Network Attacks and Scenario Cues

Key Takeaways

  • DoS and DDoS attack availability by exhausting bandwidth, sessions, application pools, or amplifying responses.
  • Layer 2 attacks include VLAN hopping (double-tagging), MAC flooding, ARP poisoning, and rogue DHCP.
  • DNS poisoning and rogue DNS redirect users while their devices still appear normally connected.
  • Evil twin APs and deauth abuse target the wireless edge; social engineering targets people directly.
  • Classify by asking what changed and which layer the symptom lives on.

Last updated: June 2026

Network Attacks and Their Cues

N10-009 attack questions describe symptoms first: user complaints, switch-table behavior, odd DHCP leases, wrong DNS answers, duplicate SSIDs, or packet captures. The fastest way to name the attack is to ask what changed and which layer it lives on.

Availability Attacks

Attack | What happens | Telltale cue
DoS (denial of service) | One source disrupts a service | A single host floods a web server
DDoS (distributed DoS) | Many sources disrupt a service | Traffic arrives from a botnet across many networks
Resource exhaustion | CPU, memory, or session table fills | Firewall sessions max out; app stops responding
Amplification/reflection | Small spoofed request triggers a large response at the victim | Huge DNS, NTP, or memcached responses flood the target

DDoS mitigation includes upstream filtering, scrubbing centers, CDN/WAF services, rate limiting, anycast, capacity planning, and provider runbooks. A local firewall rule cannot help once the Internet circuit itself is saturated upstream.

Layer 2 and Local Network Attacks

Attack | Mechanism | Symptom
VLAN hopping | Trunk misuse or 802.1Q double-tagging | Host reaches a VLAN it should not
MAC flooding | Switch CAM table filled with bogus MACs | Switch floods frames like a hub (fail-open)
ARP poisoning | Forged IP-to-MAC replies | Traffic detours through the attacker
Rogue DHCP | Unauthorized DHCP server hands out leases | Clients get wrong gateway/DNS/mask
On-path (MITM) | Attacker relays/intercepts between two parties | Sessions are observed or modified in transit

Layer 2 defenses: disable unused ports, set user ports to access mode, restrict allowed VLANs on trunks, harden the native VLAN, enable port security, DHCP snooping, dynamic ARP inspection (DAI), IP source guard, and 802.1X.
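The MAC flooding row above and the port security item in the defenses list are two sides of one mechanism, so here is an added example (not code from the study guide or from any switch vendor) that models a switch CAM table in Python. It replays a constructed sequence: an attacker port emits frames from 1,000 bogus source MACs, then a server and a victim exchange a unicast frame. Without port security the table fills and the switch fails open into hub-like flooding; with a per-port limit of 2 (violation mode shutdown, as on IOS port security) the attacker port is err-disabled and the server's frames are delivered only where they belong. The port names, MAC addresses and table size are constructed values.

```python
"""Model of a switch CAM table under MAC flooding, with and without port security.

Added example; not from the study guide or any vendor's software. Port names,
MACs and the table size are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

ALL_PORTS = ["Gi1/0/1", "Gi1/0/5", "Gi1/0/7"]   # server, victim, attacker (constructed)
SERVER_MAC = "00:00:5e:00:53:01"                # constructed
VICTIM_MAC = "00:00:5e:00:53:05"                # constructed


@dataclass
class CamSwitch:
    cam_capacity: int                          # maximum learnable entries
    port_security_max: Optional[int] = None    # None = port security disabled
    cam: dict = field(default_factory=dict)    # mac -> port
    per_port: dict = field(default_factory=dict)   # port -> number of MACs learned
    err_disabled: set = field(default_factory=set)

    def _learn(self, port: str, src_mac: str) -> bool:
        """Learn src_mac on port; False if policy or a full table prevents it."""
        if src_mac in self.cam:
            return True
        if (self.port_security_max is not None
                and self.per_port.get(port, 0) >= self.port_security_max):
            # Violation mode "shutdown": the offending port goes err-disabled.
            self.err_disabled.add(port)
            return False
        if len(self.cam) >= self.cam_capacity:
            return False                       # table full: this MAC stays unknown
        self.cam[src_mac] = port
        self.per_port[port] = self.per_port.get(port, 0) + 1
        return True

    def ingress(self, port: str, src_mac: str, dst_mac: str) -> set:
        """Process a frame arriving on port; return the set of egress ports."""
        if port in self.err_disabled:
            return set()                       # err-disabled port drops everything
        self._learn(port, src_mac)
        if dst_mac in self.cam:
            return {self.cam[dst_mac]}
        # Unknown destination: flood out every other port, exactly like a hub.
        return set(ALL_PORTS) - {port}


def simulate(port_security_max: Optional[int], bogus_macs: int = 1000) -> dict:
    """Replay: attacker floods bogus sources, then server and victim exchange a frame."""
    sw = CamSwitch(cam_capacity=1000, port_security_max=port_security_max)
    for i in range(bogus_macs):
        bogus = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"   # constructed, locally administered
        sw.ingress("Gi1/0/7", bogus, "ff:ff:ff:ff:ff:ff")
    sw.ingress("Gi1/0/1", SERVER_MAC, VICTIM_MAC)          # server speaks first
    egress = sw.ingress("Gi1/0/5", VICTIM_MAC, SERVER_MAC)   # victim replies to the server
    return {
        "cam_entries": len(sw.cam),
        "server_learned": SERVER_MAC in sw.cam,
        "attacker_port_err_disabled": "Gi1/0/7" in sw.err_disabled,
        "egress_for_server": egress,
    }


if __name__ == "__main__":
    print("no port security:", simulate(None))
    print("port security max 2:", simulate(2))
```

The interesting output is `egress_for_server`: with the table full the victim's frame to the server leaves on every port, including the attacker's, which is the "floods frames like a hub" symptom from the table; with port security it leaves only on the server's port.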

DNS and Wireless Attacks

Attack | What changes | Impact
DNS poisoning | A resolver cache or answer is falsified | Users reach attacker-controlled addresses
Rogue DNS | Clients are pointed at an unauthorized resolver | Resolution is monitored or redirected
Evil twin | A fake AP impersonates a legitimate SSID | Users associate with the attacker's radio
Deauthentication | 802.11 deauth frames force clients off | Users reconnect to the rogue AP or lose service

Encrypted HTTPS connections blunt some DNS-redirection damage because certificate validation warns when a hostname does not match. That does not make DNS attacks harmless: attackers still redirect to lookalike domains, harvest clear-text traffic, or simply deny access.

Social Engineering

Social engineering manipulates people into unsafe actions. In network scenarios an attacker might call the help desk for a reset, send a phishing link to a fake VPN portal, drop a malicious QR code in a lobby, or tailgate into a wiring closet.

Technique | Network security angle
Phishing | Harvest VPN, SSO, or email credentials
Vishing | Voice call pressures help desk or user
Smishing | SMS link to a fake login or MFA prompt
Tailgating | Unauthorized entry to a server/wiring room
Impersonation | Pretends to be vendor, employee, or support

Worked Example: Reading an On-Path Capture

A user reports that a banking session showed a certificate warning. A packet capture shows the gateway's IP (192.168.1.1) suddenly associated with a workstation's MAC address, and that workstation forwarding the user's traffic on to the real gateway. This is the classic ARP-poisoning on-path attack: the attacker gratuitously announced "192.168.1.1 is at my MAC," so the victim sends gateway-bound frames to the attacker, who relays them. The certificate warning is the tell that traffic is being intercepted by something the legitimate server's certificate does not cover.

The fix on the exam is dynamic ARP inspection tied to DHCP snooping bindings, which drops the forged ARP replies before they reach the victim.

Distinguishing Look-Alike Attacks

The exam loves to pit similar attacks against each other, so anchor each to the layer it operates on:

  • ARP poisoning vs. DNS poisoning: ARP corrupts the local Layer 2 IP-to-MAC table; DNS corrupts name resolution at Layer 7. If the victim reaches the right IP but the wrong MAC, it is ARP; if a correct hostname returns a wrong IP, it is DNS.
  • Rogue DHCP vs. rogue DNS: a rogue DHCP server changes the gateway, mask, and DNS that clients are handed at lease time; a rogue DNS server only changes where names resolve. Wrong gateway plus wrong DNS together points to rogue DHCP.
  • Evil twin vs. deauth: the evil twin is the fake AP itself; deauthentication frames are the technique that kicks clients off the real AP so they roam to the twin. They are often described together.
  • DoS vs. DDoS vs. amplification: one source is DoS; many sources is DDoS; small spoofed requests yielding huge responses is amplification, a force-multiplier for DDoS.

Common Traps

  • ARP poisoning affects IP-to-MAC mapping; DNS poisoning affects name-to-IP resolution.
  • MAC flooding targets the switch CAM table, not the IP routing table.
  • Rogue DHCP causes DNS and gateway symptoms even when the real DHCP server is healthy.
  • An evil twin can copy a familiar SSID; the name alone never proves legitimacy.
  • A certificate warning is a symptom of interception, not proof of which attack; correlate it with ARP, DNS, or wireless evidence.
  • Volumetric DDoS often needs ISP or cloud coordination once the link is saturated.

Test Your Knowledge

Clients on a subnet suddenly receive DHCP leases pointing to an unknown default gateway and DNS server, while the authorized DHCP server logs no new leases. What is most likely occurring?

Test Your Knowledge

A switch begins flooding traffic out all ports after its MAC address table fills with thousands of bogus source entries. Which attack does this describe?

Test Your Knowledge: Matching

Match each attack to its primary scenario cue.

  • ARP poisoning
  • DNS poisoning
  • Evil twin
  • DDoS