Home β€Ί D4: Network Security β€Ί Network Attacks & Mitigations
Domain 4 Β· Lesson 6 of 6

Network Attacks & Mitigations

TαΊ₯n cΓ΄ng MαΊ‘ng & Biện phΓ‘p PhΓ²ng chα»‘ng

Comprehensive Attack Reference Table

For each attack, know: which OSI layer it targets, the mechanism, and the specific mitigation. These are high-frequency exam topics β€” memorize the layer-attack-mitigation triple for each.

Attack Layer Mechanism Primary Mitigation
SYN Flood L4 Sends massive TCP SYN packets without completing the 3-way handshake, exhausting the server's connection state table with half-open connections SYN cookies (server doesn't store state for unacknowledged SYNs), firewall rate limiting, stateful firewall connection limits
ARP Poisoning L2 Sends gratuitous ARP replies associating the attacker's MAC address with a legitimate IP, redirecting traffic through the attacker (LAN MITM) DAI (Dynamic ARP Inspection) on managed switches, static ARP entries for critical devices, 802.1X
VLAN Hopping L2 Double-tagging 802.1Q frames to escape attacker's VLAN, or exploiting DTP (Dynamic Trunking Protocol) to negotiate a trunk link and access all VLANs Disable DTP on all non-trunk ports, use a dedicated native VLAN ID not used for any user traffic, prune unused VLANs from trunks
DNS Poisoning L7 Inject malicious DNS records into a resolver's cache to redirect users to attacker-controlled IP addresses DNSSEC (signed DNS records), RPKI for BGP-level protection, randomized source ports and transaction IDs
DDoS (Volumetric) L3/L4 Overwhelm network bandwidth with massive volumes of traffic (UDP flood, ICMP flood, DNS amplification) using a botnet β€” traffic volume exceeds available bandwidth CloudFlare/Akamai/AWS Shield scrubbing centers (absorb at scale), anycast routing, ISP-level blackholing (RTBH)
DDoS (Application L7) L7 Overwhelm web application with HTTP requests that appear legitimate β€” Slowloris (slow headers), HTTP flood, credential stuffing bots WAF rate limiting, CAPTCHA challenges, bot detection (behavioral analysis), CDN caching to reduce origin load
Man-in-the-Middle Multi Attacker intercepts and optionally modifies traffic between two communicating parties β€” can be achieved via ARP poisoning (L2), rogue AP (L2), BGP hijack (L3), or SSL stripping (L7) TLS with certificate validation, mTLS, HSTS, certificate pinning, VPN for untrusted networks
IP Spoofing L3 Send packets with a forged source IP address to impersonate another host, bypass IP-based access controls, or amplify DDoS attacks BCP38 ingress filtering (ISP-level β€” block packets with source IPs not belonging to the originating network), anti-spoofing ACLs
BGP Hijacking L3 Routing Malicious or misconfigured router announces false BGP routes, attracting traffic destined for legitimate networks β€” can redirect internet traffic globally RPKI (Resource Public Key Infrastructure) β€” cryptographically signs BGP route announcements. BGP monitoring services (Cloudflare Radar, BGPmon).
SSL Stripping L7 MITM attacker intercepts HTTP redirect to HTTPS, serves HTTP to the client while maintaining HTTPS upstream β€” client unknowingly communicates in plaintext HSTS preloading (browser always uses HTTPS, refuses HTTP even before redirect), force HTTPS at load balancer
Pass the Hash L7 Auth Attacker extracts NTLM password hash from memory (using Mimikatz) and uses the hash directly to authenticate without knowing the plaintext password β€” hash IS the credential in NTLM Disable NTLM authentication, use Kerberos instead, Windows Credential Guard (protects hash in memory), least privilege

DoS vs DDoS β€” Key Differences

DoS (Denial of Service)
  • β€’ Single source β€” one attacker machine
  • β€’ Easier to block β€” just block that source IP
  • β€’ Limited by single machine's bandwidth
  • β€’ Attacker's machine may be detectable/traceable
DDoS (Distributed Denial of Service)
  • β€’ Thousands or millions of sources (botnet)
  • β€’ Cannot block by IP β€” traffic looks legitimate
  • β€’ Traffic volumes that overwhelm any single site
  • β€’ Requires upstream scrubbing (CloudFlare, Akamai)

Botnets

A botnet is a network of compromised devices (computers, IoT devices, routers) controlled by an attacker (botmaster) via a Command and Control (C2) infrastructure. Botnets are used for:

DDoS attacks
Spam campaigns
Crypto mining
Credential stuffing

SYN Cookies β€” How They Work

SYN cookies solve SYN flood by eliminating server state for unacknowledged connections:

Normal: Server receives SYN β†’ stores half-open connection in table β†’ table fills β†’ new connections rejected (DoS achieved)
SYN cookies: Server receives SYN β†’ computes cryptographic cookie as ISN (Initial Sequence Number) β†’ sends SYN-ACK β†’ stores NOTHING β†’ only completes handshake if valid ACK with cookie returns. Legitimate clients respond; spoofed SYNs (no real source) never return an ACK.

