Ethernet Spoofing – Spoofing Ethernet with Source as Broadcast

Tags: broadcast, ethernet, router, switch

I was wondering the following:
Assume I am attached to a switch with an Ethernet Cable and I try to spoof the source/origin MAC address of an Ethernet frame with FF:FF:FF:FF:FF:FF. How would it behave?

Q1: Would the switch drop this packet? Or do switches in general only look at the destination address?

Q2: Would routers drop this packet? Or do they only look at the destination and IP addresses involved?

Q3: Could this effectively result in all replies on link layer level (like ARP for example) being broadcast over the network?

Hope you can help!

Best Answer

Q1: Would the switch drop this packet? Or do switches in general only look at the destination address?

This would depend on the particular switch's behavior. Different switches will behave differently (based on vendor/model and configuration). However, you should expect these to be dropped because broadcast is not a valid source.

Switches look at both the source and destination addresses. Destination for delivery and source for learning. They will also look at both for other features as well.

Q2: Would routers drop this packet? Or do they only look at the destination and IP addresses involved?

This would depend on the particular router's behavior. Different routers will behave differently (based on vendor/model and configuration). However, in general the router will be stripping off the L2 header and replacing it anyhow, so I would expect the router to be a bit more "lenient" when it comes to what is/isn't a valid frame. I wouldn't count on it working.

A router (like just about any network device) will also look at the source/destination MAC. The destination to ensure it is for delivery on that particular interface and the source to potentially update the ARP table. No device should insert a broadcast MAC into their ARP table for a unicast address, although we all know software is programmed by humans and anything is possible with bugs.

Q3: Could this effectively result in all replies on link layer level (like ARP for example) being broadcast over the network?

Want to take a guess at my answer here? This would depend on the particular network's behavior as a whole. Different networks will behave differently (based on vendors/models and configurations). My guess is that on the majority of networks, this would not result in the scenario you describe.
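
Added example, not part of the original answer and not any vendor's code: a toy learning switch in Python that uses the destination for delivery and the source for learning, and drops frames whose source has the group (I/G) bit set. It goes slightly beyond the question by treating any multicast source, not only FF:FF:FF:FF:FF:FF, as invalid; the class, the helper names and the sample frames are constructed for illustration, and the drop policy is an assumption about one possible switch.

```python
import struct

def parse_ethernet(frame: bytes):
    """Return (dst, src, ethertype) from a raw Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return struct.unpack("!6s6sH", frame[:14])

def is_group_address(mac: bytes) -> bool:
    # I/G bit = least significant bit of the first octet.
    # It is set for multicast and for broadcast (ff:ff:ff:ff:ff:ff).
    return bool(mac[0] & 0x01)

class LearningSwitch:
    """Hypothetical model: learns on source, forwards on destination."""
    def __init__(self, ports):
        self.ports = set(ports)
        self.mac_table = {}   # source MAC -> port it was last seen on
        self.dropped = []     # (ingress port, offending source) for alerting

    def receive(self, in_port, frame):
        """Return the egress ports for this frame ([] when dropped)."""
        dst, src, _ = parse_ethernet(frame)
        if is_group_address(src):
            # A group address is never a valid source: do not learn it,
            # do not forward the frame, and record it for the operator.
            self.dropped.append((in_port, src.hex(":")))
            return []
        self.mac_table[src] = in_port
        out = self.mac_table.get(dst)
        if is_group_address(dst) or out is None:
            return sorted(self.ports - {in_port})  # flood
        return [] if out == in_port else [out]

def make_frame(dst, src, ethertype=0x0806, payload=b"\x00" * 46):
    """Build a constructed sample frame from colon-separated MAC strings."""
    raw = bytes.fromhex(dst.replace(":", "") + src.replace(":", ""))
    return raw + struct.pack("!H", ethertype) + payload

def demo():
    sw = LearningSwitch(ports=[1, 2, 3])
    a, b, bcast = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "ff:ff:ff:ff:ff:ff"
    results = [
        sw.receive(1, make_frame(bcast, a)),  # flooded, A learned on port 1
        sw.receive(2, make_frame(a, b)),      # unicast to port 1, B learned
        sw.receive(3, make_frame(a, bcast)),  # broadcast source: dropped
        sw.receive(1, make_frame(b, a)),      # unicast to port 2
    ]
    return results, sw
```

In this model the broadcast address never enters the MAC table, so later unicast replies between the two hosts are still delivered to a single port.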