Network Attacks
Availability attacks: DoS and DDoS
A web service that handles a thousand customers fine but falls over when one attacker sends a million half-open connections is the textbook denial-of-service. A denial-of-service (DoS) attack aims at the third leg of the CIA triad, availability, by exhausting a resource so legitimate users cannot get through. A distributed denial-of-service (DDoS) spreads the same assault across many compromised hosts (a botnet) so that blocking one source address does nothing. RFC 4732[1] frames the problem as attackers consuming a victim's scarce resources, and NIST[2] defines DoS as preventing authorized access to resources or delaying time-critical operations. Read the next pages to tell which resource an attack drains and to reach for the defense that sits at that layer rather than the wrong one.
The three flood families
Most Network+ DoS scenarios fall into one of three shapes, and the answer hinges on which resource is being drained.
- Volumetric: raw traffic saturates the link's bandwidth (a UDP flood, an ICMP flood). The pipe fills before the server is even reached.
- Reflection: the attacker spoofs the victim's source IP and sends queries to third-party servers, which dutifully send their replies to the victim. The victim is buried under responses to requests it never made.
- Amplification: a reflection variant that picks protocols where a tiny request yields a large reply, so the attacker's bandwidth is multiplied. DNS and NTP are classic amplifiers because a small query returns a much larger answer.
A SYN flood is the connection-table classic: the attacker opens TCP handshakes but never completes them, so the server's half-open connection table fills and refuses new sessions.
Why the defense lives upstream
The instinct to "block it at the firewall" fails for a volumetric DDoS, because the firewall (or the internet link itself) is the very thing being saturated. Effective mitigation sits closer to the source: rate limiting and access control lists to drop obvious junk, anti-spoofing filtering at the network edge so reflection traffic cannot be launched, and a cloud-based scrubbing service that absorbs and cleans traffic before it reaches your link. The exam tell is scale: a single rule on a single box is the wrong answer for a distributed attack.
Layer 2 attacks on the switch fabric
Ethernet trusts whoever is plugged in, and that trust is exactly what these attacks abuse. They live at Layer 2, below routing and below most firewalls, so the controls are switch features, not perimeter devices. The unifying idea: each attack forges or floods one of the switch's own learning mechanisms, and each control re-imposes the trust the protocol never had.
MAC flooding
A switch learns which MAC address lives on which port and stores those mappings in its content-addressable memory (CAM) table. MAC flooding sends a storm of frames with bogus source MACs until the CAM table fills. A full table makes the switch "fail open": with nowhere to record new mappings it floods frames out every port like a hub, so the attacker now sees traffic meant for others. The control is port security, which caps how many MAC addresses a port may learn and shuts down or restricts the port when the limit is exceeded.
ARP poisoning (ARP spoofing)
ARP (RFC 826)[3] maps an IP address to a MAC address, and it has no authentication: a host believes any ARP reply it hears. In ARP poisoning the attacker sends forged replies claiming the gateway's IP belongs to the attacker's MAC, so victims send their traffic to the attacker first. That makes ARP poisoning a Layer 2 on-path (man-in-the-middle) attack, where the attacker can read or alter traffic in both directions (NIST[4]). The control is Dynamic ARP Inspection (DAI), which checks every ARP packet on untrusted ports against the trusted IP-to-MAC database and drops the forgeries. DAI builds that database from DHCP snooping, so the two are deployed together (Cisco[5]).
VLAN hopping
VLANs isolate broadcast domains, and VLAN hopping defeats that isolation to reach a VLAN a port should never touch. It comes in two forms. Switch spoofing: the attacker's port negotiates a trunk (via the Dynamic Trunking Protocol, DTP), and a trunk carries every VLAN, so the attacker now sees them all. Double-tagging: the attacker stamps a frame with two 802.1Q[6] tags; the first switch strips the outer tag (which matches the native VLAN) and forwards the still-tagged frame onto a trunk, where a second switch acts on the inner tag and delivers it into the target VLAN. Double-tagging works only because the attacker's access VLAN equals the trunk's native VLAN. The controls follow directly: disable DTP so ports never auto-trunk, set access ports to access mode explicitly, and move the native VLAN to an unused VLAN that no access port uses.
Service spoofing, rogue devices, and on-path attacks
Where Layer 2 attacks forge addresses, this family forges whole services and identities: a poisoned DNS answer, a rogue server that answers first, or a fake AP that clients trust. They all end the same way, with the attacker controlling traffic the victim believes is legitimate.
