MAC flooding

MAC flooding is a network attack where an adversary floods a switch with fake MAC addresses until its address table overflows, forcing the switch to broadcast incoming traffic to every port so the attacker can intercept it.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is MAC flooding?

A switch is supposed to be smart. It keeps a table (the MAC address table, also called the CAM table) that maps each MAC address to the physical port it's connected to, so it only sends frames to the right port instead of blasting them everywhere. MAC flooding breaks that.

In a MAC flooding attack, an adversary sends a huge wave of frames, each with a different fake source MAC address, until the switch's table runs out of room. When the table is full, many switches fail open and start acting like a dumb hub, broadcasting every incoming frame out of every port. Now the attacker's device sees traffic that was never meant for it. That makes MAC flooding a setup move for eavesdropping on a LAN, and it ties directly to the malicious-traffic flooding described in EK 3.1.B.1, where an adversary sends traffic into a network to flood it, map it, or spoof a device.

Why MAC flooding matters in AP Cybersecurity

MAC flooding lives in Unit 3: Securing Networks, under topic 3.1 Network Vulnerabilities and Attacks. It's an example you can use to answer AP Cybersecurity 3.1.A (identify common network attacks) and AP Cybersecurity 3.1.B (explain how adversaries exploit network vulnerabilities to steal, disrupt, or destroy communication). It also feeds 3.1.C, because forcing a switch to broadcast everything is a clean hit on confidentiality (anyone can read traffic) and availability (the switch is degraded). The bigger theme: physical and link-layer access matters. EK 3.1.B.3 points out that plugging into a data port can give LAN access unless port security is on, and port security is exactly what stops MAC flooding.

How MAC flooding connects across the course

DoS attack (Unit 3)

MAC flooding is flooding, just aimed at a switch's memory instead of a server's bandwidth. EK 3.1.B.1 lists flooding as a way to create a DoS, so think of MAC flooding as the link-layer cousin of a classic denial-of-service attack.

MAC spoofing and ARP poisoning (Unit 3)

All three abuse the trust the network puts in MAC addresses. ARP poisoning fakes the IP-to-MAC mapping at the gateway, MAC spoofing copies one legit MAC, and MAC flooding throws thousands of fake MACs at the switch. Different tactics, same weak spot.

Port security and MAC filtering (Unit 3)

These are the defenses. Port security limits how many MAC addresses a single switch port will accept, which kills the flood (EK 3.1.B.3). MAC filtering controls which MACs are even allowed on the network.
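
The table overflow and the port security cap described above can be watched in a small model. This is an added example, not part of the original study guide: the LearningSwitch class, the 64-entry table size, the MAC addresses, and the "refuse the frame" violation behavior are all constructed assumptions, and real switches offer several violation actions.

```python
from collections import Counter

class LearningSwitch:
    """Toy model of a learning switch: bounded MAC table, optional per-port cap."""

    def __init__(self, ports, table_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.table_size = table_size                # MAC table capacity (constructed value)
        self.max_macs_per_port = max_macs_per_port  # None = port security off
        self.table = {}                             # source MAC -> port
        self.dropped = Counter()                    # port -> frames refused by port security

    def receive(self, in_port, src, dst):
        """Process one frame; return the list of ports it is sent out of."""
        if src not in self.table:
            on_port = sum(1 for p in self.table.values() if p == in_port)
            if self.max_macs_per_port is not None and on_port >= self.max_macs_per_port:
                self.dropped[in_port] += 1          # violation: refuse the frame
                return []
            if len(self.table) < self.table_size:
                self.table[src] = in_port           # learn only while there is room
        if dst in self.table:
            return [self.table[dst]]                # known destination: one port
        return [p for p in self.ports if p != in_port]  # unknown: flood (fail open)


def run(max_macs_per_port):
    """Port 3 presents 200 distinct source MACs, then host A (port 1) sends to host B (port 2)."""
    sw = LearningSwitch(ports=[1, 2, 3, 4], table_size=64,
                        max_macs_per_port=max_macs_per_port)
    for i in range(200):                            # constructed sample traffic
        sw.receive(3, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", "ff:ff:ff:ff:ff:ff")
    sw.receive(2, "aa:aa:aa:aa:aa:02", "ff:ff:ff:ff:ff:ff")   # host B announces itself
    out = sw.receive(1, "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02")
    return out, len(sw.table), sw.dropped[3]


if __name__ == "__main__":
    # Each result is (ports the A-to-B frame left on, table entries, frames refused on port 3)
    print("port security off:", run(None))
    print("port security on :", run(2))
```

With port security off, the frame from host A to host B leaves on ports 2, 3, and 4, including the port that filled the table. With a cap of two addresses per port, it leaves only on port 2.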

VLAN and network segmentation (Unit 3)

Even if a flood succeeds on one switch, segmentation contains the damage. A VLAN splits one physical switch into separate logical networks, so traffic flooded on one segment stays there and doesn't expose traffic on another.

Is MAC flooding on the AP Cybersecurity exam?

Expect MAC flooding to show up in multiple-choice questions that describe an attack and ask you to name it, the same format as the released-style questions on ARP poisoning, MAC spoofing, and on-path attacks. The classic stem describes an adversary overwhelming a switch's address table to force broadcasting, and you pick "MAC flooding" over close decoys like MAC spoofing or DoS. Be ready to do two things: identify it from a scenario, and explain the consequence in CIA terms (it breaks confidentiality by exposing traffic and availability by degrading the switch). If asked for a fix, name port security.

MAC flooding vs MAC spoofing

MAC spoofing changes one device's MAC address to impersonate a legitimate device, so it's about identity. MAC flooding sends thousands of fake MAC addresses to overflow the switch's table and force broadcasting, so it's about overload. One pretends to be someone; the other crashes the guest list.

Key things to remember about MAC flooding

  • MAC flooding overflows a switch's MAC address table with fake addresses until the switch fails open and broadcasts traffic to every port.

  • Once the switch broadcasts everything, the attacker can intercept traffic that was never meant for them, so it sets up eavesdropping on a LAN.

  • It's a form of flooding under EK 3.1.B.1 and hits both confidentiality and availability from the CIA triad.

  • Port security is the main defense because it caps how many MAC addresses a switch port will accept (EK 3.1.B.3).

  • Don't confuse it with MAC spoofing: flooding overwhelms the switch, spoofing impersonates one device.

Frequently asked questions about MAC flooding

What is MAC flooding in AP Cybersecurity?

MAC flooding is an attack where an adversary floods a switch with many fake MAC addresses until its address table overflows, forcing the switch to broadcast incoming traffic to all ports. It falls under topic 3.1 and the flooding attacks described in EK 3.1.B.1.

Is MAC flooding the same as MAC spoofing?

No. MAC spoofing changes a device's MAC address to impersonate a legitimate device, while MAC flooding overloads the switch with thousands of fake MACs to force it to broadcast traffic. Spoofing is about identity; flooding is about overload.

How do you stop a MAC flooding attack?

Enable port security on the switch, which limits how many MAC addresses each physical port will accept. EK 3.1.B.3 specifically ties unprotected switch ports to LAN access, and port security shuts that door.

Is MAC flooding a denial-of-service attack?

Partly, yes. It floods the switch and can degrade or disable normal switching, which is a DoS effect, but its bigger purpose is forcing the switch to broadcast so the attacker can intercept traffic and break confidentiality.

Why does a switch broadcast everything after a MAC flood?

A switch only knows where to send frames if the destination MAC is in its address table. When the table is full of fake entries, the switch can't look up the real destination, so many switches fail open and flood the frame out of every port.
