Network and Wireless Attacks
Key Takeaways
- Every network attack breaks one trust assumption: where traffic is routed, how names resolve, who owns an address, whether a service stays available, or where the wireless boundary lies.
- On-path (man-in-the-middle) attacks intercept or alter traffic between parties; spoofing forges a trusted IP, MAC, or identity.
- DoS and DDoS exhaust a resource - bandwidth (volumetric), state tables (protocol), or application logic - and mitigation must sit at or before the exhausted point.
- Wireless attacks include evil twin, rogue AP, deauthentication, jamming, and WPS abuse; WPA3 and 802.1X harden access.
- Mitigations include segmentation, DNSSEC, dynamic ARP inspection, DHCP snooping, port security, secure protocols, and upstream DDoS scrubbing.
Ask What Trust Failed
Network-attack questions are really asking which trust assumption broke. Did the attacker redirect traffic, impersonate a system, flood a service, weaken wireless access, or trick name resolution? Identify that first, then the mitigation usually follows.
| Attack | What happens | Typical clue | Mitigation |
|---|---|---|---|
| On-path (MITM) | Attacker intercepts traffic between parties | Certificate warning, altered traffic | TLS validation, VPN, secure switching |
| ARP poisoning | Attacker maps their MAC to another's IP | Gateway MAC changes; local LAN only | Dynamic ARP inspection, static entries for critical hosts |
| DNS poisoning | Name resolves to a malicious address | Correct URL, wrong destination IP | DNSSEC, trusted resolvers, cache flushing |
| IP / MAC spoofing | Attacker forges an address identity | Traffic from impossible or duplicate address | ACLs, DHCP snooping, port security |
| DoS / DDoS | Service exhausted or unreachable | Traffic flood, resource saturation | Rate limiting, CDN/scrubbing, autoscaling |
| Replay | Captured valid data is resent | Duplicate valid request or token | Nonces, timestamps, session protection |
| SSL stripping | HTTPS downgraded to HTTP | Sensitive site loads over HTTP | HSTS, secure cookies, awareness |
| VLAN hopping | Attacker reaches another VLAN | Unexpected cross-VLAN traffic | Disable trunking on access ports, harden native VLAN |
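The replay row above lists nonces and timestamps as the mitigation. The following added example (not from the original page) shows why both are needed: the timestamp bounds how long a captured message stays valid, and the nonce cache rejects a second copy inside that window, while an HMAC over all three fields stops an attacker from swapping in a fresh nonce. The shared key, the 30-second skew and all messages are constructed values.

```python
import hashlib
import hmac
import secrets
import time

# Constructed shared secret for the demonstration; a real deployment derives it from the session key exchange.
SHARED_KEY = b"example-shared-secret-not-for-production"
MAX_SKEW_SECONDS = 30  # a message older (or newer) than this relative to the receiver's clock is rejected


def _mac(key, ts, nonce, body):
    # The MAC binds timestamp, nonce and body together, so none of them can be swapped in isolation.
    return hmac.new(key, f"{ts}|{nonce}|".encode() + body, hashlib.sha256).hexdigest()


def sign_request(body, key=SHARED_KEY, now=None):
    """Sender side: attach a fresh random nonce and the current time, then MAC all three fields."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    return {"ts": ts, "nonce": nonce, "body": body, "mac": _mac(key, ts, nonce, body)}


class ReplayGuard:
    """Receiver side: each nonce is accepted once, and only while its timestamp is fresh."""

    def __init__(self, key=SHARED_KEY, max_skew=MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # nonce -> timestamp it arrived with; pruned once the skew check would reject it anyway

    def verify(self, msg, now=None):
        now = int(time.time() if now is None else now)
        expected = _mac(self.key, msg["ts"], msg["nonce"], msg["body"])
        # Check integrity first: a forged message must not be able to probe or pollute the nonce cache.
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "bad mac"
        if abs(now - msg["ts"]) > self.max_skew:
            return False, "stale timestamp"
        if msg["nonce"] in self.seen:
            return False, "replayed nonce"
        self.seen[msg["nonce"]] = msg["ts"]
        # Bounded memory: only nonces that could still pass the skew check need to be remembered.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= self.max_skew}
        return True, "ok"


if __name__ == "__main__":
    guard = ReplayGuard()
    msg = sign_request(b"transfer=100", now=1000)
    print(guard.verify(msg, now=1005))   # first delivery is accepted
    print(guard.verify(msg, now=1006))   # the captured copy is rejected as a replay
```

The order of the checks matters: verifying the MAC before touching the nonce cache means only a holder of the key can influence what the receiver remembers, and pruning by timestamp keeps the cache from growing without bound on a busy service.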
Wireless Attack Map
A key distinction the exam loves: a rogue access point is unauthorized infrastructure plugged into your network, while an evil twin impersonates a known SSID to lure clients - same name, attacker's hardware.
| Wireless attack | Description | Defense |
|---|---|---|
| Evil twin | Fake AP broadcasts a legitimate SSID | 802.1X with certificates, user verification |
| Rogue AP | Unauthorized AP attached to the LAN | Wireless scanning, NAC, switch port control |
| Deauthentication | Forged frames knock clients off Wi-Fi | WPA3 / 802.11w management-frame protection |
| Jamming | RF interference disrupts the band | Spectrum analysis, channel planning, physical response |
| Bluejacking | Unsolicited Bluetooth messages | Disable discovery, awareness |
| Bluesnarfing | Unauthorized Bluetooth data theft | Patch devices, disable unused Bluetooth |
| WPS PIN attack | Weak 8-digit WPS PIN brute-forced | Disable WPS entirely |
Note that WPA3 adds SAE (Simultaneous Authentication of Equals) to resist the offline dictionary attacks that WPA2's 4-way handshake allowed, and mandates management-frame protection that blunts deauthentication.
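The two wireless clues the table above leans on, a known SSID beaconed from unknown hardware (evil twin) and a burst of deauthentication frames, are both visible to a passive monitor. The following added example (not part of the original page) runs those two checks over a constructed capture; the AP inventory, the BSSIDs and the thresholds are assumed values, and the frame records are a simplified stand-in for what a wireless IDS would extract from 802.11 management frames.

```python
from collections import defaultdict, deque

# Assumed AP inventory: SSID -> authorized BSSIDs. Constructed values for the demonstration.
AUTHORIZED_APS = {
    "CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}
DEAUTH_THRESHOLD = 20   # deauth frames from one BSSID inside the window before alerting
DEAUTH_WINDOW_S = 10.0  # sliding window length in seconds


def detect_evil_twins(frames, authorized=AUTHORIZED_APS):
    """Return BSSIDs that beacon an SSID from the inventory but are not authorized to do so."""
    suspects = set()
    for f in frames:
        if f["type"] != "beacon":
            continue
        if f["ssid"] in authorized and f["bssid"] not in authorized[f["ssid"]]:
            suspects.add(f["bssid"])   # same name, somebody else's hardware
    return suspects


def detect_deauth_floods(frames, threshold=DEAUTH_THRESHOLD, window=DEAUTH_WINDOW_S):
    """Per-BSSID sliding window over deauth frames; returns the BSSIDs whose count reached the threshold."""
    recent = defaultdict(deque)
    alerted = set()
    for f in sorted(frames, key=lambda x: x["ts"]):
        if f["type"] != "deauth":
            continue
        q = recent[f["bssid"]]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window:
            q.popleft()        # drop frames that fell out of the window
        if len(q) >= threshold:
            alerted.add(f["bssid"])
    return alerted


def build_sample_capture():
    """Constructed capture: legitimate beacons, an impostor beaconing the same SSID, and a forged deauth burst."""
    frames = [
        {"type": "beacon", "ssid": "CorpWiFi", "bssid": "aa:bb:cc:00:00:01", "ts": 0.0},
        {"type": "beacon", "ssid": "CorpWiFi", "bssid": "de:ad:be:ef:00:01", "ts": 0.1},  # evil twin
        {"type": "beacon", "ssid": "GuestNet", "bssid": "11:22:33:44:55:66", "ts": 0.2},  # not inventoried, ignored
        {"type": "deauth", "ssid": None, "bssid": "aa:bb:cc:00:00:01", "ts": 1.0},          # one normal deauth
    ]
    # 25 forged deauth frames in two seconds, spoofing the real AP's address
    frames += [{"type": "deauth", "ssid": None, "bssid": "aa:bb:cc:00:00:01", "ts": 5.0 + i * 0.08}
               for i in range(25)]
    return frames


if __name__ == "__main__":
    capture = build_sample_capture()
    print("evil twins:", detect_evil_twins(capture))
    print("deauth floods from:", detect_deauth_floods(capture))
```

The deauth detector keys on the address the frames claim to come from, which in an attack is the real AP's BSSID; that is exactly why the fix is cryptographic (802.11w management-frame protection lets clients discard the forged frames) rather than an allowlist.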
Worked Example: Name Resolution
A user types the correct banking URL but lands on a convincing fake. The certificate is invalid, and the DNS cache shows the bank's domain resolving to an unfamiliar IP. That points to DNS poisoning or local hosts-file tampering, not a password attack. The right response: flush the poisoned entry, verify resolver integrity, check the endpoint for compromise, and enforce DNSSEC or a trusted/encrypted resolver.
Worked Example: DDoS Triage
Mitigation depends entirely on where the resource is exhausted. A local firewall cannot help if the circuit is saturated before traffic ever reaches it.
| Symptom | Likely DDoS layer | Response |
|---|---|---|
| Upstream link saturated | Volumetric (Layer 3/4) | Provider scrubbing or CDN absorption |
| Firewall state table full | Protocol / state exhaustion | SYN cookies, rate limits, upstream filtering |
| Web CPU spikes from expensive searches | Application (Layer 7) | WAF rules, caching, request rate limits |
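For the application-layer row, the triage question is which clients are spending the server's CPU, and the response is a request rate limit scoped to the expensive endpoints rather than to all traffic. The following added example (not from the original page) applies a per-client sliding-window budget over a constructed access log in simplified Common Log Format; the `/search` prefix, the 60-second window, the budget of 30 and the client addresses are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Simplified Common Log Format; enough of the line is captured to rate-limit by client and endpoint.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
EXPENSIVE_PREFIXES = ("/search",)  # assumed: endpoints whose handling costs real CPU per request
WINDOW_S = 60    # sliding window length in seconds
BUDGET = 30      # expensive requests one client may make per window before it is flagged for throttling


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None   # malformed or truncated line: skip rather than crash the pipeline
    return {"ip": m.group("ip"), "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "path": m.group("path"), "status": int(m.group("status"))}


def find_abusers(lines, window=WINDOW_S, budget=BUDGET, expensive=EXPENSIVE_PREFIXES):
    """Per-client sliding window over expensive endpoints only; returns ip -> peak in-window count for offenders."""
    recent = defaultdict(deque)
    offenders = {}
    records = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    for rec in records:
        if not rec["path"].startswith(expensive):
            continue   # cheap static content does not count against the budget
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > budget:
            offenders[rec["ip"]] = max(offenders.get(rec["ip"], 0), len(q))
    return offenders


def build_sample_log():
    """Constructed access log: one client hammering /search once a second, one client browsing normally."""
    t0 = datetime(2024, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

    def line(ip, offset, path):
        ts = (t0 + timedelta(seconds=offset)).strftime(TS_FMT)
        return '%s - - [%s] "GET %s HTTP/1.1" 200 512' % (ip, ts, path)

    lines = [line("203.0.113.7", i, "/search?q=%d" % i) for i in range(50)]
    lines += [line("198.51.100.9", i * 7, "/search?q=shoes") for i in range(5)]
    lines += [line("198.51.100.9", i * 3, "/static/app.js") for i in range(40)]
    return lines


if __name__ == "__main__":
    print(find_abusers(build_sample_log()))   # only the client that exceeded the search budget is listed
```

The same logic, expressed as a WAF or reverse-proxy rate rule keyed on client address and path prefix, is the mitigation the table names; it works here because the bottleneck (web CPU) is behind the point where the rule is applied.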
Common Traps
| Trap | Better exam reasoning |
|---|---|
| "Use encryption" for every network attack | Encryption aids confidentiality/integrity but does nothing against flooding or jamming |
| Confuse rogue AP and evil twin | Rogue AP is unauthorized infrastructure; evil twin impersonates a known SSID |
| Treat jamming as an authentication failure | Jamming is RF interference, needing spectrum or physical investigation |
| Place DDoS mitigation behind the bottleneck | Filtering must occur at or before the exhausted resource |
Layer-2 and Routing Trust Failures
Many SY0-701 network questions live at Layer 2, where protocols such as ARP and DHCP accept whatever a host on the segment claims with no built-in verification. An attacker on the local segment can forge ARP replies, exhaust the DHCP pool, or flood the switch CAM table. Knowing the matching switch hardening control is exactly what the exam rewards.
| Local attack | Effect | Switch/control mitigation |
|---|---|---|
| MAC flooding | CAM table overflows; switch fails open and floods all ports | Port security, limit MACs per port |
| ARP poisoning | Redirects traffic by forging IP-to-MAC mappings | Dynamic ARP inspection (DAI) |
| DHCP starvation | Exhausts the address pool, denying clients | DHCP snooping, rate limiting |
| Rogue DHCP server | Hands clients a malicious gateway/DNS | DHCP snooping trusted ports |
| VLAN hopping (double-tag/switch-spoof) | Crosses VLAN boundaries | Disable DTP, set access ports, change native VLAN |
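The three switch controls in the table above work together: DHCP snooping only accepts server responses on trusted ports and records which client MAC got which address on which port, dynamic ARP inspection checks ARP replies against that binding table, and port security caps how many source MACs a port may present. The following added example (not from the original page, and not any vendor's implementation) models that interplay in a toy switch and runs the table's attacks through it; port names, MAC addresses and the per-port limit of 2 are constructed values.

```python
class Switch:
    """Toy access switch with port security, DHCP snooping and dynamic ARP inspection (DAI)."""

    def __init__(self, max_macs_per_port=2, trusted_ports=()):
        self.max_macs = max_macs_per_port
        self.trusted = set(trusted_ports)   # ports behind which a DHCP server may legitimately sit
        self.learned = {}                   # port -> set of source MACs seen (the CAM view of that port)
        self.bindings = {}                  # ip -> (mac, port), the DHCP snooping binding table
        self.err_disabled = set()
        self.events = []                    # (verdict, reason) per frame, for the reader and the tests

    def _log(self, verdict, reason):
        self.events.append((verdict, reason))
        return verdict == "forward"

    def _port_of(self, mac):
        return next((p for p, macs in self.learned.items() if mac in macs), None)

    def receive(self, port, frame):
        if port in self.err_disabled:
            return self._log("drop", "port %s err-disabled" % port)
        macs = self.learned.setdefault(port, set())
        macs.add(frame["src_mac"])
        if len(macs) > self.max_macs:                      # port security: too many MACs = flooding attempt
            self.err_disabled.add(port)
            return self._log("drop", "port-security violation on %s" % port)
        kind = frame.get("kind", "data")
        if kind == "dhcp_offer" and port not in self.trusted:   # DHCP snooping: rogue server
            return self._log("drop", "DHCP offer from untrusted port %s" % port)
        if kind == "dhcp_ack" and port in self.trusted:         # DHCP snooping: learn the binding
            self.bindings[frame["client_ip"]] = (frame["client_mac"], self._port_of(frame["client_mac"]))
        if kind == "arp_reply" and port not in self.trusted:    # DAI: reply must match the binding table
            bound = self.bindings.get(frame["sender_ip"])
            if bound != (frame["src_mac"], port):
                return self._log("drop", "DAI: %s not bound to %s on %s" % (frame["sender_ip"], frame["src_mac"], port))
        return self._log("forward", kind)


def run_scenario():
    """Constructed scenario: one legitimate host, one rogue host, and a MAC flood on a third port."""
    sw = Switch(max_macs_per_port=2, trusted_ports={"Gi0/24"})
    legit, rogue, gateway_ip = "00:11:22:33:44:01", "00:aa:aa:aa:aa:01", "10.0.0.1"
    sw.receive("Gi0/1", {"src_mac": legit, "kind": "dhcp_request"})
    sw.receive("Gi0/24", {"src_mac": "00:dd:dd:dd:dd:01", "kind": "dhcp_ack",
                          "client_mac": legit, "client_ip": "10.0.0.10"})
    sw.receive("Gi0/2", {"src_mac": rogue, "kind": "dhcp_offer"})                          # rogue DHCP server
    sw.receive("Gi0/2", {"src_mac": rogue, "kind": "arp_reply", "sender_ip": gateway_ip})  # gateway ARP poisoning
    sw.receive("Gi0/1", {"src_mac": legit, "kind": "arp_reply", "sender_ip": "10.0.0.10"}) # legitimate reply
    for i in range(5):                                                                       # MAC flooding
        sw.receive("Gi0/3", {"src_mac": "00:f1:00:00:00:%02x" % i, "kind": "data"})
    return sw.events


if __name__ == "__main__":
    for verdict, reason in run_scenario():
        print(verdict, reason)
```

Two details carry the security point: the binding table is only populated from ACKs seen on a trusted port, so a rogue server cannot seed it, and DAI is skipped on trusted ports only, so every access port's ARP traffic is checked. Once a port trips port security it stays err-disabled until an administrator clears it, which is why the last two flood frames are dropped without being inspected.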
DNS-based attacks also deserve precision: DNS poisoning corrupts a resolver's cache so a correct name returns a malicious IP, while domain hijacking and typosquatting trick the user before resolution even matters. DNSSEC signs records so a resolver can validate authenticity, and encrypted transports (DoH/DoT) protect the query in transit but do not by themselves prove record integrity.
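The name-resolution worked example earlier on this page and the paragraph above share one triage: decide whether the wrong address came from a tampered hosts file or from a poisoned resolver cache by comparing what the endpoint resolved against what a trusted, DNSSEC-validating resolver returns. The following added example (not from the original page) does that comparison over constructed inputs; the domain, the addresses (documentation ranges and an RFC 1918 address) and the hosts-file contents are all made up for the demonstration.

```python
import ipaddress

# Address ranges a public banking name should never resolve to from outside the LAN.
NON_PUBLIC_NETS = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_hosts_file(text):
    """Map every hostname in a hosts file to the addresses pinned for it; comments and blanks are ignored."""
    pinned = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        addr, *names = line.split()           # "<address> <name> [<alias> ...]"
        for name in names:
            pinned.setdefault(name.lower().rstrip("."), set()).add(addr)
    return pinned


def _is_non_public(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_PUBLIC_NETS)


def triage_resolution(domain, local_answers, trusted_answers, hosts_text):
    """Return the findings explaining why a correct name reached the wrong address; empty list = consistent."""
    domain = domain.lower().rstrip(".")
    local = {str(ipaddress.ip_address(a)) for a in local_answers}      # what the endpoint's resolver returned
    trusted = {str(ipaddress.ip_address(a)) for a in trusted_answers}  # what the validating resolver returned
    findings = []
    pinned = parse_hosts_file(hosts_text).get(domain, set())
    if pinned and not pinned <= trusted:
        findings.append("hosts-file tampering: %s pinned to %s" % (domain, sorted(pinned)))
    if local and not local <= trusted:
        findings.append("resolver answer diverges from trusted validating resolver: %s" % sorted(local - trusted))
    bogus = sorted(a for a in local | pinned if _is_non_public(a))
    if bogus:
        findings.append("public name resolves to private/loopback address: %s" % bogus)
    return findings


if __name__ == "__main__":
    hosts = "127.0.0.1 localhost\n10.13.37.5 www.examplebank.test  # constructed tampered entry\n"
    for f in triage_resolution("www.examplebank.test", ["203.0.113.10"], ["203.0.113.10"], hosts):
        print(f)
```

A hosts-file finding points at endpoint compromise (the malware step of the worked example), while a divergence with a clean hosts file points at the resolver path; flushing the cache fixes the latter only until the next poisoned answer, which is why the durable fix is DNSSEC validation at the resolver.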
Quick Drill
(1) Cafe users join "CorpWiFi" and type credentials into a captive portal - evil twin. (2) The default-gateway IP suddenly maps to a new MAC on the LAN - ARP poisoning. (3) A public API gets millions of valid-looking search requests per minute - application-layer DDoS. (4) Correct hostnames resolve to attacker addresses - DNS poisoning or resolver compromise. (5) The switch suddenly floods all frames to every port after a burst of unknown MACs - MAC flooding; enable port security.
Users in a coffee shop connect to a wireless network broadcasting the same SSID as their corporate Wi-Fi and enter credentials. What attack is this?
A web application is unreachable because its upstream internet circuit is fully saturated with traffic. Which mitigation is most appropriate?
Which controls help reduce LAN spoofing and address-redirection attacks? Select two.