Network protocols were developed for cooperative environments and often lack authentication or integrity protections. Attackers exploit these assumptions to intercept, modify, or disrupt communication.
Link Layer Attacks (Layer 2)
Link-layer protocols operate entirely within the local network. Devices on the LAN are implicitly trusted, so an attacker with local access can exploit that trust.
CAM Overflow
Switches maintain a Content Addressable Memory (CAM) table that maps MAC addresses to specific switch ports. This allows the switch to forward unicast traffic privately rather than broadcasting it. CAM tables are finite.
In a CAM overflow attack, an attacker sends frames containing large numbers of fake MAC addresses. When the CAM table fills, legitimate entries age out and the switch begins flooding unknown-destination traffic out every port, exposing frames to anyone on the LAN.
Prevention
Managed switches support multiple defenses:
- Port security to limit MAC addresses per port
- Static or “sticky” MAC bindings
- Disable unused ports
- Monitoring for abnormal MAC learning rates
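To make the overflow and the port-security defense concrete, here is an added model of a switch (not code from the original notes) with a deliberately tiny CAM table and a per-port MAC limit. The capacity of 8 entries, the limit of 3 MACs per port and the MAC addresses are constructed values; real switches hold thousands of entries. Run it once with port security off and once with it on to see whether a unicast frame between two legitimate hosts stays private or gets flooded.

```python
from collections import OrderedDict

CAM_CAPACITY = 8          # constructed: real switches hold thousands of entries
PORT_SECURITY_MAX = 3     # constructed: max MAC addresses learned per access port


class Switch:
    """Toy switch: CAM table with age-out on overflow, optional port security."""

    def __init__(self, ports, port_security=True):
        self.cam = OrderedDict()           # mac -> port, oldest entry first
        self.ports = ports
        self.port_security = port_security
        self.learned_per_port = {p: set() for p in ports}
        self.err_disabled = set()          # ports shut down after a violation
        self.flooded = 0                   # frames flooded out every port

    def learn(self, src_mac, in_port):
        if in_port in self.err_disabled:
            return False
        if self.port_security:
            macs = self.learned_per_port[in_port]
            if src_mac not in macs and len(macs) >= PORT_SECURITY_MAX:
                # Violation: shut the port instead of letting it fill the CAM table.
                self.err_disabled.add(in_port)
                return False
            macs.add(src_mac)
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)
        else:
            if len(self.cam) >= CAM_CAPACITY:
                self.cam.popitem(last=False)   # a legitimate entry ages out
            self.cam[src_mac] = in_port
        return True

    def forward(self, src_mac, dst_mac, in_port):
        """Return the list of egress ports for a frame."""
        self.learn(src_mac, in_port)
        if in_port in self.err_disabled:
            return []
        out = self.cam.get(dst_mac)
        if out is None:
            # Unknown destination: flood to every port except the ingress one.
            self.flooded += 1
            return [p for p in self.ports if p != in_port]
        return [out]


def simulate(port_security):
    sw = Switch(ports=[1, 2, 3, 4], port_security=port_security)
    # Two legitimate hosts announce themselves (broadcast destination).
    sw.forward("aa:aa:aa:aa:aa:01", "ff:ff:ff:ff:ff:ff", 1)
    sw.forward("aa:aa:aa:aa:aa:02", "ff:ff:ff:ff:ff:ff", 2)
    # A host on port 3 sends frames from 50 fabricated source MACs (constructed).
    for i in range(50):
        sw.forward(f"de:ad:be:ef:00:{i:02x}", "ff:ff:ff:ff:ff:ff", 3)
    # Host 1 now sends a unicast frame to host 2: private delivery or flooded?
    out = sw.forward("aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", 1)
    return {"out_ports": out,
            "err_disabled": sorted(sw.err_disabled),
            "cam_size": len(sw.cam)}


if __name__ == "__main__":
    print("no port security:", simulate(port_security=False))   # flooded to [2, 3, 4]
    print("port security:   ", simulate(port_security=True))    # delivered to [2] only
```

Without port security the legitimate entries age out and the unicast frame is flooded to ports 2, 3 and 4, which is exactly the exposure the attack aims for; with port security the offending port is error-disabled after its fourth MAC and the CAM table never fills.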
ARP Spoofing
ARP (Address Resolution Protocol) maps IP addresses to MAC addresses but provides no authentication. Any host can send unsolicited ARP replies, and most operating systems accept these messages.
In ARP cache poisoning (also known as ARP spoofing), the attacker sends forged ARP replies claiming to be another device (often the gateway). Victims update their ARP cache and send traffic to the attacker, who can inspect or modify it.
Prevention:
- Switches with Dynamic ARP Inspection (DAI) verify ARP replies against known IP-MAC bindings (often learned through DHCP snooping)
- ARP monitoring tools
- Static ARP entries for critical devices.
VLAN Hopping
VLANs segment a switch into isolated broadcast domains. VLAN hopping allows an attacker to inject or receive frames on a VLAN they are not assigned to.
Two approaches are used to get content from other VLANs:
- Switch spoofing: The attacker pretends to be another switch and negotiates a trunk link, gaining access to multiple VLANs.
- Double tagging: The attacker sends frames with two VLAN tags. The first switch strips the outer tag, leaving the inner one to direct traffic into the target VLAN.
Prevention: Disable automatic trunk negotiation, manually configure trunk ports, tag the native VLAN, and place unused switch ports in isolated VLANs.
DHCP Attacks
DHCP (Dynamic Host Configuration Protocol) assigns IP addresses, default gateways, and DNS servers. Clients accept the first server reply.
Two common attacks:
- DHCP starvation: flooding the server with DHCP requests to exhaust the address pool. The goal is to deny service or prepare for a rogue server.
- Rogue DHCP server (also referred to as a DHCP spoofing attack): responding faster than the legitimate server. The goal is to give victims malicious DNS servers or a malicious default gateway, enabling full redirection or interception.
Prevention: Switches with DHCP snooping mark legitimate DHCP server ports as trusted and block DHCP responses on untrusted ports.
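The two switch features named in the ARP Spoofing and DHCP Attacks sections work together: DHCP snooping builds an IP-MAC-port binding table from server replies seen on trusted ports, and Dynamic ARP Inspection checks ARP replies on untrusted ports against that table. The following is an added illustration of that pipeline (not code from the original notes or any vendor); the port numbers, MAC and IP addresses are constructed, and the trusted port 24 is assumed to be the uplink toward the real DHCP server and gateway.

```python
class SnoopingSwitch:
    """Toy switch combining DHCP snooping with Dynamic ARP Inspection (DAI)."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # client_mac -> access port that sent the DHCP request
        self.bindings = {}   # ip -> (client_mac, port): the DHCP snooping binding table
        self.dropped = []    # (reason, port, ip) for every blocked message

    def on_dhcp_request(self, port, client_mac):
        # Remember which access port the client is on; the binding needs it later.
        self.pending[client_mac] = port

    def on_dhcp_ack(self, port, client_mac, ip):
        # Server replies (OFFER/ACK) are honoured only on trusted ports, so a
        # rogue server on an access port never reaches the client.
        if port not in self.trusted:
            self.dropped.append(("dhcp", port, ip))
            return False
        client_port = self.pending.get(client_mac)
        if client_port is None:
            self.dropped.append(("dhcp-unsolicited", port, ip))
            return False
        self.bindings[ip] = (client_mac, client_port)
        return True

    def on_arp_reply(self, port, sender_mac, sender_ip):
        # DAI: on an untrusted port the (IP, MAC, port) triple must match a binding.
        if port in self.trusted:
            return True
        if self.bindings.get(sender_ip) != (sender_mac, port):
            self.dropped.append(("arp", port, sender_ip))
            return False
        return True


def demo():
    sw = SnoopingSwitch(trusted_ports=[24])          # assumed uplink port
    sw.on_dhcp_request(1, "aa:aa:aa:aa:aa:01")
    # A rogue DHCP server on access port 5 answers first (constructed scenario).
    rogue = sw.on_dhcp_ack(5, "aa:aa:aa:aa:aa:01", "10.0.0.50")
    # The legitimate server answers through the trusted uplink.
    legit = sw.on_dhcp_ack(24, "aa:aa:aa:aa:aa:01", "10.0.0.50")
    # Host 1 replies to ARP for its own address: consistent with the binding.
    ok_arp = sw.on_arp_reply(1, "aa:aa:aa:aa:aa:01", "10.0.0.50")
    # A host on port 5 claims the gateway's address 10.0.0.1.
    spoof_gw = sw.on_arp_reply(5, "de:ad:be:ef:00:01", "10.0.0.1")
    # The same host claims host 1's address with its own MAC.
    spoof_host = sw.on_arp_reply(5, "de:ad:be:ef:00:01", "10.0.0.50")
    # The real gateway's reply arrives via the trusted uplink and passes.
    gw_arp = sw.on_arp_reply(24, "00:00:5e:00:01:01", "10.0.0.1")
    return {"rogue": rogue, "legit": legit, "ok_arp": ok_arp,
            "spoof_gw": spoof_gw, "spoof_host": spoof_host,
            "gw_arp": gw_arp, "dropped": sw.dropped}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note the order of operations: without the binding created by the legitimate ACK on the trusted port, DAI has nothing to compare against, which is why the notes describe the bindings as "often learned through DHCP snooping".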
Network Layer Attacks (Layer 3)
The network layer routes packets between networks. Routers exchange routing information under the assumption that peers are honest.
IP Spoofing
IP spoofing involves forging the source IP address in outgoing packets. Attackers do this to evade identification, bypass simple filters, or craft reflection attacks.
Prevention: ISPs and enterprises should implement egress filtering, enforcing valid source prefixes (this is known as BCP 38-style filtering, but you don't have to know this).
Router Vulnerabilities
Routers maintain routing tables to determine where to send packets. If an attacker compromises a router, they can drop, reroute, or replicate large volumes of traffic.
Common router attacks include:
- Denial of Service against router CPU or memory
- Route table poisoning, injecting false or misleading routes
- Malware installation on router firmware
- Brute-forcing credentials or abusing insecure management interfaces
- Exploiting outdated firmware vulnerabilities
Prevention: Restrict administrative access, keep firmware updated, enforce strong authentication, and filter inbound routing updates.
BGP Hijacking
Border Gateway Protocol (BGP) connects networks known as Autonomous Systems (ASes). An Autonomous System is a set of IP networks under a single administrative domain (e.g., an ISP or a large organization).
ASes advertise IP prefixes: contiguous ranges of IP addresses they can route. Routers select routes based on these advertisements.
Because BGP does not validate prefix ownership, an AS can announce someone else’s prefix. Since routers prefer more specific prefixes (e.g., a /25 over a /24), attackers can redirect traffic at Internet scale.
Prevention:
- RPKI (Resource Public Key Infrastructure) protects the origin of the route.
- A Regional Internet Registry signs a certificate saying “Organization X owns this IP block.” Organization X signs a Route Origin Authorization (ROA) saying “AS Y is allowed to announce this block.” Routers that validate RPKI can reject unauthorized announcements.
- BGPsec extends RPKI to validate the entire sequence of ASes in a route.
- Each AS signs the route before forwarding it. The goal is to ensure no AS is added, removed, or modified. However, for BGPsec to work, every AS on the path must support BGPsec. Using it means routers must continuously process all digital signatures at line speed, imposing a significant computational burden on routers.
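To show what an RPKI-validating router actually computes, here is an added example (not code from the original notes or from any router vendor) implementing route origin validation as described in RFC 6811 and then applying longest-prefix-match route selection with and without dropping invalid routes. The ROA, prefixes and AS numbers are constructed from documentation ranges; the ROA here authorises AS 64500 to originate 192.0.2.0/24 with a maximum length of 24.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str       # IP block the ROA covers, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the AS may announce within it
    asn: int          # authorised origin AS


def validate_origin(announced_prefix, origin_asn, roas):
    """RFC 6811 origin validation: 'valid', 'invalid', or 'not-found'."""
    net = ipaddress.ip_network(announced_prefix)
    covering = [r for r in roas
                if ipaddress.ip_network(r.prefix).version == net.version
                and net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "not-found"      # no ROA says anything about this prefix
    for r in covering:
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"            # covered by a ROA, but wrong AS or too specific


def best_route(destination_ip, announcements, roas, drop_invalid=True):
    """Longest-prefix match, optionally discarding RPKI-invalid announcements."""
    ip = ipaddress.ip_address(destination_ip)
    candidates = []
    for prefix, asn in announcements:
        if drop_invalid and validate_origin(prefix, asn, roas) == "invalid":
            continue
        net = ipaddress.ip_network(prefix)
        if ip in net:
            candidates.append((net.prefixlen, prefix, asn))
    if not candidates:
        return None
    candidates.sort(reverse=True)   # most specific prefix wins
    _, prefix, asn = candidates[0]
    return (prefix, asn)


# Constructed data: one ROA and two announcements, one of them a more-specific
# announcement of the same block from an unauthorised AS.
ROAS = [Roa("192.0.2.0/24", 24, 64500)]
ANNOUNCEMENTS = [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64666)]


if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(prefix, asn, validate_origin(prefix, asn, ROAS))
    print("without RPKI:", best_route("192.0.2.10", ANNOUNCEMENTS, ROAS, drop_invalid=False))
    print("with RPKI:   ", best_route("192.0.2.10", ANNOUNCEMENTS, ROAS))
```

Without validation the /25 wins on specificity and traffic for 192.0.2.10 follows the unauthorised announcement; with validation the /25 is invalid (wrong origin AS) and the legitimate /24 is selected. Note that a prefix with no covering ROA is "not-found", not "invalid", which is why partial RPKI deployment only protects blocks whose owners have published ROAs.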
Transport Layer Attacks (TCP and UDP)
Transport protocols move data between applications.
- TCP: reliable, connection-oriented, ordered delivery. Uses sequence numbers and acknowledgments.
- UDP: unreliable, connectionless, no handshake, no sequence numbers.
Both of these protocols assume that end hosts behave honestly. Attackers exploit predictability in sequence numbers or lack of authentication.
TCP Session Hijacking
Early TCP implementations used predictable Initial Sequence Numbers (ISNs). An attacker who guessed the next sequence number could inject malicious packets into an existing session without seeing the traffic.
Prevention:
- Random ISNs prevent guessing sequence numbers.
- TLS prevents meaningful injection even if packets are forged since all content is encrypted and has integrity checks.
- TCP MD5 signatures authenticate each segment (mainly for BGP) through a MAC.
SYN Flooding
TCP allocates resources after receiving a SYN packet. In a SYN flood, attackers send many SYNs without completing the handshake, exhausting the server’s connection backlog.
Prevention:
- SYN cookies: store connection information in the server’s sequence number using a hash of the connection parameters and a secret key. Memory is allocated only after the ACK arrives.
- Rate limiting and firewalls that track connections can help.
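The SYN cookie idea is easiest to see in code. The block below is an added example (not from the original notes, and a simplified layout rather than the exact encoding any operating system uses): the server's initial sequence number packs a 5-bit time counter, a 3-bit encoded MSS index and a 24-bit HMAC over the connection 4-tuple, and the listener allocates state only when a returning ACK carries a cookie that recomputes correctly. The secret key, addresses and port numbers are constructed.

```python
import hashlib
import hmac

SECRET = b"constructed-example-secret-rotate-me"   # assumption: per-server secret, rotated


def _mac(src, dst, sport, dport, ts, mss_idx):
    """24-bit HMAC over the 4-tuple, the time counter and the MSS index."""
    msg = f"{src}|{dst}|{sport}|{dport}|{ts}|{mss_idx}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src, dst, sport, dport, mss_idx, now):
    """Server ISN: 5-bit counter (64 s steps) | 3-bit MSS index | 24-bit MAC."""
    ts = (now // 64) & 0x1F
    return (ts << 27) | ((mss_idx & 0x7) << 24) | _mac(src, dst, sport, dport, ts, mss_idx)


def check_syn_cookie(ack_num, src, dst, sport, dport, now):
    """Validate a client's ACK (ack = cookie + 1); return the MSS index or None."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    ts = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    age = (((now // 64) & 0x1F) - ts) % 32
    if age > 4:                      # older than ~4 minutes (or a future counter)
        return None
    expected = _mac(src, dst, sport, dport, ts, mss_idx)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return mss_idx


class SynCookieListener:
    """Listener that keeps no per-SYN state; memory is allocated on a valid ACK."""

    def __init__(self):
        self.established = []

    def on_syn(self, src, dst, sport, dport, mss_idx, now):
        # Nothing is stored here; the cookie goes out as the SYN-ACK sequence number.
        return make_syn_cookie(src, dst, sport, dport, mss_idx, now)

    def on_ack(self, src, dst, sport, dport, ack_num, now):
        mss_idx = check_syn_cookie(ack_num, src, dst, sport, dport, now)
        if mss_idx is None:
            return False
        self.established.append((src, sport, mss_idx))
        return True


def demo():
    srv = SynCookieListener()
    now = 1_700_000_000
    # 10,000 SYNs from constructed sources that never complete the handshake.
    for i in range(10_000):
        srv.on_syn(f"203.0.113.{i % 256}", "198.51.100.10", 40000 + i, 443, 2, now)
    # A real client completes the handshake a few seconds later.
    isn = srv.on_syn("192.0.2.7", "198.51.100.10", 51515, 443, 3, now)
    good = srv.on_ack("192.0.2.7", "198.51.100.10", 51515, 443, (isn + 1) & 0xFFFFFFFF, now + 10)
    # A guessed ACK number fails the MAC; a replay ten minutes later fails the age check.
    forged = srv.on_ack("192.0.2.7", "198.51.100.10", 51515, 443, 12345, now + 10)
    stale = srv.on_ack("192.0.2.7", "198.51.100.10", 51515, 443, (isn + 1) & 0xFFFFFFFF, now + 600)
    return {"established": len(srv.established), "good": good,
            "forged": forged, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

The 10,000 incomplete handshakes leave no state behind at all, which is the whole point; the cost is that options not encoded in the cookie (the real MSS is reduced to a small index here) are lost, which is why production stacks only switch to cookies once the backlog is under pressure.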
TCP Reset Attacks
A forged RST packet with an acceptable sequence number forces an immediate connection teardown.
Prevention:
- Strict RST validation: accept only RSTs with sequence numbers extremely close to the expected value.
- TLS: hides sequence number state from attackers.
- TCP MD5: authenticates packets (used in BGP).
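The "strict RST validation" bullet corresponds to the check standardised in RFC 5961. As an added illustration (not code from the original notes or from any kernel), the receiver below accepts an RST only when its sequence number equals the next expected byte exactly; an in-window but inexact RST gets a challenge ACK instead, so a genuine peer can resend with the right number while a blind forger cannot. The sequence numbers and window size are constructed, and the `strict=False` mode models the older in-window behaviour for comparison.

```python
class TcpEndpoint:
    """Receiver-side RST handling, legacy (any in-window) vs RFC 5961 (exact match)."""

    MOD = 2 ** 32

    def __init__(self, rcv_nxt, rcv_wnd, strict=True):
        self.rcv_nxt = rcv_nxt      # next sequence number we expect from the peer
        self.rcv_wnd = rcv_wnd      # receive window size in bytes
        self.strict = strict
        self.state = "ESTABLISHED"
        self.challenge_acks = 0

    def in_window(self, seq):
        # Modular arithmetic handles sequence-number wrap-around.
        return (seq - self.rcv_nxt) % self.MOD < self.rcv_wnd

    def on_rst(self, seq):
        if not self.in_window(seq):
            return "dropped"
        if self.strict and seq != self.rcv_nxt:
            # RFC 5961: in-window but not exact -> send a challenge ACK and keep the
            # connection; a real peer answers with an RST carrying the exact number.
            self.challenge_acks += 1
            return "challenge-ack"
        self.state = "CLOSED"
        return "reset"


def demo():
    legacy = TcpEndpoint(rcv_nxt=1000, rcv_wnd=65535, strict=False)
    strict = TcpEndpoint(rcv_nxt=1000, rcv_wnd=65535, strict=True)
    wrapped = TcpEndpoint(rcv_nxt=2 ** 32 - 10, rcv_wnd=65535, strict=True)
    return {
        "legacy_in_window": legacy.on_rst(30000),     # accepted: connection torn down
        "strict_in_window": strict.on_rst(30000),     # challenge ACK, still established
        "strict_out_of_window": strict.on_rst(200000),
        "strict_exact": strict.on_rst(1000),          # genuine RST with exact number
        "wrap_in_window": wrapped.on_rst(5),          # 15 bytes past rcv_nxt after wrap
        "strict_state_after_challenge": TcpEndpoint(1000, 65535).on_rst(30000),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With a 64 KiB window the legacy rule gives a blind forger roughly a 1-in-65,536 chance per packet; the exact-match rule reduces that to 1 in 2^32 per packet, which is the difference between a feasible and an infeasible blind reset.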
UDP Spoofing
UDP provides no handshake or sequence numbers, so attackers can forge source addresses effortlessly. This enables impersonation and reflection attacks.
Prevention:
- Network filtering to block spoofed packets.
- Application-level authentication.
DNS Attacks
DNS Basics
DNS resolves domain names to IP addresses. It depends on caching, unauthenticated replies, and a chain of delegations among authoritative servers.
DNS Pharming
Pharming redirects users to malicious sites even when they enter the correct domain name. This is a permanent change to the user's DNS setting or to the DNS resolver. Techniques include:
- Social engineering (“change your DNS settings to fix your Internet”)
- Malware modifying DNS settings or the hosts file
- Rogue DHCP giving victims malicious DNS servers
- Compromising DNS servers directly
Prevention: Use endpoint defenses, enforce DHCP snooping, validate certificates, and deploy DNSSEC where possible.
DNS Cache Poisoning
Resolvers cache DNS responses. An attacker races the legitimate server by sending forged replies with guessed transaction IDs; if a forged response arrives before the real one and its transaction ID matches, the resolver caches it.
An enhanced attack (the Kaminsky attack, but you don't need to know the name) involves:
- Querying many nonexistent subdomains
- Forcing the resolver to perform repeated lookups
- Injecting forged responses containing malicious additional records
If accepted, the resolver caches the incorrect records, redirecting all users querying that resolver.
Prevention:
- Random query IDs
- Randomize source UDP port
- 0x20 encoding (case randomization in queries)
- Issuing double DNS queries and checking for consistency
- Using TCP instead of UDP when possible
- Deploying DNSSEC. DNSSEC provides cryptographic validation of DNS responses and is the most robust defense.
- Resolvers should ignore unsolicited additional records.
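Several of the defenses above are checks a resolver performs on each incoming reply. The added example below (not code from the original notes or from any real resolver) models a resolver that randomizes the transaction ID, the source port and the query-name case (0x20), accepts a reply only when all three match an outstanding query, and then applies a bailiwick rule so that additional records for names outside the zone being asked about are never cached. The domain names and addresses are constructed; `Reply` is a simplified stand-in for a parsed DNS message.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Query:
    txid: int
    src_port: int
    qname: str          # with 0x20 case randomisation applied


@dataclass
class Reply:
    txid: int
    dst_port: int
    qname: str          # question section echoed back by the responder
    answers: list       # (name, type, value)
    additional: list    # (name, type, value)


def randomize_case(name, rng=secrets):
    """0x20 encoding: flip the case of each letter at random."""
    return "".join(c.upper() if c.isalpha() and rng.randbelow(2) else c.lower()
                   for c in name)


def _in_bailiwick(name, zone):
    """True if name is at or below zone (the zone the queried server serves)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class Resolver:
    def __init__(self):
        self.cache = {}      # (name, type) -> value
        self.pending = {}    # (txid, src_port) -> Query

    def send_query(self, qname):
        q = Query(txid=secrets.randbelow(65536),
                  src_port=1024 + secrets.randbelow(64512),
                  qname=randomize_case(qname))
        self.pending[(q.txid, q.src_port)] = q
        return q

    def receive(self, reply, zone):
        q = self.pending.get((reply.txid, reply.dst_port))
        if q is None or reply.qname != q.qname:   # ID, port and exact case must match
            return "rejected"
        del self.pending[(reply.txid, reply.dst_port)]   # no replays
        for name, rtype, value in reply.answers + reply.additional:
            if _in_bailiwick(name, zone):             # drop out-of-zone "extras"
                self.cache[(name.lower(), rtype)] = value
        return "accepted"


def demo():
    r = Resolver()
    q = r.send_query("www.example.com")
    answer = [("www.example.com", "A", "192.0.2.10")]
    # Forged reply: right port, wrong transaction ID (constructed).
    wrong_id = Reply((q.txid + 1) % 65536, q.src_port, q.qname,
                     [("www.example.com", "A", "203.0.113.66")], [])
    # Forged reply: right ID and port, but the 0x20 case pattern does not match.
    wrong_case = Reply(q.txid, q.src_port, q.qname.swapcase(),
                       [("www.example.com", "A", "203.0.113.66")], [])
    # Legitimate reply that carries an out-of-bailiwick additional record.
    legit = Reply(q.txid, q.src_port, q.qname, answer,
                  [("ns1.example.com", "A", "192.0.2.53"),
                   ("www.bank.example", "A", "203.0.113.66")])
    return {
        "wrong_id": r.receive(wrong_id, "example.com"),
        "wrong_case": r.receive(wrong_case, "example.com"),
        "legit": r.receive(legit, "example.com"),
        "replay": r.receive(legit, "example.com"),
        "cache": dict(r.cache),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The bailiwick check is what blunts the additional-record trick in the Kaminsky-style attack: even a reply that wins the race can only install records for names inside the zone it was asked about. Entropy from the 16-bit ID, the source port and the case bits is what makes winning the race expensive in the first place.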
DNSSEC
DNSSEC adds digital signatures to DNS records. Clients validate them using a chain of trust anchored at the root. DNSSEC prevents record tampering and cache poisoning but does not encrypt traffic. However, it's more CPU-intensive and creates longer responses.
DNS Rebinding
DNS rebinding tricks browsers into interacting with internal network services through an attacker-controlled domain.
Steps:
- The victim visits an attacker-controlled site.
- The site returns a DNS record with very short TTL (e.g., TTL = 1) to force repeated DNS requests.
- JavaScript loads in the browser.
- The next DNS lookup returns a private IP address.
- The browser allows the request because the origin (scheme + host + port) is unchanged.
- JavaScript can now interact with internal devices or APIs.
Prevention:
- Enforce minimum TTL values to ignore extremely short TTLs
- DNS pinning, refusing to switch IP addresses during a page session
- Reject DNS responses containing private or reserved IP addresses
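The three rebinding defenses above can be shown side by side. This is an added example (not code from the original notes, a browser or a resolver product): a resolver-side filter that clamps TTLs to a floor and refuses to return internal addresses for any name, plus a browser-side pin that keeps using the first address resolved for a host during a page session. The hostname, addresses and the 60-second TTL floor are constructed; the blocked-network list covers RFC 1918, loopback, link-local, CGNAT and the IPv6 equivalents, and also unwraps IPv4-mapped IPv6 addresses, a common way to slip past a naive filter.

```python
import ipaddress

MIN_TTL = 60   # assumption: floor applied to every cached answer, in seconds

# Address ranges that a public hostname should never resolve to.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_internal(addr):
    """True if addr is an internal/reserved address, including ::ffff:a.b.c.d forms."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # check the embedded IPv4 address instead
    return any(ip in net for net in BLOCKED_NETWORKS)


class RebindingSafeResolver:
    """Resolver-side defenses: reject internal answers and enforce a TTL floor."""

    def __init__(self, min_ttl=MIN_TTL):
        self.min_ttl = min_ttl
        self.cache = {}   # name -> (ip, expires_at)

    def accept(self, name, ip, ttl, now):
        if is_internal(ip):
            return None                       # public name pointing into the LAN
        self.cache[name] = (ip, now + max(ttl, self.min_ttl))
        return ip

    def lookup(self, name, now):
        entry = self.cache.get(name)
        if entry and entry[1] > now:
            return entry[0]
        return None


class PinnedBrowserSession:
    """Browser-side DNS pinning: the first address for a host is kept for the session."""

    def __init__(self):
        self.pins = {}

    def connect(self, host, resolved_ip):
        return self.pins.setdefault(host, resolved_ip)


def demo():
    r = RebindingSafeResolver()
    s = PinnedBrowserSession()
    # t=0: the constructed host resolves to its public server with TTL 1.
    first = r.accept("attacker.example", "203.0.113.5", ttl=1, now=0)
    s.connect("attacker.example", first)
    # t=2: the page triggers another request; the 1 s TTL was clamped, so the
    # cached answer is still served and no new lookup happens.
    cached = r.lookup("attacker.example", now=2)
    # The second answer points at a LAN address and is rejected outright.
    rebind = r.accept("attacker.example", "192.168.1.1", ttl=1, now=2)
    # Even if a resolver let it through, the browser keeps the pinned address.
    pinned = s.connect("attacker.example", "192.168.1.1")
    return {"first": first, "cached": cached, "rebind": rebind, "pinned": pinned}


if __name__ == "__main__":
    print(demo())
```

Each layer stops the attack on its own, which is why the notes list all three: the TTL floor removes the trigger for the second lookup, the address filter removes the rebind target, and pinning removes the browser's willingness to follow it.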
Abandoned Domains (Sitting Ducks)
Some domains have broken DNS delegation (name servers that no longer exist).
If a DNS provider does not verify ownership, an attacker can “claim” such a domain and set new DNS records. Attackers can then serve malware or impersonate services.
Distributed Denial of Service (DDoS)
DDoS attacks overwhelm systems using massive amounts of traffic or by triggering expensive server operations.
Types of DDoS Attacks
- Volumetric attacks: The goal is to saturate the victim’s bandwidth with massive traffic (measured in bits per second). Examples include UDP floods and large packet floods.
- Packet-per-second attacks: Send enormous numbers of small packets to overload routers or firewalls. This attack targets forwarding performance, not bandwidth.
- Request-per-second (application-layer) attacks: Flood application servers with HTTP or API requests, exhausting CPU or memory. Examples include HTTP floods or expensive API calls.
Asymmetric Attacks
Attackers send cheap requests that force the defender to do expensive work.
Examples: heavy database lookups, intensive parsing, ICMP error processing.
Reflection and Amplification
Reflection attacks spoof the victim’s IP address so third-party servers send replies to the victim. Amplification uses services where small requests yield disproportionately large responses.
Common amplification services:
- DNS open resolvers
- NTP (Network Time Protocol)
- CLDAP (Connectionless LDAP)
- SSDP (Simple Service Discovery Protocol)
- Memcached servers
- Some gaming or voice protocols
Botnets
Large sets of compromised devices, especially IoT systems, generate massive attack traffic. Botnets often use encrypted C2, fast-flux DNS, or domain-changing strategies.
Defenses
Network-level Defenses:
- Rate limiting
- Filtering and anti-spoofing
- Blackhole routing (drop all traffic that's going to a specific target)
- Scrubbing centers (services dedicated to ensuring clean traffic at large scale)
Application-level defenses:
- Web Application Firewalls (WAF): filter malicious HTTP patterns
- CAPTCHAs: separate humans from bots
- Content Delivery Networks (CDNs): absorb load at edge locations
- Throttling: slow requests per user/IP
- Graceful degradation: maintain minimal service
Key Themes in Network Security
- Many protocols were built for trust, not security.
- Attackers exploit resource asymmetry and lack of authentication.
- Spoofing enables redirection, amplification, and man-in-the-middle attacks.
- DNS and BGP attacks affect large populations simultaneously.
- IoT devices continue to fuel massive botnets.
- Defense requires layered mechanisms and cooperation across networks.