This chapter covers network-based attacks, a critical topic for the SY0-701 exam under Objective 2.3 (Given a scenario, analyze potential indicators associated with network attacks). You will learn the mechanisms of common attacks like DDoS, ARP spoofing, DNS poisoning, and man-in-the-middle, along with their indicators and mitigation techniques. Understanding these attacks is essential for both the exam and real-world network defense, as they form the core of threat analysis and incident response.
Jump to a section
Imagine a bank with multiple layers of security: a guard at the door, a vault with a combination lock, and an alarm system. An attacker casing the joint (reconnaissance) might note which guard is distracted at shift change (vulnerability scanning). To break in, they could pick the lock (exploit a software bug), use a stolen keycard (credential theft), or tunnel in from the sewer (VPN/encrypted tunnel). Once inside, they might move laterally through the employee break room (pivoting), disable the alarm (privilege escalation), and stuff cash into bags (data exfiltration). The bank's defense-in-depth mirrors network security: firewalls, IDS/IPS, segmentation, and monitoring. Just as a bank uses multiple locks and cameras, a network uses layered controls. An attacker who bypasses one layer still faces others. The analogy is mechanistic: each step in a bank heist maps to a phase in a network attack (recon, weaponization, delivery, exploitation, installation, C2, actions on objectives). Understanding this kill chain helps defenders anticipate and block each step.
What Are Network-Based Attacks?
Network-based attacks exploit vulnerabilities in network protocols, services, or configurations to compromise confidentiality, integrity, or availability. They target the communication layer between systems, often without direct user interaction. The SY0-701 exam focuses on attack types, indicators, and mitigations.
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)
A DoS attack overwhelms a target with traffic, making it unavailable to legitimate users. DDoS uses multiple compromised systems (botnet) to amplify the attack. Common types: - Volumetric: Floods bandwidth (e.g., UDP floods, ICMP floods). Example: DNS amplification uses open resolvers to send large responses to a spoofed victim IP. - Protocol: Exploits protocol weaknesses (e.g., SYN flood, Ping of Death). SYN flood sends many TCP SYN packets without completing the handshake, exhausting server resources. - Application Layer: Targets web servers (e.g., HTTP flood, Slowloris). Slowloris sends partial HTTP requests, keeping connections open.
Indicators: Unusual traffic spikes, high CPU/memory usage, connection timeouts. Tools like tcpdump or Wireshark show many SYN packets with no ACK.
Mitigation: Rate limiting, firewalls, IDS/IPS, load balancers, and DDoS protection services (e.g., AWS Shield). SYN cookies mitigate SYN floods by encoding connection state in the SYN-ACK.
Man-in-the-Middle (MITM)
MITM attacks intercept and alter communication between two parties without their knowledge. Attackers position themselves in the data path. Common techniques:
- ARP Spoofing: Attacker sends forged ARP replies linking their MAC to the victim's IP, redirecting traffic. Example: arpspoof -i eth0 -t 192.168.1.10 192.168.1.1 intercepts traffic between host and gateway.
- DNS Spoofing/Poisoning: Attacker corrupts DNS cache to redirect users to malicious sites. Example: DNS cache poisoning inserts fake A records into a resolver's cache.
- SSL Stripping: Downgrades HTTPS to HTTP by modifying the initial request. Tools like sslstrip rewrite HTTPS links to HTTP.
- Session Hijacking: Steals session cookies to impersonate a user. Example: Firesheep captured unencrypted cookies on public Wi-Fi.
Indicators: ARP table mismatches (e.g., two IPs with same MAC), unexpected certificate warnings, HTTP instead of HTTPS. Use arp -a to check ARP cache.
Mitigation: Use encryption (HTTPS, SSH), enable DNSSEC, implement port security (DHCP snooping, dynamic ARP inspection), and use VPNs. For ARP spoofing, static ARP entries or xarp can detect anomalies.
DNS Attacks
DNS attacks target the Domain Name System to redirect traffic or disrupt services. - DNS Tunneling: Encodes data in DNS queries/responses to bypass firewalls. Tools like iodine create a tunnel over DNS. - DNS Amplification: DDoS variant using open resolvers to flood a victim. - DNS Cache Poisoning: Inserting false records into a resolver's cache. CVE-2008-1447 (Kaminsky bug) allowed poisoning by predicting transaction IDs.
Mitigation: Restrict recursive queries, use DNSSEC (validates responses with digital signatures), and implement response rate limiting (RRL).