DNS poisoning (DNS spoofing)
A DNS resolver caches answers so it can reply quickly, and DNS cache poisoning injects a forged record into that cache so the resolver hands clients a malicious IP for a real hostname. Every client using that resolver is then steered to the attacker until the bad record expires. The control is DNSSEC, which digitally signs DNS records so a validating resolver can verify origin authenticity and integrity and reject forged answers (RFC 9364[7]). Note the scope: DNSSEC authenticates the data but does not encrypt it, so confidentiality of queries is a separate concern handled by DNS over TLS (RFC 7858[8]).
Rogue DHCP
A DHCP client picks from the DHCPOFFER messages it receives, and in practice it takes the first (fastest) offer to reach it (RFC 2131[9]), so a rogue DHCP server that answers faster than the real one can hand victims a malicious default gateway or DNS server, putting the attacker on-path. The control is DHCP snooping, a switch feature that marks only the port leading to the legitimate DHCP server as trusted and drops server-type DHCP messages (offers and acks) arriving on untrusted access ports.
Rogue AP and evil twin
A rogue access point is any unsanctioned AP attached to the network, whether a careless employee's gear or an attacker's. An evil twin is the wireless on-path attack proper: the attacker stands up an AP broadcasting a legitimate SSID, often with a stronger signal, so clients associate to it and route their traffic through the attacker. Detection and prevention use a wireless intrusion prevention system (WIPS) to spot unauthorized radios, plus 802.1X so only authenticated devices and users get onto the real network. MAC filtering is no defense, because an evil twin can spoof an approved MAC.
On-path (man-in-the-middle), the common thread
ARP poisoning, rogue DHCP, and evil twins are all routes to the same position: the on-path (man-in-the-middle) attacker sits between two parties and relays traffic while reading or altering it (NIST[4]). The control that survives all of them is end-to-end protection: mutual authentication and strong encryption (TLS, IPsec) mean that even traffic routed through an attacker cannot be read or silently changed.
Social engineering: attacking the human
The cheapest way past a firewall is to convince someone to open the door. Social engineering is deception that gets a person to reveal information or grant access by abusing trust (NIST[10]). No network control stops it, because it never touches the network on the way in; the defenses are people and process. The Network+ techniques are distinguished by how the trust is abused.
The techniques
- Phishing: fraudulent email (or a cloned web page) that lures the victim into clicking a link, opening an attachment, or entering credentials. NIST calls phishing "a digital form of social engineering" (NIST[11]). Variants narrow the aim or change the channel: spear phishing targets a named individual, vishing uses voice calls, smishing uses SMS.
- Dumpster diving: recovering sensitive information from discarded paper, drives, or hardware. The control is a clean-desk policy plus shredding and secure media disposal.
- Shoulder surfing: reading a password, PIN, or screen by looking over someone's shoulder or via a camera. The control is privacy screens, positioning, and PIN-entry shielding.
- Tailgating (piggybacking): following an authorized person through a secured door without badging in. The control is a mantrap (access-control vestibule), security guards, and a culture where holding the door for a stranger is not the polite default.
Exam framing
Note how each defense lives outside the network stack: awareness training, verification procedures, and physical controls. When a stem describes a person being tricked into giving up access, the answer is a human or physical control, not a firewall, IPS, or ACL. A useful contrast: spoofing forges an address or identity a machine trusts; social engineering forges a story a person trusts.
Exam-pattern recognition
Attack questions reward one move: read the stem, place the attack on the stack, and pick the control at that layer. The distractors are almost always controls for a different layer, so the wrong answers are plausible only if you misplace the attack.
Attack-to-control picker
- "Service unreachable, traffic from thousands of sources" -> DDoS; mitigate with upstream scrubbing / rate limiting, not an on-box firewall rule.
- "Small DNS/NTP queries produce a flood of large replies at the victim" -> amplification; the spoofed source IP is the tell.
- "Switch starts flooding all traffic out every port" -> MAC flooding filling the CAM table; answer port security.
- "Hosts see the wrong MAC for the gateway / duplicate-IP alarms" -> ARP poisoning (on-path); answer Dynamic ARP Inspection (which needs DHCP snooping).
- "Access-port host reaches another VLAN" -> VLAN hopping; answer disable DTP, change the native VLAN, force access mode.
- "Clients resolve a real site to a malicious IP" -> DNS poisoning; answer DNSSEC.