Key Terms

SYN Flood

Layer 4 DoS β€” exhausts server TCP connection table with half-open connections. Mitigated by SYN cookies.

SYN Cookies

Server-side mitigation β€” uses a cryptographic cookie as ISN so no state is stored for unacknowledged SYN connections.

ARP Poisoning

Layer 2 MITM attack β€” fake ARP replies redirect LAN traffic through attacker. Mitigated by DAI on switches.

DAI (Dynamic ARP Inspection)

Switch feature that validates ARP replies against DHCP snooping binding table. Drops spoofed ARP at Layer 2.

VLAN Hopping

Layer 2 attack β€” escape VLAN segmentation via double-tagging or DTP exploitation. Disable DTP to prevent.

DTP (Dynamic Trunking Protocol)

Cisco proprietary β€” allows switches to auto-negotiate trunk links. Disable on all non-trunk (access) ports to prevent VLAN hopping.

DDoS

Distributed Denial of Service β€” thousands of sources overwhelming a target. Requires upstream scrubbing (CloudFlare, Akamai).

BGP Hijacking

False BGP route announcements redirect internet traffic. Mitigated by RPKI β€” cryptographic signing of route origins.

RPKI

Resource Public Key Infrastructure β€” cryptographically binds IP prefixes to ASNs (Autonomous System Numbers) to validate BGP routes.

BCP38

RFC 2827 β€” ISP-level ingress filtering that blocks packets with source IPs that cannot legitimately originate from that network. Prevents IP spoofing and DDoS amplification.

Man-in-the-Middle

Attacker intercepts communication between two parties. Can be active (modifies data) or passive (eavesdrops). Mitigated by TLS/mTLS.

Pass the Hash

Use stolen NTLM hash directly as credential without cracking it. Disable NTLM; use Kerberos; deploy Credential Guard.

HSTS

HTTP Strict Transport Security β€” browser-enforced HTTPS. Prevents SSL stripping by refusing HTTP connections even before redirect.

Botnet

Network of compromised devices controlled via C2 infrastructure. Used for DDoS, spam, credential stuffing, crypto mining.

Exam Tips β€” Network Attacks
  1. SYN cookies: server doesn't store half-open connections. The cryptographic cookie in the SYN-ACK's ISN encodes the state β€” only extracted when a valid ACK returns. Legitimate clients respond; spoofed IP addresses cannot.
  2. ARP operates at Layer 2 β€” DAI mitigates at Layer 2. Both the attack and the control are at the Data Link layer. DAI requires DHCP snooping to be enabled first (the binding table is the source of truth).
  3. VLAN hopping requires DTP to be enabled β€” disable DTP on all access ports (switchport nonegotiate). Also: the native VLAN (untagged VLAN) must be a dedicated ID not used for any user or management traffic.
  4. HSTS prevents SSL stripping by telling the browser to ALWAYS use HTTPS for the domain for a specified period. The browser will refuse an HTTP connection even if an attacker removes the HTTPS redirect. HSTS preloading extends this to first-visit protection.
  5. DDoS mitigation: CloudFlare/Akamai are better than on-premises for volumetric attacks β€” they have terabit-scale scrubbing capacity and anycast routing to absorb attacks close to their source. On-premises appliances cannot absorb 100+ Gbps volumetric floods.
Platform C/Partner C Network Attack Defense
  • Volumetric DDoS: CloudFlare absorbs at edge before traffic reaches GCP. CloudFlare's scrubbing capacity is multi-terabit β€” no on-premises solution needed. Ensure CloudFlare "Under Attack Mode" is tested and understood by the team. Configure automatic mode activation via CloudFlare Workers or Firewall Rules triggered by traffic anomalies.
  • Application-layer DDoS (HTTP flood) on Partner C: CloudFlare WAF rate limiting (e.g., 100 requests/minute per IP to public endpoints). CAPTCHA challenge for suspicious request patterns. Bot Fight Mode enabled on CloudFlare. This is highest priority β€” Partner C has the most public exposure (PH market, consumer-facing loan application).
  • OTP brute-force (L7 application DoS): Rate limit: 5 OTP attempts per phone number per hour (sliding window in Redis). Implement account lockout after 10 failed OTPs across 24 hours. This is separate from WAF β€” enforced at application layer in Platform C API service.
  • Partner D B2B API β€” DDoS surface elimination: Fixed-IP allowlist at GCP firewall layer (only Partner D's registered IPs can reach the endpoint). All external IPs are hard-rejected at L3 before reaching the application. This eliminates virtually all external DDoS attack surface on the Partner D API endpoint.
  • SFTP (Partner D batch): Fixed-IP allowlist + certificate-based authentication. No password authentication. Rate limit concurrent sessions. Monitor for unexpected file upload volumes (anomaly detection).
  • SSL Stripping: All TS domains served via CloudFlare with HSTS enabled (max-age=31536000, includeSubDomains). Force HTTPS at CloudFlare edge. No HTTP-accessible endpoints.
  • Pass the Hash: TS engineers use GCP IAM with short-lived OAuth tokens (not NTLM). Production Vault uses Kubernetes ServiceAccount JWT tokens. No NTLM in the environment β€” but verify any Windows-based jump hosts or legacy systems in VPN path.

