Network and Wireless Attacks
Key Takeaways
- Network attacks often target traffic redirection, name resolution, availability, or trust boundaries.
- On-path attacks intercept or alter traffic between parties; spoofing impersonates a trusted address, system, or identity.
- DoS and DDoS attacks exhaust capacity, state tables, application resources, or upstream bandwidth.
- Wireless attacks include evil twin, rogue access point, deauthentication, jamming, and weak protocol abuse.
- Mitigations include segmentation, secure protocols, DNS protections, switch security, WPA3 or 802.1X, monitoring, and DDoS controls.
Network and Wireless Attacks
Network attack questions ask what trust assumption failed. Did the attacker redirect traffic, impersonate a system, flood a service, weaken wireless access, or trick name resolution?
| Attack | What happens | Typical clue | Mitigation |
|---|---|---|---|
| On-path attack | Attacker intercepts traffic between parties | Certificate warning, altered traffic | TLS validation, VPN, secure switching |
| ARP poisoning | Attacker maps their MAC to another IP | Gateway MAC changes, local LAN issue | Dynamic ARP inspection, static entries for critical systems |
| DNS poisoning | Name resolves to malicious address | Correct URL, wrong destination | DNSSEC, secure resolvers, cache clearing |
| IP/MAC spoofing | Attacker forges address identity | Traffic from impossible or duplicate address | ACLs, DHCP snooping, switch port security |
| DoS/DDoS | Service is exhausted or unreachable | Traffic flood, high resource use | Rate limiting, CDN/scrubbing, autoscaling, filtering |
| Replay attack | Captured data is reused | Duplicate valid request or token | Nonces, timestamps, session protection |
| SSL stripping | HTTPS downgraded to HTTP | User sees HTTP for sensitive site | HSTS, user awareness, secure cookies |
| VLAN hopping | Attacker reaches another VLAN | Unexpected cross-VLAN traffic | Disable trunking on access ports, native VLAN hardening |
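As an added example (not from this page), a small Python watcher for the ARP poisoning clue in the table above: a known IP, such as the gateway, suddenly mapping to a different MAC, or one MAC claiming several IPs. The ARP observations and MAC addresses are constructed; the `trusted` dictionary models the table's static entries for critical systems.

```python
"""Host-side detector for the ARP poisoning clue: an IP-to-MAC change,
a violated static (trusted) entry, or one MAC claiming multiple IPs.
Constructed example; switch-level DAI/DHCP snooping does this at scale."""
from collections import defaultdict

# Constructed ARP observations (ip, mac) as a host would see ARP replies.
# The last two lines model the gateway 10.0.0.1 being claimed by a second MAC,
# which then also claims a client IP (classic on-path setup).
ARP_OBSERVATIONS = [
    ("10.0.0.1", "aa:bb:cc:00:00:01"),   # legitimate gateway
    ("10.0.0.20", "aa:bb:cc:00:00:20"),
    ("10.0.0.21", "aa:bb:cc:00:00:21"),
    ("10.0.0.1", "aa:bb:cc:00:00:01"),   # repeat, no change
    ("10.0.0.1", "de:ad:be:ef:00:99"),   # gateway IP moves to another MAC
    ("10.0.0.20", "de:ad:be:ef:00:99"),  # same MAC now claims a client IP too
]


def analyze_arp(observations, trusted=None):
    """Return a list of alert tuples found in the observations.

    trusted: optional {ip: mac} static entries for critical systems; any
    reply that contradicts one is reported as a 'trusted_mismatch'.
    Alert kinds: trusted_mismatch, mac_changed, multi_ip_mac.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    first_seen = {}                  # ip -> first MAC observed for that IP
    ips_per_mac = defaultdict(set)   # mac -> set of IPs it has claimed
    alerts = []
    for ip, mac in observations:
        mac = mac.lower()
        ips_per_mac[mac].add(ip)
        if ip in trusted and trusted[ip] != mac:
            alerts.append(("trusted_mismatch", ip, mac))
        if ip in first_seen and first_seen[ip] != mac:
            alerts.append(("mac_changed", ip, mac))
        first_seen.setdefault(ip, mac)
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(("multi_ip_mac", mac, tuple(sorted(ips))))
    return alerts


if __name__ == "__main__":
    for alert in analyze_arp(ARP_OBSERVATIONS, {"10.0.0.1": "aa:bb:cc:00:00:01"}):
        print(alert)
```

A real deployment would feed this from periodic `arp -a` or `ip neigh` output, or from passive ARP capture, and page on the first `trusted_mismatch` for the gateway.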
Wireless Attack Map
| Wireless attack | Description | Defense |
|---|---|---|
| Evil twin | Fake AP mimics a legitimate network | Use 802.1X certificates and user verification |
| Rogue AP | Unauthorized AP connected to the network | Wireless scanning and NAC |
| Deauthentication | Forces clients off Wi-Fi | WPA3/management frame protection where supported |
| Jamming | Radio interference disrupts service | Spectrum analysis, channel planning, physical response |
| Bluejacking | Unwanted Bluetooth messages | Disable discovery, user awareness |
| Bluesnarfing | Unauthorized Bluetooth data access | Patch devices, disable unused Bluetooth |
| WPS PIN attack | Weak WPS enrollment abused | Disable WPS |
Worked Example: Name Resolution
A user enters the correct banking URL but reaches a convincing fake site. The certificate is invalid, and the DNS cache shows the banking domain resolving to an unfamiliar IP. That points to DNS poisoning or local hosts file tampering, not to a password attack by itself. The right response is to remove the poisoned entry, check resolver integrity, check the endpoint for compromise, and ensure DNSSEC or trusted-resolver controls are in place where applicable.
Worked Example: DDoS Triage
| Symptom | More likely layer | Response |
|---|---|---|
| Upstream link saturated | Volumetric | Provider scrubbing or CDN |
| Firewall state table full | Protocol/state exhaustion | Rate limits, SYN protections, upstream filtering |
| Web CPU spikes from expensive search requests | Application layer | WAF rules, caching, rate limits |
The best DDoS mitigation depends on where resources are exhausted. A local firewall cannot help if the circuit is already saturated before traffic reaches it.
Common Traps
| Trap | Better exam reasoning |
|---|---|
| "Use encryption" for every network attack | Encryption protects confidentiality and integrity, but it does not stop flooding or jamming |
| Confuse rogue AP and evil twin | Rogue AP is unauthorized infrastructure; evil twin impersonates a known SSID |
| Treat jamming as an authentication failure | Jamming is radio interference and may require spectrum or physical investigation |
| Place DDoS mitigation behind the bottleneck | Filtering must happen before or at the exhausted point |
Quick Drill
- Users connect to "CorpWiFi" in a cafe and enter credentials into a captive portal: evil twin.
- Local clients see the default gateway IP mapped to a new MAC address: ARP poisoning.
- A public API receives millions of valid-looking search requests per minute: application-layer DDoS.
- Correct hostnames resolve to attacker-controlled addresses: DNS poisoning or resolver compromise.
- Users connect to a fake wireless network with the same SSID as the company network. What attack is this?
- A web application is unavailable because the upstream internet circuit is saturated by traffic. Which mitigation is most appropriate?
- Which controls help reduce LAN spoofing and redirection attacks? Select two.