MAC flooding/CAM table overflow

MAC address tables, or CAM (Content Addressable Memory) tables, are used by switches to track where to send the traffic they receive. When a switch receives a frame, it looks up the destination MAC address in its CAM table. If the MAC address is found, the frame is forwarded to the port (interface) recorded for that address. If the MAC address does not appear in the CAM table, the switch adds a new record for it and then floods the received frame out of all its ports. When the device that owns that MAC address receives the frame, it responds, and from that response the switch learns which port the address is connected to and updates the CAM table entry with that port number.


The vulnerability in this process is that every switch has limited space in its CAM table. An attacker exploits this by sending a large number of frames with fake source MAC addresses to the switch until its CAM table fills up. At that point the switch can no longer store the MAC addresses of legitimate devices, so it starts to act like a hub and broadcasts all the traffic it receives to the whole network. This allows the attacker to see every frame going out from the victim machine, and the network may slow down and become unstable.
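The learning process and the overflow failure mode described above, as an added example that is not part of the original article: a toy switch with a bounded CAM table shows frames being learned and unicast, then flooded hub-style to every port (including the flooding port) once the table is full, alongside a per-port distinct-MAC check of the kind port-security limits enforce. All MAC addresses, port numbers and the 8-entry table size are constructed for the illustration.

```python
# Added example (not the article's own code): a toy switch with a bounded CAM
# table showing learning, the flooding once the table is full, and a detector.
from typing import Dict, List, Set, Tuple

Frame = Tuple[str, str, int]  # (source MAC, destination MAC, ingress port)

class LearningSwitch:
    def __init__(self, ports: List[int], cam_capacity: int) -> None:
        self.ports = list(ports)
        self.cam_capacity = cam_capacity   # the limited table space the page refers to
        self.cam: Dict[str, int] = {}      # MAC address -> port

    def learn(self, src_mac: str, in_port: int) -> bool:
        """Record the frame's source MAC; returns False when the table is full."""
        if src_mac in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src_mac] = in_port
            return True
        return False

    def forward(self, frame: Frame) -> List[int]:
        """Egress ports: a single port for a known destination, all others otherwise."""
        src_mac, dst_mac, in_port = frame
        self.learn(src_mac, in_port)
        if dst_mac in self.cam:
            return [self.cam[dst_mac]]
        return [p for p in self.ports if p != in_port]  # hub-like flooding

def flag_noisy_ports(frames: List[Frame], max_macs: int) -> Dict[int, int]:
    """Detection: ports that sourced more than max_macs distinct MAC addresses,
    the same limit switch port-security features enforce in hardware."""
    seen: Dict[int, Set[str]] = {}
    for src, _dst, port in frames:
        seen.setdefault(port, set()).add(src)
    return {p: len(m) for p, m in seen.items() if len(m) > max_macs}

def simulate() -> Tuple[List[int], List[int], Dict[int, int]]:
    sw = LearningSwitch(ports=[1, 2, 3, 4], cam_capacity=8)
    # Constructed legitimate hosts: A on port 1, B on port 2, C on port 3.
    a, b, c = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
    sw.forward((a, b, 1))                  # B unknown yet: flooded, A is learned
    sw.forward((b, a, 2))                  # B is learned from the reply
    before = sw.forward((a, b, 1))         # now unicast to port 2 only
    # Constructed flood: 8 bogus source MACs on port 4 fill the 8-entry table.
    flood = [(f"de:ad:be:ef:00:{i:02x}", "ff:ff:ff:ff:ff:ff", 4) for i in range(8)]
    for frame in flood:
        sw.forward(frame)
    sw.forward((c, a, 3))                  # C can no longer be learned (table full)
    after = sw.forward((a, c, 1))          # reply to C is flooded, including to port 4
    return before, after, flag_noisy_ports(flood, max_macs=2)
```

Calling simulate() returns the unicast egress list before the flood, the flooded egress list afterwards, and the flagged ports with their distinct source-MAC counts.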