Session Hijacking and Spoofing
Attackers steal or predict session tokens to impersonate a user. Methods: - Session Sidejacking: Sniffing unencrypted traffic to capture cookies (e.g., over HTTP). - Session Fixation: Forcing a known session ID on a user (e.g., via URL parameter). - XSS: Stealing cookies via JavaScript injected into a web page.
Indicators: Unusual session activity, multiple logins from different IPs, unexpected session timeouts.
Mitigation: Use HTTPS, set Secure and HttpOnly flags on cookies, regenerate session IDs after login, and implement session expiration.
Replay Attacks
Attackers capture valid data transmissions and retransmit them to impersonate the sender. Example: Capturing an authentication token and reusing it to gain access.
Mitigation: Use timestamps, nonces (number used once), and sequence numbers. Protocols like Kerberos include timestamps to prevent replay. IPsec uses anti-replay windows.
On-Path Attacks (Passive/Active)
Passive: Eavesdropping on network traffic (sniffing). Tools: Wireshark, tcpdump. Mitigation: Encryption (TLS, IPsec).
Active: Intercepting and modifying traffic (MITM). Mitigation: Strong authentication, integrity checks.
VLAN Hopping
Attackers gain access to traffic on other VLANs by exploiting switch configuration. - Switch Spoofing: Attacker pretends to be a switch using DTP (Dynamic Trunking Protocol). If the switch port is set to dynamic desirable/auto, the attacker negotiates a trunk link and accesses all VLANs. - Double Tagging: Attacker sends a frame with two 802.1Q tags. The first tag (native VLAN) is removed by the first switch, exposing the second tag, allowing the frame to reach a different VLAN.
Mitigation: Disable DTP (set ports to access mode), use dedicated trunk ports, and change native VLAN to an unused ID.
Command and Tool Examples
ARP spoofing: arpspoof -i eth0 -t 192.168.1.10 192.168.1.1
SYN flood: hping3 -S --flood -V -p 80 192.168.1.100
DNS amplification test: dig @8.8.8.8 ANY isc.org (large response)
Check ARP table: arp -a
Detect ARP spoofing: arpwatch monitors ARP changes
Summary of Indicators
Network baseline changes: Sudden increase in traffic.
Protocol anomalies: Excessive SYN packets, fragmented packets.
Authentication failures: Repeated login attempts.
Unexpected DNS responses: Mismatched IPs.
ARP cache inconsistencies: Multiple MACs for one IP.
For the exam, remember the attack mechanisms, tools, and mitigations. Focus on distinguishing between passive and active attacks, and know which protocols are vulnerable.
Reconnaissance and Target Selection
The attacker identifies a target network and gathers information. They may use passive methods like WHOIS lookups or active scanning with Nmap to discover live hosts and open ports. For an ARP spoofing attack, they first identify the gateway and victim IP addresses. Tools like `arp-scan` list local network devices. The attacker also determines if the network is switched or has port security. Logs at this stage may show unusual scan patterns (e.g., many ICMP requests). The goal is to find a vulnerable entry point.
Weaponization and Delivery
The attacker selects the attack tool and prepares it. For ARP spoofing, they use `arpspoof` or `ettercap`. For a SYN flood, they use `hping3` or `LOIC`. The tool is configured with target IPs and ports. The attacker may also craft malicious packets (e.g., spoofed source IP for amplification). At this stage, no malicious traffic has been sent yet, but the attacker has the capability ready. Defenders might see the attacker downloading or compiling tools.
Exploitation/Injection
The attacker launches the attack. For ARP spoofing, they send forged ARP replies to the victim and gateway, poisoning their ARP caches. The victim's traffic now flows through the attacker. For a SYN flood, the attacker sends a stream of SYN packets with spoofed source IPs. The target server allocates resources for each half-open connection. Indicators: ARP cache changes (use `arp -a` to see), high number of SYN packets without ACK (Wireshark filter: `tcp.flags.syn==1 and tcp.flags.ack==0`).
Establishment of Foothold
Once the attack is successful, the attacker gains control over traffic or resources. In MITM, they can now intercept, modify, or drop packets. For session hijacking, they capture session cookies and impersonate the victim. The attacker may set up a listener to capture credentials (e.g., `dsniff` or `ettercap` plugins). Logs may show unexpected TCP resets or retransmissions. The attacker might also install backdoors for persistent access.