- "Clients get a malicious default gateway from an unexpected server" -> rogue DHCP; answer DHCP snooping.
- "Duplicate SSID with a strong signal captures clients" -> evil twin; answer WIPS + 802.1X (MAC filtering is the trap).
- "Employee tricked into revealing a password by phone" -> social engineering (vishing); answer security awareness training.
The sharpest distractor traps
- A stateful firewall offered against a volumetric DDoS: it is the bottleneck, not the cure.
- DAI without DHCP snooping: DAI has no binding table to validate against, so snooping must be enabled too.
- MAC filtering offered against an evil twin: a spoofed MAC walks right past it.
- TLS/VPN offered against phishing or tailgating: encryption protects packets, not people.
Attack, the layer it hits, and its primary control
| Attack | Layer / target | How it works | Primary control |
|---|---|---|---|
| DoS / DDoS | L3-L4 availability | Floods bandwidth or connection table, often via reflection/amplification | Rate limiting, ACLs, upstream scrubbing |
| MAC flooding | L2 switch | Overflows the CAM table so the switch floods all frames | Port security (limit MACs per port) |
| ARP poisoning / spoofing | L2 on-path | Forges ARP replies to redirect traffic through the attacker | Dynamic ARP Inspection + DHCP snooping |
| VLAN hopping | L2 trunking | Double-tagging or switch-spoofing to reach another VLAN | Disable DTP, change native VLAN, no trunk on access ports |
| DNS poisoning / spoofing | App service | Injects forged records into a resolver cache | DNSSEC validation |
| Rogue DHCP | App service | Answers DHCP first with a malicious gateway/DNS | DHCP snooping (trust only the real server port) |
| Rogue AP / evil twin | Wireless | Unsanctioned or cloned SSID lures clients to associate | WIPS detection, 802.1X authentication |
| Social engineering | Human | Phishing, tailgating, shoulder surfing, dumpster diving | Awareness training, verification, physical controls |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- Match an attack to the control at the layer it abuses
Network+ attack items reduce to one move: name the attack, place it on the OSI stack, and the control usually sits at that same layer. A SYN flood is an L3/L4 availability attack answered upstream, ARP poisoning is an L2 on-path attack answered by Dynamic ARP Inspection, and DNS spoofing is a service attack answered by DNSSEC. The distractors are typically real controls for the wrong layer, so the only way to pick wrong is to misplace the attack.
- DoS and DDoS attack availability, the A of the CIA triad
A denial-of-service exhausts bandwidth, a connection table, or CPU so legitimate users are turned away, attacking availability rather than confidentiality or integrity. A distributed denial-of-service launches the same assault from a botnet of many sources, which is what makes blocking one source IP useless. Recognize it by symptom: the service is reachable for normal load but collapses under flood, with no data theft involved.
Trap Labeling a DDoS as an integrity or confidentiality attack; it degrades availability, and no data is read or altered.
- Mitigate DDoS upstream, because the firewall is the bottleneck
A volumetric DDoS saturates the link itself, so a stateful firewall or single ACL on the edge box is the very thing being overwhelmed and cannot help. The working controls live closer to the source: rate limiting, anti-spoofing filters at the network edge, and a cloud-based scrubbing service that absorbs and cleans traffic before it reaches your link. The exam tell is scale, a distributed attack is never solved by one rule on one device.
Trap Choosing a stateful firewall to stop a volumetric DDoS; it becomes the chokepoint the flood saturates rather than the cure.
- Reflection spoofs the victim's IP; amplification multiplies the reply
In a reflection attack the attacker sends queries to third-party servers with the victim's IP spoofed as the source, so every reply lands on the victim. Amplification is the reflection variant that picks protocols where a small request draws a large response, multiplying the attacker's bandwidth; DNS and NTP are classic amplifiers. The tell that separates these from a plain flood is the spoofed source address and the small-query, large-reply ratio.
Trap Calling reflected/amplified traffic a direct flood from the reflectors; the reflectors are unwitting relays, the spoofed victim IP is what aims the replies.
- A SYN flood drains the half-open connection table
A SYN flood opens many TCP handshakes by sending SYNs but never completing them with the final ACK, so the server's table of half-open connections fills and it refuses new sessions. It targets connection-state capacity rather than raw bandwidth, which is why a low-bandwidth attacker can still take a server offline. Defenses include SYN cookies and connection rate limiting that avoid pinning state until the handshake completes.
