Identifying common network attacks is a major component of the Network+ N10-009 Security domain. You must recognize attack names, their methods, which layer they target, and their prevention. Exam questions present attack scenarios and ask you to identify the attack type or select the appropriate mitigation. Mastering attack recognition helps with both the Security domain questions and many troubleshooting scenarios.
Reconnaissance: gathering information about a target before launching an attack. Passive reconnaissance uses publicly available information (OSINT — Open Source Intelligence): WHOIS, DNS records, LinkedIn, social media, Shodan. Active reconnaissance directly probes the target: port scanning (nmap), ping sweeps, OS fingerprinting — these generate traffic and can be detected.
Port scanning: tools like nmap identify which ports are open on a target system. An open port indicates a running service — a potential attack entry point. Mitigation: firewall rules, IDS signatures for port scan patterns.
DoS (Denial of Service): overwhelming a target with traffic or requests to make it unavailable. DDoS (Distributed DoS): coordinated attack from thousands of compromised systems (botnet). Flood attacks: SYN flood (half-open TCP connections exhaust server resources), ICMP flood (ping flood), UDP flood. Mitigation: rate limiting, upstream filtering, DDoS scrubbing services.
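The two detections described above (port scan patterns for an IDS, and the half-open connections that characterize a SYN flood) both reduce to counting per-source or per-target activity inside a sliding time window. The example below is added here and is not code from the page; it runs over a constructed, clearly labelled connection log whose line format (timestamp, source, destination, destination port, client-side TCP flags) and thresholds are assumptions for the demonstration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Detection thresholds (assumed values for this example; tune to the environment).
WINDOW_SECONDS = 10
SCAN_PORT_THRESHOLD = 5    # distinct destination ports from one source inside the window
SYN_FLOOD_THRESHOLD = 6    # half-open connections to one target inside the window


def build_sample_log():
    """Constructed sample log (not real traffic). Line format, assumed here:
    <ISO timestamp> <src_ip> <dst_ip> <dst_port> <client-side TCP flags>
    Contains one scanner walking ports on 192.0.2.10, eight spoofed-looking sources
    sending lone SYNs to 192.0.2.20:443, and one normal handshake that completes."""
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 80, 443, 3389]):
        lines.append(f"2024-05-01T10:00:0{i} 203.0.113.7 192.0.2.10 {port} S")
    for i in range(8):
        lines.append(f"2024-05-01T10:01:00 198.51.100.{i + 1} 192.0.2.20 443 S")
    lines.append("2024-05-01T10:02:00 192.0.2.55 192.0.2.20 443 S")
    lines.append("2024-05-01T10:02:00 192.0.2.55 192.0.2.20 443 A")
    return "\n".join(lines)


def parse_log(text):
    """Turn log lines into event dicts; malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, flags = parts
        try:
            events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                           "dport": int(dport), "flags": flags})
        except ValueError:
            continue
    return events


def _sliding_window(items, key):
    """Yield (item, live_counter): live_counter holds key(x) for every x within
    WINDOW_SECONDS before the current item. items must be sorted by timestamp."""
    live = Counter()
    left = 0
    for item in items:
        live[key(item)] += 1
        while (item["ts"] - items[left]["ts"]).total_seconds() > WINDOW_SECONDS:
            old_key = key(items[left])
            live[old_key] -= 1
            if live[old_key] == 0:
                del live[old_key]
            left += 1
        yield item, live


def detect_port_scans(events):
    """Port scan: one source sends SYNs to many distinct destination ports in a short window.
    Returns {src_ip: sorted list of ports touched in the offending window}."""
    by_src = defaultdict(list)
    for e in events:
        if e["flags"] == "S":
            by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for _, live in _sliding_window(evs, key=lambda e: (e["dst"], e["dport"])):
            if len(live) >= SCAN_PORT_THRESHOLD:
                findings[src] = sorted(port for _, port in live)
    return findings


def detect_syn_floods(events):
    """SYN flood: many half-open connections (SYN never followed by the client's ACK)
    to one target in a short window. Returns {(dst_ip, dst_port): half-open count}."""
    completed = {(e["src"], e["dst"], e["dport"]) for e in events if e["flags"] == "A"}
    half_open = [e for e in events
                 if e["flags"] == "S" and (e["src"], e["dst"], e["dport"]) not in completed]
    by_target = defaultdict(list)
    for e in half_open:
        by_target[(e["dst"], e["dport"])].append(e)
    findings = {}
    for target, evs in by_target.items():
        evs.sort(key=lambda e: e["ts"])
        for _, live in _sliding_window(evs, key=lambda e: e["src"]):
            count = sum(live.values())
            if count >= SYN_FLOOD_THRESHOLD:
                findings[target] = max(count, findings.get(target, 0))
    return findings


if __name__ == "__main__":
    evts = parse_log(build_sample_log())
    print("port scans:", detect_port_scans(evts))
    print("SYN floods:", detect_syn_floods(evts))
```

The scanner is flagged because one source touches seven ports in six seconds; the flood is flagged because eight SYNs to one service never complete a handshake, while the genuine client that finishes its handshake is not counted. Real sensors see the server's SYN-ACK and retransmissions as well, which lets them separate a slow network from a half-open attack; the thresholds here are only illustrative.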
Man-in-the-Middle (MitM): attacker positions themselves between two communicating parties, intercepting and potentially modifying traffic. Methods: ARP poisoning (fake ARP replies redirect traffic), DNS poisoning (fake DNS responses), rogue APs (Evil Twin attack). Mitigation: encryption (TLS/HTTPS makes a MitM detectable, since the attacker cannot present a valid certificate for the site), HTTP Strict Transport Security (HSTS), certificate pinning, Dynamic ARP Inspection (DAI).
IP spoofing: forging the source IP address of packets. Used in DoS amplification attacks (reflecting responses to the victim's spoofed IP). Mitigation: ingress filtering (ISPs block traffic from their customers with spoofed source IPs — BCP38), uRPF (Unicast Reverse Path Forwarding).
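Ingress filtering and uRPF come down to one question per packet: does the router's own route back to the packet's source leave through the interface the packet arrived on? The following is an added example, not code from the page, showing strict uRPF plus a short bogon check over a constructed edge-router routing table; the interface names, prefixes and sample packets are all assumptions for the demonstration.

```python
import ipaddress

# Constructed edge-router view (assumption, not from the page): which prefixes the router
# reaches through each interface. The upstream carries the default route.
ROUTING_TABLE = {
    "cust-a": ["203.0.113.0/24"],
    "cust-b": ["198.51.100.0/25", "198.51.100.128/25"],
    "upstream": ["0.0.0.0/0"],
}

# Short, constructed bogon list: sources that must never appear on an Internet-facing link.
BOGON_PREFIXES = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                  "172.16.0.0/12", "192.168.0.0/16"]


def route_lookup(ip):
    """Longest-prefix match: the interface the router would use to send TO this address."""
    best_iface, best_len = None, -1
    for iface, prefixes in ROUTING_TABLE.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if ip in net and net.prefixlen > best_len:
                best_iface, best_len = iface, net.prefixlen
    return best_iface


def ingress_filter(ingress_iface, src):
    """Strict uRPF with a bogon check. Returns (permit: bool, reason: str).
    A packet is accepted only if the reverse path to its source leaves via the
    interface it arrived on. On a customer port this is BCP38 (the customer may only
    emit its own addresses); on the upstream it stops outsiders spoofing our customers."""
    ip = ipaddress.ip_address(src)
    if any(ip in ipaddress.ip_network(p) for p in BOGON_PREFIXES):
        return False, "bogon source address"
    reverse_path = route_lookup(ip)
    if reverse_path is None:
        return False, "no route back to source"
    if reverse_path != ingress_iface:
        return False, f"reverse path is {reverse_path}, packet arrived on {ingress_iface}"
    return True, "reverse path matches ingress interface"


def filter_batch(packets):
    """Apply the filter to (ingress_iface, src_ip) pairs; returns (iface, src, permit, reason) tuples."""
    return [(iface, src, *ingress_filter(iface, src)) for iface, src in packets]


SAMPLE_PACKETS = [                 # constructed, not captured
    ("cust-a", "203.0.113.9"),     # legitimate customer traffic
    ("cust-a", "198.51.100.5"),    # customer A using customer B's address
    ("cust-a", "192.0.2.77"),      # customer A using an arbitrary Internet address
    ("upstream", "192.0.2.1"),     # normal Internet source
    ("upstream", "203.0.113.9"),   # outside party claiming our customer's address
    ("upstream", "10.1.2.3"),      # RFC 1918 source on the Internet link: bogon
]

if __name__ == "__main__":
    for verdict in filter_batch(SAMPLE_PACKETS):
        print(verdict)
```

Strict mode is the right choice on single-homed customer ports. On links where traffic is legitimately asymmetric (multi-homed peers, some upstream links) strict uRPF drops valid packets, which is why routers also offer a loose mode that only asks whether any route to the source exists; the bogon check above is the part of loose mode that still has teeth.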
ARP poisoning (ARP spoofing): sending fake ARP replies to associate the attacker's MAC with a legitimate IP. Victims send traffic to the attacker. Mitigation: Dynamic ARP Inspection (DAI), static ARP entries for critical devices.
MAC flooding: flooding a switch with frames carrying fake source MAC addresses to fill the CAM table. When the table is full, the switch behaves like a hub — flooding all traffic to all ports. Mitigation: port security limiting MAC addresses per port.
VLAN hopping: accessing a VLAN the attacker shouldn't be on. Methods: switch spoofing (attacker's device acts as a switch and negotiates a trunk) or double-tagging (attacker sends frames with two 802.1Q tags — outer tag is stripped, inner tag routes to target VLAN). Mitigation: disable DTP, set explicit access mode, change native VLAN from VLAN 1.
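The double-tagging method relies on a switch stripping the outer 802.1Q tag (the native VLAN) and forwarding on the inner one, so a defender-side sensor or switch ACL needs to parse stacked tags and notice when an access port receives a frame that is tagged at all. The parser and classifier below are an added example, not code from the page; the frame builder only produces a constructed test fixture, and the port modes and native VLAN values are assumptions.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
VLAN_ETHERTYPES = {0x8100, 0x88A8}   # 802.1Q customer tag, 802.1ad service tag

# Verdicts returned by assess_frame()
OK = "ok"
UNEXPECTED_TAG = "tagged frame on access port"
DOUBLE_TAG_HOP = "double-tagged frame on access port with outer tag = native VLAN"


def build_frame(vids, payload=b"\x45\x00\x00\x14"):
    """Constructed test frame (not captured traffic): Ethernet II header, one 802.1Q tag
    per VID in order (outermost first), then an IPv4 ethertype and a stub payload."""
    dst = bytes.fromhex("ffffffffffff")          # broadcast
    src = bytes.fromhex("020000000001")          # locally administered, made-up address
    frame = dst + src
    for vid in vids:
        tci = vid & 0x0FFF                        # PCP=0, DEI=0, 12-bit VID
        frame += struct.pack("!HH", 0x8100, tci)
    frame += struct.pack("!H", ETHERTYPE_IPV4) + payload
    return frame


def parse_vlan_tags(frame):
    """Parse an Ethernet II frame with zero or more stacked 802.1Q tags.
    Returns (dst_mac, src_mac, [vid, ...] outermost first, inner ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    offset += 2
    vids = []
    while ethertype in VLAN_ETHERTYPES:
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vids.append(tci & 0x0FFF)
        offset += 4
    return dst, src, vids, ethertype, frame[offset:]


def assess_frame(frame, port_mode, native_vlan):
    """Classify what a switch port saw. An access port should not receive tagged frames;
    two tags with the outer one equal to the trunk's native VLAN is the double-tagging pattern."""
    _, _, vids, _, _ = parse_vlan_tags(frame)
    if port_mode == "access" and vids:
        if len(vids) >= 2 and vids[0] == native_vlan:
            return DOUBLE_TAG_HOP
        return UNEXPECTED_TAG
    return OK


if __name__ == "__main__":
    print(parse_vlan_tags(build_frame([1, 20]))[2])          # [1, 20]
    print(assess_frame(build_frame([1, 20]), "access", 1))   # double-tag verdict
```

Two caveats for anyone turning this into a real check: an access port configured with a voice VLAN legitimately receives frames tagged with that one VLAN, so the `UNEXPECTED_TAG` branch needs an allow-list there; and stacked tags on a trunk can be legitimate QinQ (802.1ad), which is why the classifier only raises the double-tag verdict for access ports. The mitigations in the text (disable DTP, explicit access mode, native VLAN other than 1 and not used for any access port) remove the condition the pattern depends on.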
Evil Twin (rogue AP): attacker sets up a wireless AP with the same SSID as a legitimate network. Clients connect to the attacker's AP thinking it's the real network. Mitigation: wireless intrusion detection, client verification (802.1X), HTTPS everywhere.
Deauthentication attack: sending forged 802.11 deauthentication frames to disconnect clients. Used as DoS or to force clients to reconnect to an Evil Twin. Mitigation: 802.11w (Management Frame Protection).
Common misconception: DoS attacks can only be prevented by having more bandwidth.
Reality: While DDoS mitigation services (scrubbing centers) help, DoS attacks are also mitigated through rate limiting, SYN cookies, ingress filtering, anycast routing, and upstream provider filtering, not just buying more bandwidth.
These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.
An attacker sends thousands of forged ARP replies to clients in a subnet, associating their MAC address with the default gateway's IP. Traffic from clients is now intercepted. Which attack is this?
Explanation: ARP poisoning (ARP spoofing) sends fake ARP replies associating the attacker's MAC address with a legitimate IP (the default gateway in this case). Clients update their ARP cache with the false mapping and send all their internet-bound traffic to the attacker's MAC — enabling a man-in-the-middle attack. Dynamic ARP Inspection (DAI) validates ARP packets against a DHCP snooping binding table to prevent this.
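The ARP poisoning entry above and this practice question both end at the same control: Dynamic ARP Inspection checks each ARP reply from an untrusted port against the DHCP snooping binding table. The example below is added here, not taken from the page, and models that check plus a host-side fallback that reports when a protected address (the default gateway) suddenly answers from a different MAC. The binding table, port names and sample replies are constructed assumptions for the demonstration.

```python
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "port sender_ip sender_mac")

# Constructed DHCP snooping binding table (assumption, not from the page):
# ip -> (mac, switch port that holds the lease). The gateway has no lease; it sits
# behind the trusted uplink, which DAI does not inspect.
BINDINGS = {
    "192.0.2.10": ("00:1a:2b:3c:4d:10", "Fa0/1"),
    "192.0.2.11": ("00:1a:2b:3c:4d:11", "Fa0/2"),
}
TRUSTED_PORTS = {"Gi0/1"}

PERMIT = "permit"
DROP_NO_BINDING = "drop: no DHCP snooping binding for sender IP"
DROP_MAC_MISMATCH = "drop: sender MAC does not match the binding"
DROP_PORT_MISMATCH = "drop: binding belongs to a different port"


def dai_validate(reply):
    """Dynamic ARP Inspection: ARP replies from untrusted ports must match the binding table
    on sender IP, sender MAC and ingress port; anything else is dropped."""
    if reply.port in TRUSTED_PORTS:
        return PERMIT
    binding = BINDINGS.get(reply.sender_ip)
    if binding is None:
        return DROP_NO_BINDING
    mac, port = binding
    if reply.sender_mac.lower() != mac:
        return DROP_MAC_MISMATCH
    if reply.port != port:
        return DROP_PORT_MISMATCH
    return PERMIT


def dai_filter(replies):
    """Run every reply through DAI; returns (reply, verdict) pairs."""
    return [(r, dai_validate(r)) for r in replies]


def watch_arp_cache(replies, protected_ips):
    """Host-side fallback where no DAI exists: keep our own IP->MAC view and report every
    change to a protected address. Returns (ip, old_mac, new_mac) alerts."""
    cache = {}
    alerts = []
    for r in replies:
        previous = cache.get(r.sender_ip)
        if previous is not None and previous != r.sender_mac and r.sender_ip in protected_ips:
            alerts.append((r.sender_ip, previous, r.sender_mac))
        cache[r.sender_ip] = r.sender_mac
    return alerts


SAMPLE_REPLIES = [   # constructed sequence of ARP replies as a switch would see them
    ArpReply("Gi0/1", "192.0.2.1", "00:1a:2b:3c:4d:01"),   # real gateway, via trusted uplink
    ArpReply("Fa0/1", "192.0.2.10", "00:1a:2b:3c:4d:10"),  # legitimate client
    ArpReply("Fa0/3", "192.0.2.1", "02:de:ad:be:ef:03"),   # Fa0/3 host claims to be the gateway
    ArpReply("Fa0/3", "192.0.2.10", "02:de:ad:be:ef:03"),  # ... and claims a client's IP too
    ArpReply("Fa0/2", "192.0.2.10", "00:1a:2b:3c:4d:10"),  # right MAC, wrong port
    ArpReply("Fa0/3", "192.0.2.33", "02:de:ad:be:ef:03"),  # no lease for this IP
]

if __name__ == "__main__":
    for reply, verdict in dai_filter(SAMPLE_REPLIES):
        print(reply.port, reply.sender_ip, reply.sender_mac, "->", verdict)
    print("gateway MAC changes seen by a host:", watch_arp_cache(SAMPLE_REPLIES, {"192.0.2.1"}))
```

The forged gateway reply is dropped for the simple reason that the gateway never obtained a DHCP lease, so no untrusted port can have a binding for its address; in production the same effect is achieved with a static ARP ACL entry for the gateway. The host-side watcher is weaker (it only sees the change after the first poisoned reply) but is the check available on a network whose switches do not support DAI.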
DoS (Denial of Service): a single attacker/system sends overwhelming traffic or exploits a vulnerability to make a target unavailable. Easier to block — source IP can be blocked. DDoS (Distributed Denial of Service): coordinated attack from thousands or millions of compromised systems (botnet). Extremely difficult to block — traffic comes from many legitimate-looking source IPs globally. DDoS mitigation requires scrubbing centers, anycast routing, and ISP cooperation.