Actions on Objectives
The attacker achieves their goal: data exfiltration, credential theft, or service disruption. For example, they steal login credentials from intercepted HTTP traffic. They may also launch a secondary attack (e.g., using stolen credentials to access a database). Indicators: unusual outbound traffic, large data transfers, or authentication logs showing logins from the attacker's IP. The defender must isolate the compromised host and reset credentials. Forensic analysis of pcap files reveals the attack sequence.
Scenario 1: ARP Spoofing in a Corporate Network
A SOC analyst notices multiple complaints about slow internet and intermittent connectivity. Using Wireshark, they see duplicate IP addresses in the ARP table. Running arp -a reveals that the gateway IP (192.168.1.1) has two MAC addresses. The analyst uses arpspoof -t 192.168.1.10 192.168.1.1 to test (in lab), confirming the attack. The correct response is to enable Dynamic ARP Inspection (DAI) on switches and configure port security. The mistake is to immediately block the attacker's MAC without identifying the true source, potentially blocking a legitimate user.
Scenario 2: DNS Amplification DDoS
A web server becomes unresponsive. Traffic analysis shows a massive number of DNS responses from many external IPs. The analyst checks the server's bandwidth usage and sees 10 Gbps of incoming traffic. Using tcpdump, they filter for UDP port 53 and see large DNS responses (e.g., > 4000 bytes) with source port 53. The source IPs are spoofed. The correct response is to contact the ISP for blackhole routing and implement rate limiting on DNS servers. A common mistake is to block all DNS traffic, which breaks legitimate resolution.
Scenario 3: Session Hijacking on Public Wi-Fi A user reports that their social media account was accessed from an unknown location. The incident response team finds that the user was on an unencrypted Wi-Fi network at a coffee shop. The attacker likely used a tool like Wireshark to capture the session cookie. The correct response is to force HTTPS on all sites and use VPNs. The mistake is to assume the user's password was guessed; the real issue is unencrypted session tokens.
What SY0-701 Tests Objective 2.3 requires you to analyze potential indicators of network attacks. The exam focuses on recognizing attack types from descriptions or logs. Key sub-objectives:
Identify DoS/DDoS indicators (traffic spikes, SYN floods, amplification).
Recognize MITM indicators (ARP table changes, certificate warnings).
Understand DNS attacks (poisoning, tunneling, amplification).
Know session hijacking and replay attacks.
Differentiate between passive and active on-path attacks.
Recall VLAN hopping techniques (switch spoofing, double tagging).
Common Wrong Answers 1. Choosing 'Smurf attack' instead of 'DNS amplification' – Both use spoofed IPs, but Smurf uses ICMP echo requests to broadcast addresses, while DNS amplification uses open resolvers. Candidates confuse them because both are amplification DDoS. Remember: Smurf = ICMP broadcast; DNS amp = DNS query to open resolver. 2. Selecting 'ARP poisoning' for a scenario describing slow internet – While ARP poisoning can cause slowness, the question might describe a DNS issue. Read carefully: if the scenario mentions 'wrong IP for a website', it's DNS poisoning. 3. Mixing up 'SYN flood' and 'Ping of Death' – SYN flood attacks TCP handshake; Ping of Death sends oversized ICMP packets. Both are DoS, but the mechanism differs. 4. Thinking 'SSL stripping' is a server-side vulnerability – It's a client-side MITM attack where the attacker downgrades HTTPS to HTTP between client and server.
Key Terms and Values
- Port numbers: DNS (53), HTTP (80), HTTPS (443), SNMP (161).
- Protocols: ARP, ICMP, TCP, UDP, DNS, DHCP.
- Tools: arpspoof, ettercap, hping3, nmap, wireshark, tcpdump.
- CVEs: CVE-2008-1447 (Kaminsky DNS poisoning).
- RFCs: RFC 1035 (DNS), RFC 792 (ICMP).
Trick Questions - 'Which attack uses a botnet to overwhelm a server?' – DDoS, not DoS. - 'Which attack requires physical access?' – Usually not; most network attacks are remote. Exception: Evil Twin (requires proximity). - 'Which attack is passive?' – Sniffing; active modifies traffic.
Decision Rule For scenario questions, identify the key indicator: if the symptom is 'slow network' and 'ARP table changes', it's ARP spoofing. If 'wrong website' and 'DNS', it's DNS poisoning. If 'high CPU' and 'many half-open connections', it's SYN flood. Eliminate answers that don't match the specific indicator.