- MAC flooding overflows the CAM table so the switch fails open
A switch records which MAC lives on which port in its content-addressable memory (CAM) table; MAC flooding sends a storm of frames with bogus source MACs until that table is full. With nowhere to learn new mappings the switch fails open and floods frames out every port like a hub, letting the attacker see traffic meant for others. The control is port security, which limits how many MAC addresses a port may learn and shuts down or restricts the port past that cap.
Trap Reaching for DHCP snooping or DAI against MAC flooding; those defend ARP/DHCP, whereas a flooded CAM table is answered by port security.
3 questions test this
- After successfully performing a MAC flooding attack against a network switch, which of the following explains why the attacker can capture…
- After a MAC flooding attack successfully fills a switch's CAM table, which of the following best describes the resulting impact on network…
- A network administrator notices that a Layer 2 switch has started forwarding unicast frames to all ports instead of only the intended…
- ARP poisoning is a Layer 2 on-path attack, because ARP has no authentication
ARP maps an IP to a MAC and a host believes any reply it hears, so an attacker can send forged replies claiming the gateway's IP belongs to the attacker's MAC. Victims then send their traffic to the attacker first, which puts the attacker on-path (man-in-the-middle) to read or alter traffic in both directions. Symptoms include the wrong MAC for the gateway and duplicate-IP alarms.
4 questions test this
- A security analyst discovers that multiple hosts on a LAN segment have ARP table entries mapping the default gateway's IP address to an…
- An attacker on a local network sends unsolicited ARP replies that map the default gateway's IP address to the attacker's own MAC address.…
- An attacker on the local network uses ARP spoofing to intercept and read sensitive payroll data being transmitted between a workstation and…
- A security team discovers that an attacker on the local network is intercepting all traffic between users and the default gateway. The ARP…
- Dynamic ARP Inspection needs DHCP snooping to have a binding table
Dynamic ARP Inspection (DAI) stops ARP poisoning by checking every ARP packet on untrusted ports against a trusted IP-to-MAC binding table and dropping forgeries. DAI builds that table from DHCP snooping, so enabling DAI without DHCP snooping leaves it nothing to validate against. The two switch features are deployed together, which is itself a common exam point.
Trap Assuming DAI works standalone; with no DHCP snooping binding table there is no trusted database for DAI to check ARP packets against.
- VLAN double-tagging works only when the access VLAN equals the native VLAN
In a double-tagging VLAN hop the attacker stamps a frame with two 802.1Q tags; the first switch strips the outer tag because it matches the native VLAN and forwards the still-inner-tagged frame onto a trunk, where a second switch delivers it into the target VLAN. The attack is one-way and only succeeds because the attacker's access VLAN is the same as the trunk's native VLAN. The fix is to set the native VLAN to an unused VLAN that no access port belongs to.
Trap Believing double-tagging gives two-way access into the target VLAN; the inner-tagged frame reaches the victim but return traffic has no path back.
- Switch spoofing hops VLANs by negotiating a trunk via DTP
In switch spoofing the attacker's port negotiates a trunk link using the Dynamic Trunking Protocol (DTP), and because a trunk carries every VLAN the attacker then sees them all. The control is to disable DTP and explicitly configure access ports as access mode so they never auto-trunk. Hardening trunking this way, together with moving the native VLAN, closes both VLAN-hopping variants.
Trap Leaving ports on dynamic/auto trunking; an attacker negotiates a trunk via DTP and reaches every VLAN, so disabling DTP is the fix.
3 questions test this
- A network technician discovers that an unauthorized workstation has formed an 802.1Q trunk link with an access layer switch by exploiting…
- A network engineer wants to prevent VLAN hopping attacks caused by switch spoofing on user-facing ports. Which of the following is the most…
- A network administrator wants to prevent attackers from negotiating unauthorized trunk links on access switch ports. Which of the following…
- DNS cache poisoning is fixed by DNSSEC validation
DNS cache poisoning injects a forged record into a resolver's cache so it hands clients a malicious IP for a real hostname, steering every client of that resolver until the bad record expires. DNSSEC defends against it by digitally signing DNS records so a validating resolver can verify origin authenticity and integrity and reject forged answers. Note the scope: DNSSEC authenticates the data, it does not encrypt it, so query confidentiality is a separate problem.
Trap Assuming DNSSEC encrypts DNS traffic for privacy; it provides origin authentication and integrity only, while confidentiality needs DNS over TLS.
