MAC Address Spoofing Impact: Network Collisions, Deauthentication Risks and Layer 2 Protocol Behavior Analysis on Duplicate MACs



Yes, MAC address spoofing is technically possible through various methods:

# Linux MAC spoofing example
sudo ifconfig eth0 down
sudo ifconfig eth0 hw ether 00:11:22:33:44:55
sudo ifconfig eth0 up

Windows PowerShell equivalent:

Set-NetAdapter -Name "Ethernet" -MacAddress "001122334455"

Modern switches handle duplicate MACs differently based on vendor implementation:

# Cisco switch log example
%MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 1 is flapping between port Gi1/0/1 and port Gi1/0/2
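
An added example, not part of the original page: a parser for flap notifications in the format shown above. It reports hosts that flap repeatedly, since a single move can be a legitimate roam or VM migration. The timestamps, the hostname `sw1`, the second host and the `threshold` parameter are assumptions.

```python
import re
from collections import defaultdict

# Matches the flap notification format shown above. Real syslog lines carry a
# timestamp and host prefix, so the pattern is searched rather than anchored.
FLAP_RE = re.compile(
    r"MACFLAP_NOTIF: Host (?P<mac>[0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<a>\S+) and port (?P<b>\S+)"
)

def normalize_mac(cisco_mac):
    """Convert Cisco dotted notation (0011.2233.4455) to 00:11:22:33:44:55."""
    digits = cisco_mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def summarize_flaps(lines, threshold=2):
    """Return {(mac, vlan): sorted ports} for hosts with >= threshold flap events."""
    counts = defaultdict(int)
    ports = defaultdict(set)
    for line in lines:
        m = FLAP_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        key = (normalize_mac(m["mac"]), int(m["vlan"]))
        counts[key] += 1
        ports[key].update((m["a"], m["b"]))
    return {k: sorted(ports[k]) for k, n in counts.items() if n >= threshold}

# Constructed sample log lines (timestamps, hostname and second host are invented).
SAMPLE_LOG = [
    "Mar  1 10:00:01 sw1 %MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 1 "
    "is flapping between port Gi1/0/1 and port Gi1/0/2",
    "Mar  1 10:00:03 sw1 %LINK-3-UPDOWN: Interface Gi1/0/7, changed state to up",
    "Mar  1 10:00:05 sw1 %MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 1 "
    "is flapping between port Gi1/0/2 and port Gi1/0/1",
    "Mar  1 10:00:09 sw1 %MACFLAP_NOTIF: Host aabb.ccdd.eeff in vlan 20 "
    "is flapping between port Gi1/0/5 and port Gi1/0/6",
]

if __name__ == "__main__":
    for (mac, vlan), seen in summarize_flaps(SAMPLE_LOG).items():
        print(f"{mac} vlan {vlan}: flapping across {', '.join(seen)}")
```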

When duplicates exist, you'll typically observe:

  • ARP cache poisoning
  • DHCP lease conflicts
  • Switch port flapping

Example Wireshark filter for detection:

eth.addr == 00:11:22:33:44:55 and frame.number > 1

Network admins can implement countermeasures:

# Python MAC validation snippet
import re

def validate_mac(mac):
    # Six hex octets separated by ':' or '-'; fullmatch also rejects a trailing newline
    return bool(re.fullmatch(r"([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}", mac))

Recommended network hardening techniques:

! Cisco port security configuration
interface GigabitEthernet1/0/1
 ! port security is rejected on dynamic ports, so set access mode first
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict

For Linux servers:

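# Tighten ARP behaviour: reply only for addresses configured on the receiving
# interface and announce the best local source address.
# These settings do not block MAC changes themselves.
sudo sysctl -w net.ipv4.conf.all.arp_ignore=1
sudo sysctl -w net.ipv4.conf.all.arp_announce=2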

In Ethernet networks, MAC addresses should theoretically be unique identifiers for network interface controllers (NICs). However, MAC spoofing allows intentional duplication, so two devices can end up sharing the same MAC on a LAN.

Modern managed switches typically handle this scenario in one of three ways:

  • Last-seen-wins policy (most common)
  • Port security violation (shutdown/alert)
  • Packet flooding (when unsure of destination)

When MAC duplication occurs, key symptoms include:

  • ARP cache thrashing
  • Random packet loss
  • TCP connection resets

To prevent MAC spoofing attacks:

! Cisco switch port security configuration
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict

Modern Linux kernels can detect MAC conflicts:

# Monitor kernel messages for MAC conflicts
dmesg | grep -i "mac conflict"
# Expected output when conflict detected:
# [ 1234.567890] igb 0000:01:00.0: detected MAC conflict on VLAN 1