Introduction
Understanding how common network attacks work at a conceptual level is essential for defenders: you can't detect or mitigate a threat you don't understand. This topic covers several widely seen categories of network attack — denial of service, man-in-the-middle, ARP spoofing, DNS spoofing, and port scanning — focusing on their mechanisms and, more importantly, how to recognize and defend against them.
Cricket analogy: A fielding captain who doesn't know what a reverse sweep or a doosra is can't set a field for it; similarly, defenders must know DoS, MITM, ARP/DNS spoofing and port scanning before they can set defensive fields against them.
Explanation
A Denial-of-Service (DoS) attack aims to make a service unavailable to legitimate users by overwhelming its resources; a Distributed Denial-of-Service (DDoS) attack does the same thing using many source machines at once, making it harder to block by simply filtering one source. A classic example is a SYN flood, where an attacker sends many TCP SYN packets without completing the three-way handshake, exhausting the server's table of half-open connections until it can no longer accept legitimate connections. Defenses include SYN cookies (which avoid allocating state until the handshake completes), rate limiting, and upstream traffic scrubbing/DDoS mitigation services. A Man-in-the-Middle (MITM) attack occurs when an attacker positions themselves between two communicating parties and can read or alter traffic without either party's knowledge, often by exploiting weaknesses at the network or transport layer rather than breaking encryption directly. Defenses include using strong, certificate-validated TLS end-to-end and being alert to certificate warnings. ARP spoofing (or ARP poisoning) works on a local network segment: the attacker sends forged ARP replies claiming their own MAC address corresponds to another device's IP address (often the default gateway), so victim devices update their ARP cache to send traffic intended for that IP to the attacker instead, enabling eavesdropping or a MITM position. Defenses include static ARP entries for critical hosts, dynamic ARP inspection on switches, and monitoring for duplicate/unexpected ARP replies. DNS spoofing (DNS cache poisoning) involves an attacker returning forged DNS responses that map a legitimate domain name to an attacker-controlled IP address, redirecting victims to malicious servers; defenses include DNSSEC (which cryptographically signs DNS responses), using trusted resolvers, and validating certificates on the destination (since a spoofed IP typically can't present a valid TLS certificate for the real domain). Port scanning is a reconnaissance technique where an attacker probes a range of ports on a target to discover which services are open and potentially vulnerable — it is not itself a breach, but frequently a precursor to one; defenses include closing unused ports, using firewalls to restrict access, and intrusion detection systems that flag scanning patterns.
Cricket analogy: A SYN flood is like a bowler faking run-ups without ever bowling, leaving the umpire's ball-tally table stuck on half-deliveries until it can't process real overs. ARP spoofing is like a substitute fielder impersonating the wicketkeeper's calls, tricking the team into throwing to the wrong man.
Example
# Conceptual illustration: legitimate vs. poisoned ARP cache entries
arp_cache_normal = {
"192.168.1.1": "AA:BB:CC:00:00:01", # real gateway MAC
}
arp_cache_after_spoofing = {
"192.168.1.1": "DE:AD:BE:EF:00:99", # attacker's MAC, impersonating the gateway
}
def detect_arp_anomaly(seen_mappings, ip, new_mac):
known_mac = seen_mappings.get(ip)
if known_mac and known_mac != new_mac:
print(f"WARNING: ARP mapping for {ip} changed from {known_mac} to {new_mac}")
seen_mappings[ip] = new_mac
seen = {"192.168.1.1": "AA:BB:CC:00:00:01"}
detect_arp_anomaly(seen, "192.168.1.1", "DE:AD:BE:EF:00:99")Analysis
A pattern across these attacks is that they exploit a gap between trust and verification: ARP has no built-in authentication of replies, DNS (without DNSSEC) has no cryptographic guarantee that a response is genuine, and TCP's connection setup allocates server resources before verifying the client is genuine. Effective defenses generally add a missing verification step — cryptographic signing (DNSSEC, TLS certificates), state-minimizing techniques (SYN cookies), or anomaly detection (watching for ARP mapping changes or scanning patterns) — rather than trying to block 'bad' traffic outright, since attack traffic is often structurally identical to legitimate traffic until this verification step is added.
Cricket analogy: Just as a scorer should verify a boundary with the third umpire's replay rather than trust the fielder's word, these defenses add a missing verification step, like DNSSEC or SYN cookies, instead of just banning suspicious-looking deliveries outright.
Key Takeaways
- A SYN flood (a form of DoS/DDoS) exhausts a server's half-open connection state; SYN cookies and rate limiting mitigate it.
- ARP spoofing poisons a local ARP cache to redirect traffic, enabling MITM; static ARP entries and dynamic ARP inspection help defend against it.
- DNS spoofing returns forged DNS responses to redirect victims to malicious servers; DNSSEC and certificate validation are key defenses.
- Port scanning is reconnaissance to find open/vulnerable services, typically preceding an attack rather than being one itself.
Practice what you learned
1. What does a SYN flood attack primarily exhaust on the target server?
2. How does ARP spoofing typically redirect a victim's traffic?
3. Which defense cryptographically signs DNS responses to prevent DNS spoofing?
4. What is the primary purpose of port scanning in the context of an attack?
Was this page helpful?
You May Also Like
Network Security Basics
Learn the core principles that keep networks safe: confidentiality, integrity, availability, and the controls that enforce them.
Firewalls Basics
Understand how packet-filtering, stateful, and application-layer firewalls inspect traffic differently to enforce security policy.
DNS: The Domain Name System
How DNS translates human-friendly domain names into IP addresses through a distributed hierarchy of resolvers and servers.