- A rogue DHCP server wins by answering first, so use DHCP snooping
DHCP clients accept the first lease offer they receive, so a rogue DHCP server that answers faster than the real one can hand victims a malicious default gateway or DNS server and become on-path. DHCP snooping is the switch control: it marks only the port toward the legitimate DHCP server as trusted and drops server-type DHCP messages (offers and acks) arriving on untrusted access ports. That same snooping binding table is what Dynamic ARP Inspection later relies on.
- An evil twin clones a legitimate SSID to capture clients
A rogue access point is any unsanctioned AP on the network; an evil twin is the specific wireless on-path attack where the attacker broadcasts a legitimate SSID, often at a stronger signal, so clients associate to it and route traffic through the attacker. Detection and prevention use a wireless intrusion prevention system (WIPS) to spot unauthorized radios plus 802.1X so only authenticated devices and users reach the real network. The defense targets authentication and detection, not the airwaves themselves.
Trap Choosing MAC filtering to stop an evil twin; the attacker spoofs an approved MAC, so only mutual authentication (802.1X/WPA3-Enterprise) and WIPS actually defend.
- ARP poisoning, rogue DHCP, and evil twins all lead to one on-path position
On-path (man-in-the-middle) is the position, not a single technique: the attacker sits between two parties and relays traffic while reading or altering it. ARP poisoning, a rogue DHCP gateway, and an evil twin are three different routes to that same position. The control that survives all of them is end-to-end encryption with mutual authentication (TLS, IPsec), because traffic routed through an attacker still cannot be read or silently changed.
- Social engineering attacks the person, so no network device stops it
Social engineering is deception that gets a person to reveal information or grant access by abusing trust, and it never touches the network on the way in, so firewalls, IPS, and ACLs do nothing against it. The defenses are people and process: security awareness training, verification procedures, and physical controls. When a stem describes a human being tricked into giving up access, the answer is a human or physical control.
Trap Offering TLS, a VPN, or a firewall against phishing or tailgating; those protect packets and ports, not the person the attacker is manipulating.
- Phishing is the email channel; spear/vishing/smishing change aim or medium
Phishing is fraudulent email, or a cloned web page, that lures a victim into clicking a link, opening an attachment, or entering credentials; NIST calls it a digital form of social engineering. Variants are distinguished by aim and channel: spear phishing targets a named individual, vishing uses voice calls, and smishing uses SMS. Match the stem on channel and targeting rather than treating them as interchangeable.
Trap Labeling a targeted phone-call scam as phishing; voice phishing is vishing, and a scam aimed at one named person is spear phishing.
- Dumpster diving, shoulder surfing, and tailgating each have a physical fix
These social-engineering techniques bypass technical controls physically: dumpster diving recovers sensitive data from discarded paper or hardware, shoulder surfing reads a screen or keypad over someone's shoulder, and tailgating (piggybacking) follows an authorized person through a secured door. Each fix is physical or procedural: shredding and secure disposal, privacy screens and shielded PIN entry, and a mantrap (access-control vestibule) with guards. The control never lives in the network stack.
Trap Treating tailgating as a network problem; following someone through a door is defeated by a mantrap and badge discipline, not by any switch or firewall setting.
- Spoofing forges what a machine trusts; social engineering forges what a person trusts
Spoofing fakes an address or identity a system relies on, such as a forged source IP, ARP reply, or SSID, so a machine is fooled. Social engineering fakes a story a person relies on, such as a convincing email or a confident stranger at the door. Use this split to choose the control family: spoofing is countered with technical validation (DAI, DNSSEC, 802.1X), social engineering with training and physical procedure.
Also tested in
References
- RFC 4732: Internet Denial-of-Service Considerations Whitepaper
- NIST CSRC Glossary: denial of service (DoS) Whitepaper
- RFC 826: An Ethernet Address Resolution Protocol (ARP) Whitepaper
- NIST CSRC Glossary: man-in-the-middle attack Whitepaper
- Cisco Catalyst 9300 Security Configuration Guide: Configuring Dynamic ARP Inspection
- IEEE 802.1Q: Bridges and Bridged Networks (VLAN tagging) Whitepaper
- RFC 9364: DNS Security Extensions (DNSSEC) Whitepaper
- RFC 7858: Specification for DNS over Transport Layer Security (TLS) Whitepaper
- RFC 2131: Dynamic Host Configuration Protocol (DHCP) Whitepaper
- NIST CSRC Glossary: social engineering Whitepaper
- NIST CSRC Glossary: phishing Whitepaper