DDoS attacks: volumetric (UDP floods), protocol (SYN flood), application (HTTP flood).
SYN flood uses spoofed IPs; mitigate with SYN cookies.
ARP spoofing poisons ARP cache; indicator: duplicate IP with different MAC.
DNS poisoning corrupts resolver cache; mitigate with DNSSEC.
Session hijacking steals cookies; use HTTPS and Secure/HttpOnly flags.
VLAN hopping: switch spoofing and double tagging; disable DTP and change native VLAN.
Replay attacks countered by timestamps and nonces.
On-path attacks: passive (sniffing) vs active (MITM).
These come up on the exam all the time. Here's how to tell them apart.
ARP Spoofing
Operates at Layer 2 (Data Link)
Targets ARP cache of hosts
Redirects traffic on local subnet
Mitigated by Dynamic ARP Inspection
Tool: arpspoof
DNS Spoofing
Operates at Layer 7 (Application)
Targets DNS resolver cache
Redirects traffic to malicious sites
Mitigated by DNSSEC
Tool: ettercap (DNS spoof plugin)
Mistake
ARP spoofing only works on wired networks.
Correct
ARP spoofing can also occur on wireless networks if the attacker is on the same subnet. The attacker sends forged ARP replies over Wi-Fi, just like Ethernet.
Mistake
A SYN flood can be mitigated by simply increasing the TCP backlog queue.
Correct
While increasing the backlog helps, it's not a complete solution. SYN cookies are more effective because they avoid allocating resources until the handshake completes.
Mistake
DNS cache poisoning is the same as DNS spoofing.
Correct
DNS cache poising corrupts the resolver's cache, affecting multiple users. DNS spoofing (or DNS forgery) is a targeted response to a single query. Both are MITM attacks but differ in scope.
Mistake
Session hijacking requires the attacker to be on the same network.
Correct
Not necessarily. Attackers can hijack sessions via XSS or malware that steals cookies, even from remote locations.
Mistake
VLAN hopping is prevented by using VLANs.
Correct
VLANs alone do not prevent hopping. Proper switch configuration (disable DTP, use dedicated trunk ports) is required. Attackers can still double-tag if the native VLAN is used.
A DoS (Denial-of-Service) attack originates from a single source, while a DDoS (Distributed Denial-of-Service) attack involves multiple compromised systems (botnet) to generate traffic. DDoS is harder to block because traffic comes from many IPs. For the exam, remember that DDoS uses a botnet and is more severe.
ARP spoofing sends forged ARP replies that associate the attacker's MAC address with the IP of a legitimate host (e.g., the gateway). Traffic intended for that IP is then sent to the attacker. Detection: use `arp -a` to check for duplicate IPs with different MACs, or use tools like `arpwatch` that log ARP changes.
DNS amplification is a DDoS attack that exploits open DNS resolvers. The attacker sends a small DNS query (e.g., ANY record) with a spoofed source IP (the victim). The resolver sends a large response (amplification factor up to 50x) to the victim. It's effective because the attacker's bandwidth is multiplied.
Switch spoofing: the attacker pretends to be a switch and negotiates a trunk link using DTP, gaining access to all VLANs. Double tagging: the attacker sends a frame with two 802.1Q tags; the first switch strips the outer tag (native VLAN), and the second tag routes the frame to a different VLAN. Switch spoofing requires DTP; double tagging exploits native VLAN.
A replay attack captures valid data (e.g., authentication token) and retransmits it to impersonate the sender. Prevention: include timestamps, nonces, or sequence numbers in the protocol. For example, Kerberos uses timestamps to detect replays. IPsec uses anti-replay windows.
SSL stripping is a MITM attack where the attacker intercepts the client's HTTPS request and downgrades it to HTTP. The attacker communicates with the client over HTTP and with the server over HTTPS, decrypting traffic in between. It works if the client initially requests HTTP and is redirected to HTTPS; the attacker intercepts the redirect. Mitigation: HSTS (HTTP Strict Transport Security) forces HTTPS.
Indicators include a high number of TCP SYN packets with no corresponding ACK (half-open connections), increased CPU/memory usage on the server, and connection timeouts. Tools like `netstat -s` show SYN_SENT/RECV states. Wireshark filter: `tcp.flags.syn==1 and tcp.flags.ack==0`.
You've just covered Network-Based Attacks — now see how well it sticks with free SY0-701 practice questions. Full explanations included, no account needed.
Done with this chapter?