Common Network Attacks

Network attacks are deliberate attempts to compromise the confidentiality, integrity, or availability of network resources. The CompTIA Network+ N10-009 exam expects you to identify common attack types by their characteristics, understand how they work at the protocol level, and know basic mitigation techniques. Attacks are often categorized by the OSI layer they target, the protocol they abuse, or the attacker's goal (e.g., denial of service, data theft, or credential harvesting).

A Denial of Service (DoS) attack aims to make a service unavailable by overwhelming it with traffic or exploiting a vulnerability that crashes the target. A Distributed Denial of Service (DDoS) attack uses multiple compromised systems (botnet) to launch the attack, making it harder to block. The exam focuses on common DDoS types: volume-based (e.g., UDP floods), protocol-based (e.g., SYN floods), and application-layer (e.g., HTTP floods).

A SYN flood exploits the TCP three-way handshake. The attacker sends a flood of TCP SYN packets with spoofed source IP addresses to the target. The target responds with SYN-ACK to each and enters a half-open connection state, waiting for the final ACK. It allocates memory for each half-open connection. The attacker never sends the ACK, so the connections time out after a configurable period (default 60-120 seconds on most systems). The target's connection table fills up, preventing legitimate connections. Mitigation includes SYN cookies, reducing the SYN-RECEIVED timeout, and rate-limiting incoming SYN packets.

A UDP flood sends a large number of UDP packets to random ports on the target. The target checks for an application listening on each port. If no application is found, it responds with an ICMP Destination Unreachable packet. This consumes bandwidth and processing resources. Attackers often spoof the source IP to hide their location. Mitigation includes rate-limiting ICMP responses and using firewalls to drop malformed UDP packets.

An ICMP flood sends a high volume of ICMP Echo Request (ping) packets to the target. The target must respond with ICMP Echo Reply, consuming CPU and bandwidth. Mitigation includes rate-limiting ICMP traffic and disabling ICMP responses on critical systems.

An HTTP flood sends seemingly legitimate HTTP GET or POST requests to a web server, overwhelming its application layer. These attacks are harder to detect because they mimic normal traffic. Mitigation includes web application firewalls (WAFs), rate limiting per IP, and CAPTCHAs.

Amplification attacks exploit services that respond with large replies to small queries. The attacker sends a small request with a spoofed source IP (the victim's IP) to an open resolver. The resolver sends a large response to the victim, amplifying the traffic. For example, a DNS query of 60 bytes can generate a response of up to 4000 bytes (amplification factor ~70). NTP monlist requests can amplify by a factor of 556. Mitigation includes disabling open recursion on DNS servers, filtering spoofed traffic (BCP 38), and using rate limiting.

A man-in-the-middle attack occurs when an attacker intercepts communications between two parties without their knowledge. The attacker can eavesdrop, modify, or inject data. Common MITM techniques include ARP spoofing, DNS spoofing, and session hijacking.

ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on a local network. In ARP spoofing, the attacker sends forged ARP replies to associate their MAC address with the IP address of a legitimate host (e.g., the default gateway). All traffic destined for that IP is then sent to the attacker's machine. The attacker can then forward the traffic to the real gateway (passive sniffing) or modify it before forwarding (active MITM). On a switch, this bypasses the normal MAC learning. Mitigation includes dynamic ARP inspection (DAI) on switches, ARP spoofing detection tools, and using static ARP entries for critical hosts.

DNS spoofing involves corrupting the DNS cache of a resolver so that it returns an incorrect IP address for a domain name. The attacker can redirect users to malicious websites. This can be done by intercepting DNS queries (MITM) or by exploiting vulnerabilities in DNS software. Mitigation includes DNSSEC (DNS Security Extensions) which digitally signs DNS records, and using trusted recursive resolvers.

As mentioned earlier, DNS amplification is a type of DDoS attack. The attacker sends a small DNS query with a spoofed source IP (the victim) to an open resolver. The resolver sends a large response to the victim. The exam may ask you to differentiate DNS spoofing (data corruption) from DNS amplification (traffic flooding).

