily targets:
B. MAC flooding overflows the switch's address table, not a single host.
Question 2
When a switch's address table overflows from MAC flooding, the switch often:
B. Many switches fail open and broadcast traffic to every port, enabling sniffing.
Question 3
Which feature most directly defends against MAC flooding?
D. Port security limits the number of MAC addresses per port, preventing table overflow.
Question 4
Which statements are true? I. MAC flooding lets an attacker sniff traffic. II. It targets the switch. III. It steals passwords by guessing.
A. I and II are true. III describes a password attack, not MAC flooding.
Question 5
After a successful MAC flood, an attacker can:
A. Because the switch broadcasts, the attacker can capture traffic intended for others.
Question 6
How does segmentation help limit a MAC flooding attack?
C. Segmentation contains the attack so other segments are unaffected.

Frequently Asked Questions

An attack that floods a switch's address table with fake MAC addresses until it overflows, causing the switch to broadcast traffic to all ports so the attacker can sniff it.
Enable port security on the switch to limit the number of MAC addresses allowed per port, and use segmentation to contain any impact.
MAC flooding overwhelms the switch's address table to force broadcasting; ARP spoofing forges address mappings to get on-path between two devices.
