Network Attacks and Scenario Cues
Key Takeaways
- DoS and DDoS target availability by exhausting bandwidth, sessions, application resources, or infrastructure capacity.
- Layer 2 attacks include VLAN hopping, MAC flooding, ARP poisoning, rogue DHCP, and some on-path techniques.
- DNS poisoning and rogue DNS attacks can redirect users even when their devices appear connected normally.
- Evil twin access points and social engineering often target users instead of infrastructure weaknesses alone.
- Attack identification depends on symptoms, affected layer, logs, and packet behavior.
Network Attacks and Cues
Network attacks often reveal themselves through symptoms before the exact cause is known. Network+ scenarios may describe user complaints, switch table behavior, DHCP leases, DNS answers, wireless SSIDs, or packet captures. The fastest way to classify the attack is to ask what changed and which layer is involved.
Availability Attacks
| Attack | What happens | Common cue |
|---|---|---|
| DoS | One source disrupts service | Single host floods a web server |
| DDoS | Many sources disrupt service | Traffic arrives from many networks or botnet nodes |
| Resource exhaustion | CPU, memory, session table, or application pool fills | Firewall sessions max out or application stops responding |
| Amplification | Small requests trigger large responses toward victim | Large DNS, NTP, or UDP responses overwhelm target |
DDoS mitigation can include upstream filtering, scrubbing centers, CDN or WAF services, rate limiting, anycast, capacity planning, and runbooks with providers. A local firewall rule may not help if the Internet circuit is already saturated upstream.
Layer 2 and Local Network Attacks
| Attack | Mechanism | Symptom |
|---|---|---|
| VLAN hopping | Attacker reaches traffic in another VLAN through trunk misuse or double tagging | Host accesses VLAN it should not reach |
| MAC flooding | Switch CAM table is filled with bogus MAC addresses | Switch may flood frames like a hub |
| ARP poisoning | Attacker sends false IP-to-MAC mappings | Traffic passes through attacker or reaches wrong host |
| Rogue DHCP | Unauthorized DHCP server gives bad leases | Clients get wrong gateway, DNS, or subnet |
| On-path attack | Attacker intercepts or relays traffic between parties | Sessions are observed or modified in transit |
Layer 2 protections include disabling unused ports, access mode on user ports, limiting allowed VLANs on trunks, native VLAN hardening, port security, DHCP snooping, dynamic ARP inspection, IP source guard, and 802.1X.
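The cues in the table above can be turned into simple checks. As an added example that is not part of the original page, the following Python scans constructed sample events for three Layer 2 cues: one IP claimed by several MACs (ARP poisoning), a DHCP OFFER from a server not on an allow-list (rogue DHCP), and a single port learning far more MACs than a user port should (MAC flooding). The event format, port names, addresses and thresholds are all constructed assumptions.

```python
"""Layer 2 cue detection over constructed sample events (added example)."""
from collections import defaultdict

# Constructed sample events: (kind, switch_port, src_mac, ip)
#   "arp"  : ARP reply/announcement claiming ip -> src_mac
#   "dhcp" : DHCP OFFER, where ip is the offering server's address
SAMPLE_EVENTS = [
    ("arp", "Gi1/0/1", "aa:bb:cc:00:00:01", "10.0.0.1"),   # real gateway
    ("arp", "Gi1/0/7", "de:ad:be:ef:00:07", "10.0.0.1"),   # same IP, new MAC
    ("dhcp", "Gi1/0/7", "de:ad:be:ef:00:07", "10.0.0.250"),  # unlisted server
    ("dhcp", "Gi1/0/24", "aa:bb:cc:00:00:fe", "10.0.0.2"),   # authorized server
] + [  # 60 distinct source MACs seen on one access port
    ("arp", "Gi1/0/9", f"02:00:00:00:00:{i:02x}", f"10.0.9.{i + 1}")
    for i in range(60)
]

AUTHORIZED_DHCP_SERVERS = {"10.0.0.2"}   # assumed allow-list
MAC_PER_PORT_THRESHOLD = 50              # assumed ceiling for a user port


def classify(events, authorized_dhcp=AUTHORIZED_DHCP_SERVERS,
             mac_threshold=MAC_PER_PORT_THRESHOLD):
    """Return cue findings keyed by suspected attack."""
    ip_to_macs = defaultdict(set)     # ARP poisoning cue: IP with >1 MAC
    macs_per_port = defaultdict(set)  # MAC flooding cue: huge MAC count
    findings = {"arp_poisoning": [], "rogue_dhcp": [], "mac_flooding": []}
    for kind, port, mac, ip in events:
        macs_per_port[port].add(mac)
        if kind == "arp":
            ip_to_macs[ip].add(mac)
        elif kind == "dhcp" and ip not in authorized_dhcp:
            findings["rogue_dhcp"].append((port, ip))
    for ip, macs in ip_to_macs.items():
        if len(macs) > 1:
            findings["arp_poisoning"].append((ip, sorted(macs)))
    for port, macs in macs_per_port.items():
        if len(macs) > mac_threshold:
            findings["mac_flooding"].append((port, len(macs)))
    return findings


if __name__ == "__main__":
    for attack, hits in classify(SAMPLE_EVENTS).items():
        print(attack, hits)
```

These are cues, not proof: a NIC replacement or a first-hop redundancy failover also makes one IP appear with a second MAC, so each hit still needs the log and capture context the section describes.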
DNS and Wireless Attacks
| Attack | What changes | Impact |
|---|---|---|
| DNS poisoning | DNS cache or answer is falsified | Users reach attacker-controlled addresses |
| Rogue DNS | Client is told to use an unauthorized DNS server | Name resolution can be monitored or redirected |
| Evil twin | Fake AP impersonates a legitimate SSID | Users connect to attacker wireless |
| Deauthentication abuse | Clients are forced off a wireless network | Users reconnect to attacker AP or lose service |
Encrypted web connections can reduce some damage from DNS redirection because certificate validation may warn users when the hostname does not match the destination. That does not make DNS attacks harmless. Attackers can still redirect to lookalike domains, capture clear-text traffic, or disrupt access.
Social Engineering
Social engineering manipulates people into taking unsafe actions. In network scenarios, attackers may call the help desk for a password reset, send a phishing message with a fake VPN portal, leave a malicious QR code near a conference room, or impersonate a technician to gain wiring closet access.
| Social technique | Network security angle |
|---|---|
| Phishing | Harvest VPN, SSO, or email credentials |
| Vishing | Voice call persuades help desk or user |
| Smishing | Text message links to fake login or MFA prompt |
| Tailgating | Unauthorized person enters a network or server room area |
| Impersonation | Attacker pretends to be vendor, employee, or support |
Common Traps
- ARP poisoning affects local IP-to-MAC mapping; DNS poisoning affects name-to-IP resolution.
- MAC flooding targets switch forwarding tables, not IP routing tables.
- Rogue DHCP can cause DNS and gateway symptoms even if the real DHCP server is healthy.
- Evil twin attacks can use a familiar SSID name; the name alone does not prove legitimacy.
- DDoS response may require ISP or cloud provider coordination, especially when bandwidth is saturated.
Clients suddenly receive DHCP leases with an unknown default gateway and DNS server. What attack or issue is most likely?
A switch begins flooding traffic after its MAC address table fills with thousands of bogus entries. Which attack does this describe?
Match each attack to its primary cue.