A rogue DHCP server is an unauthorized DHCP server on a network that hands out incorrect IP configurations. It can assign a different default gateway or DNS server, leading to MITM attacks. For example, the rogue server might give out 192.168.1.100 as the gateway, which is actually the attacker's machine. The attacker can then intercept all traffic. Mitigation includes DHCP snooping on switches, which validates DHCP server messages and blocks unauthorized servers.

An evil twin is a rogue wireless access point that impersonates a legitimate one. It broadcasts the same SSID as a trusted network. When users connect, the attacker can capture credentials or perform MITM attacks. The evil twin often has a stronger signal to lure clients. Mitigation includes using WPA2-Enterprise with 802.1X (which authenticates the access point as well), verifying certificates, and using wireless intrusion prevention systems (WIPS).

Social engineering exploits human psychology rather than technical vulnerabilities. Common techniques include phishing (email), vishing (voice), smishing (SMS), tailgating (following someone into a secure area), and pretexting (creating a false scenario). The exam expects you to recognize these as attack vectors and know that security awareness training is the primary defense.

VLAN hopping is an attack where a host on one VLAN gains access to traffic on another VLAN. Two methods exist: switch spoofing (the attacker pretends to be a switch and negotiates a trunk link) and double tagging (the attacker adds two VLAN tags; the first is stripped by the first switch, and the second remains). Mitigation includes disabling Dynamic Trunking Protocol (DTP) on access ports, setting access ports to non-trunking, and using dedicated VLAN IDs for trunk links.

MAC flooding involves sending a large number of Ethernet frames with random source MAC addresses to a switch. This fills the switch's MAC address table, causing it to fail open (flood all traffic to all ports). The attacker can then sniff traffic. Mitigation includes port security (limiting the number of MAC addresses per port) and MAC address table size limits.

Ransomware is malware that encrypts files and demands payment for decryption. It often spreads via phishing emails or exploit kits. The exam focuses on prevention: backups, user education, and endpoint protection.

Common mitigation strategies include:

The exam may ask you to select the best mitigation for a given attack scenario.

Understanding these protocols helps in identifying attack vectors.

The N10-009 exam objectives for 4.1 include:

Questions often present a scenario and ask you to identify the attack or the best response. Be prepared to distinguish between similar attacks, e.g., ARP poisoning vs. DNS poisoning, or DoS vs. DDoS.

A large bank experiences a SYN flood attack targeting its customer-facing web portal. The attack originates from a botnet of thousands of compromised IoT devices. The bank's perimeter firewall begins to drop packets due to high connection table utilization, but legitimate customers also experience timeouts. The network team deploys a dedicated DDoS mitigation appliance that uses SYN cookies and rate limiting. They also work with their ISP to implement BGP Flowspec to drop traffic at the provider edge. After the attack, they implement a cloud-based DDoS protection service (e.g., Cloudflare, Akamai) that scrubs traffic before it reaches the bank's network. The key lesson: on-premises mitigation alone may be insufficient for volumetric attacks; a layered approach is essential.

A hospital's internal network is segmented into VLANs for medical devices, administrative systems, and guest Wi-Fi. An attacker gains physical access to a guest Wi-Fi access point and plugs in a laptop, launching an ARP spoofing attack against the medical devices VLAN. The attacker intercepts patient monitoring data, violating HIPAA. The hospital later implements Dynamic ARP Inspection (DAI) on all switches, combined with DHCP snooping to build a trusted database of IP-to-MAC bindings. They also enable port security to limit the number of MAC addresses per port. The incident highlights the need for layer 2 security controls even in segmented networks.

A university's residential network uses DHCP to assign IP addresses to student devices. A student sets up a rogue DHCP server in their dorm room, offering IP addresses with a malicious DNS server that redirects students to phishing sites. The university's network team detects the attack using DHCP snooping logs that show unauthorized DHCP offers. They configure DHCP snooping on all access switches, designating only the uplink ports to the DHCP server as trusted. They also deploy 802.1X authentication for wired ports to prevent unauthorized devices from connecting. The attack could have been prevented by enabling DHCP snooping from the start.