CAM Table Overflow – How to Run a CAM Table Overflow Attack in GNS3 Using Cisco 3725 Routers

cisco-iosgns3mitm

I am currently working on MiTM attacks and defenses in a virtual environment using GNS3 and an IOS c3725 (c3725-adventerprisek9-mz.124-15.T14) image to emulate some topology.

The current experiment regards CAM table overflow, and works great with a standard GNS3 switch, but when I use the c3725, the result is quite unexpected. I should be able to completely fill the CAM table on the device. However, as you can see from the following figure, it is not the case:

There is always room "reserved", that I cannot fill. As I need STP and some other protocols, I cannot use the regular GNS3 switch. There is no security enabled on the device. Is there a native security feature, setting, or anything I am no aware of?

Thanks for your help!

Best Answer

Well, you're hitting that space where emulation and physical world interconnect.

First, let us cover the basics: 3725 is a router, and it has some limited switching capabilities, because it could (in real world) use switching modules, and the switching code was needed in IOS.

When you write 'standard GNS3 switch' I assume you mean NM-16ESW module emulated by the dynamips? If so, that's exactly the module and code you're using anyway with 3725.

For any security type of testing, including CAM exhaust attacks and even port security, I'd do testing only in real environment. Emulated/interpreted in run time setup doesn't always provide the same (or repetable) results for multiple of reasons, and it's plainly visible in any time-bound features, like QoS and some parts of security mechanisms (that count on proper timing and order of events triggering in IOS).

Now, going back to your question: there are two parts of answer:

First, the code that manages the CLI output for "software switching" IOS code that was added back when the NM-16ESW was introduced, underwent a lot of changes during the product lifetime. One of the extensions was to add 'backpressure' to allow faster MAC aging when there's flood of new addresses, the same code was also present in the standalone switches of that time (Catalyst 2950 and later models - 2960, 3560 and 3750). You may be hitting this exact feature, as you're using pretty new IOS (12.4(15)T). So, the switch may simply fast-age old MACs that it didn't saw any traffic to/from, and install new entries you're flooding - how fast BTW is your flood?
The other part of the answer is that this command was fixed multiple times as it wasn't always giving current situation, but some older, cached one gathered from the ASICs.

Again, doing that kind of testing with simulated environment just pushes it too far, I'd go back to some hardware setup and test/lab it to reflect real scenario. Even if you hit success, you may not be able to repeat it in predictable manner later on.

Related Solutions

Cisco – How to speed up CLI typing in Cisco IOS using shortcuts

We can use the alias command in global conf mode:

alias <mode> <command-alias> <original-command>

<mode> is one of the many IOS command modes. If you need it in different modes, you have to call it for each one - type alias ? to get a long list of modes.

An example for checking for a dhcp snooped IP, type in global conf mode

alias exec snoop show ip dhcp snooping binding | include

Now you can simply type snoop 172.16.20.12 to check for this IP or snoop 801 for checking all IPs in VLAN 801, for example. Do similarly for show mac-address-table | include and you're faster in searching and troubleshooting.

Further tipps:

document your aliases for you and for your collegues
sh aliases shows your aliases plus the predefined ones
while no alias <mode> <command> can be guessed for removing an alias, no alias <mode> deletes the aliases for a complete mode - so you can clear several at once, default alias <mode> works similarly, as expected
if you decide to use aliases, deploy them once everywhere you may need them
tools like Cisco Prime can help in deploying
don't forget the original commands ;-)

Cisco QoS – Troubleshooting Bandwidth Limiting with Policy-Map

I solve the problem with dscp packet marking.here is the configuration for Downloading stream.

the class map as before:

class-map match-all UBUNTU_DW  match access-group name UBUNTU_DW

and the new policy with the help of dscp is:

  Policy-Map DW
    Class UBUNTU_DW
     police cir 32000 bc 1500 pir 64000 be 2000
       conform-action set-dscp-transmit af21
       exceed-action set-dscp-transmit default
       violate-action drop

then I apply the policy to int fa 0/0

service-policy output DW

and it works :)

R1#sh policy-map interface fa 0/0 output
 FastEthernet0/0

  Service-policy output: DW

    Class-map: UBUNTU_DW (match-all)
      1699 packets, 2075517 bytes
      5 minute offered rate 20000 bps, drop rate 8000 bps
      Match: access-group name UBUNTU_DW
      police:
          cir 32000 bps, bc 1500 bytes
          pir 64000 bps, be 2000 bytes
        conformed 964 packets, 1063157 bytes; actions:
          set-dscp-transmit af21
        exceeded 336 packets, 440593 bytes; actions:
          set-dscp-transmit default
        violated 399 packets, 571767 bytes; actions:
          drop
        conformed 10000 bps, exceed 3000 bps, violate 8000 bps

    Class-map: class-default (match-any)
      77 packets, 7490 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any