Network attacks
Sniffing, spoofing, man-in-the-middle, DoS/DDoS and the local-network attacks that exploit trusting protocols.
Reconnaissance comes first
Before attacking a network, an adversary maps it. Scanning identifies live hosts, open ports and running services, and nmap is the standard tool (covered in CTF skills). Defensively, the lesson is that anything reachable will be found. Internet-facing services are scanned continuously by automated tools, so an exposed, unpatched service is discovered in hours.
Sniffing (eavesdropping)
Packet sniffing is capturing traffic as it crosses the network. On older hubbed networks every host saw all traffic. Modern switches send frames only to the intended port, so an attacker must first force traffic their way (see ARP spoofing) or get onto a span/mirror port. Tools: Wireshark (analysis), tcpdump (capture).
The defensive takeaway is blunt: anything sent in plaintext can be read by someone positioned on the path. This is the whole argument for encrypting data in transit. Sniffing a Telnet or HTTP session hands over credentials directly, whereas sniffing a TLS session yields ciphertext.
Spoofing
Spoofing is forging an identifier to impersonate something or someone:
- IP spoofing: forging the source IP of a packet. Used to hide origin and to enable amplification DDoS (replies go to the spoofed victim).
- MAC spoofing: changing a network card's hardware address to bypass MAC filtering or impersonate a device.
- ARP spoofing: sending forged ARP replies so the victim associates the attacker's MAC with the gateway's IP, routing the victim's traffic through the attacker. The most common path to a local man-in-the-middle.
- DNS spoofing: supplying false DNS answers so a victim resolves a legitimate name to an attacker's server.
- Email spoofing: forging the sender of an email, the mainstay of phishing. Defended by SPF, DKIM and DMARC.
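The ARP spoofing described above leaves a simple signature on the wire: an IP address whose claimed MAC changes, and one MAC claiming several IPs (the gateway and the victim at once). The following detector is an added example, not code from the original page; it parses constructed sample lines in the style of `tcpdump -n arp` output and the function names and the optional `baseline` of trusted bindings are assumptions for this illustration.

```python
import re

# Matches tcpdump-style ARP reply lines: "<ts> ARP, Reply <ip> is-at <mac>, length <n>"
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

# Constructed sample capture (not a real one): 192.168.1.1 is the gateway,
# 192.168.1.20 a client; from 10:00:05 a third MAC claims both addresses.
SAMPLE = """\
10:00:00.000001 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
10:00:00.000310 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 46
10:00:01.100000 ARP, Reply 192.168.1.20 is-at 66:77:88:99:aa:bb, length 46
10:00:05.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 46
10:00:05.000200 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:01, length 46
10:00:07.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 46
"""

def parse_replies(text):
    """Return (timestamp, ip, mac) for every ARP reply line; requests are ignored."""
    out = []
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            out.append((m["ts"], m["ip"], m["mac"].lower()))
    return out

def detect_arp_poisoning(replies, baseline=None):
    """baseline: trusted {ip: mac} bindings (e.g. the gateway from inventory).
    Returns alerts as (timestamp, kind, detail) tuples."""
    bindings = dict(baseline or {})   # ip -> mac
    ips_by_mac = {}                   # mac -> set of ips it has claimed
    alerts = []
    for ts, ip, mac in replies:
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac        # first sighting: learn it (trust on first use)
        elif known != mac:            # keep the original binding so flapping keeps alerting
            alerts.append((ts, "ip-mac-conflict", f"{ip} was {known}, now claimed by {mac}"))
        claimed = ips_by_mac.setdefault(mac, set())
        if ip not in claimed:
            claimed.add(ip)
            if len(claimed) > 1:      # one MAC answering for several IPs: two-sided poisoning
                alerts.append((ts, "mac-claims-multiple-ips", f"{mac} claims {sorted(claimed)}"))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_poisoning(parse_replies(SAMPLE)):
        print(*alert)
```

Dynamic ARP inspection on a switch does the same binding check in hardware against the DHCP snooping table; this script is the host-side equivalent you can run over a capture.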
Man-in-the-middle (MITM)
In a man-in-the-middle (also called on-path) attack, the adversary secretly sits between two parties, relaying and possibly altering traffic while each side believes it's talking directly to the other. ARP spoofing on a LAN, a rogue Wi-Fi access point ("evil twin"), or a rogue DHCP server are common ways to achieve the position.
Once in the middle, the attacker can read plaintext, harvest credentials, and attempt SSL stripping, which downgrades a victim's HTTPS attempt to HTTP so the traffic becomes readable. The defences are the cryptographic ones from the crypto topic: TLS with valid certificate validation (stops the attacker impersonating the server), HSTS (forces HTTPS so stripping fails), and on the LAN, dynamic ARP inspection and port security.
Why MITM is the unifying threat: it's the practical reason confidentiality and integrity both need protecting in transit. Encryption alone stops reading; certificate-based authentication stops the attacker substituting themselves for the server.
Denial of service
A DoS attack aims at availability, making a service unusable rather than stealing from it. A DDoS (distributed) uses many sources at once, typically a botnet of compromised devices, which makes it far harder to filter and to trace.
Categories worth distinguishing:
- Volumetric: sheer bandwidth (e.g. UDP floods). Often uses amplification/reflection: send a small spoofed-source query to a service (DNS, NTP, memcached) that replies with a much larger response aimed at the victim. The amplification factor can be hundreds-fold.
- Protocol: exhausting connection state, e.g. a SYN flood filling the half-open connection table.
- Application layer: low-bandwidth requests that are expensive to serve (e.g. repeatedly hitting a search or login endpoint), harder to distinguish from real users.
Defences: upstream scrubbing and CDN/anti-DDoS services, rate limiting, SYN cookies (handle the handshake without allocating state until it completes), and capacity/redundancy. You can't simply "patch" your way out of a volumetric DDoS. It's an arms race of capacity and filtering.
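To make the SYN cookie defence concrete, here is a simplified model of the classic scheme (an added example, not code from the page or any real TCP stack): the server encodes a time counter, the client's MSS and a keyed hash into the ISN it sends back, stores nothing, and only accepts the final ACK if the cookie it carries recomputes correctly. The key, the MSS table and the function names are assumptions for this illustration.

```python
import hashlib
import hmac

# Constructed demo key; a real stack keeps this in kernel memory and rotates it.
SECRET = b"demo-syn-cookie-key"
# Only 3 bits of the cookie carry the client's MSS, so it is stored as a table index.
MSS_TABLE = (536, 1220, 1440, 1460, 4312, 8960, 9000, 65495)

def _keyed_hash(src_ip, dst_ip, src_port, dst_port, client_isn, counter):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the time counter."""
    msg = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}|{client_isn}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")

def make_syn_cookie(src_ip, dst_ip, src_port, dst_port, client_isn, mss_index, now):
    """Return the 32-bit ISN to place in the SYN-ACK. No per-connection state is kept.
    Layout: 5 bits minute counter | 3 bits MSS index | 24 bits keyed hash."""
    counter = (now // 60) & 0x1F
    h = _keyed_hash(src_ip, dst_ip, src_port, dst_port, client_isn, counter)
    return (counter << 27) | ((mss_index & 0x7) << 24) | h

def verify_syn_cookie(src_ip, dst_ip, src_port, dst_port, seq, ack, now):
    """Check the client's final ACK, where seq = client_isn + 1 and ack = cookie + 1.
    Returns the recovered MSS on success, None if the cookie is stale or forged."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    counter = cookie >> 27
    current = (now // 60) & 0x1F
    if counter not in (current, (current - 1) & 0x1F):
        return None   # older than the current or previous minute: reject
    expected = _keyed_hash(src_ip, dst_ip, src_port, dst_port, client_isn, counter)
    if expected != (cookie & 0xFFFFFF):
        return None   # forged or tampered cookie
    return MSS_TABLE[(cookie >> 24) & 0x7]
```

A flood of SYNs therefore costs the server one HMAC per packet and no memory, and a forged ACK fails the hash check; the trade-off is that TCP options that do not fit in the cookie are lost for connections completed this way.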
Wireless-specific attacks
- Evil twin: a rogue access point mimicking a legitimate SSID so victims connect through the attacker.
- Deauthentication: forging management frames to knock clients off a Wi-Fi network (a DoS, and a way to force reconnection for capture).
- WEP/WPA cracking: WEP is trivially broken; WPA2 is vulnerable to offline cracking of weak pre-shared keys captured during the handshake; WPA3 strengthens this with the SAE handshake. Use WPA3 or WPA2 with a strong passphrase.
Defences in summary
The network-attack chapter resolves into a short list of countermeasures, each tied to a property:
- Encrypt in transit (TLS, VPNs, SSH) → defeats sniffing.
- Authenticate endpoints (certificates, mutual TLS) → defeats spoofing/MITM.
- Segment and filter (firewalls, VLANs, zero trust) → limits reach and blast radius.
- Harden the LAN (dynamic ARP inspection, DHCP snooping, port security, 802.1X) → defeats layer-2 spoofing.
- Plan for availability (rate limiting, scrubbing, redundancy) → blunts DoS.
Quick recall
- Sniffing reads plaintext on the path → encrypt in transit. Wireshark/tcpdump are the tools.
- Spoofing forges identifiers (IP, MAC, ARP, DNS, email). ARP spoofing is the usual LAN MITM enabler.
- MITM sits on-path; TLS + certificate validation + HSTS defeat it; SSL stripping is the downgrade to watch.
- DoS/DDoS attacks availability; types are volumetric (often amplified), protocol (SYN flood), and application-layer.
- Wireless: evil twins, deauth, and use WPA3 / strong WPA2.