Practice Quiz β€” Network Attacks & Mitigations

Q1. How do SYN cookies defeat a SYN flood attack?

A. By increasing the TCP connection table size to absorb all SYN packets
B. By blocking all SYN packets from unknown IP addresses
C. By encoding connection state into the ISN so no state is stored for unacknowledged SYNs βœ“
D. By rate-limiting SYN packets at the firewall before they reach the server
SYN cookies make the server stateless during the handshake initiation. The server computes a cryptographic value as the Initial Sequence Number (ISN) in the SYN-ACK and stores nothing. Only when a valid ACK returns with the correct ISN is the connection state created. Spoofed SYNs (from non-existent sources) never return an ACK, so no state is ever created β€” the connection table cannot be exhausted.

Q2. ARP poisoning is best mitigated at Layer 2 by which control?

A. Stateful firewall with connection tracking
B. DAI (Dynamic ARP Inspection) on managed switches βœ“
C. HSTS enforcement on all web servers
D. IPSec ESP tunnel mode between all hosts
DAI (Dynamic ARP Inspection) is a Layer 2 control on managed switches that validates all ARP replies against the DHCP snooping binding table. ARP replies claiming IP-to-MAC mappings that are not in the binding table are dropped. This prevents ARP poisoning at the switch level β€” the correct layer for this attack.

Q3. VLAN hopping via DTP exploitation can be prevented by which specific configuration?

A. Enable VLAN pruning on all switch trunk ports
B. Use the same native VLAN ID as the management VLAN
C. Disable DTP on all non-trunk (access) ports βœ“
D. Enable BPDU guard on all uplink ports
DTP (Dynamic Trunking Protocol) allows switches to auto-negotiate trunk links. An attacker can exploit DTP on an access port to negotiate a trunk link, gaining access to all VLANs. Disabling DTP (switchport nonegotiate + switchport mode access) on all non-trunk ports prevents this. Additionally, the native VLAN should be a dedicated unused VLAN ID to prevent double-tagging attacks.

Q4. How does HSTS prevent SSL stripping attacks?

A. HSTS encrypts HTTP traffic to prevent interception
B. HSTS verifies the server's TLS certificate before connection
C. HSTS tells the browser to refuse HTTP connections entirely for the domain βœ“
D. HSTS pins the server's certificate hash in the browser
HSTS sends the header Strict-Transport-Security, which instructs the browser that for the specified max-age period, it must ONLY connect via HTTPS β€” refusing any HTTP connection attempt. Even if a MITM attacker removes the HTTPS redirect and serves an HTTP link, the browser will internally rewrite it to HTTPS before making the connection. HSTS preloading extends this to first-visit protection by including the domain in browsers' built-in HTTPS lists.

Q5. Why is DDoS generally harder to block than DoS?

A. DDoS uses encrypted traffic that cannot be inspected
B. DDoS always targets Layer 7, which cannot be rate-limited
C. DDoS traffic originates from many legitimate-looking IPs, making IP blocking ineffective βœ“
D. DDoS cannot be detected until the target is already unreachable
DoS comes from a single source β€” block that IP and the attack stops. DDoS comes from thousands or millions of distributed sources (a botnet) β€” each individual source sends a small amount of traffic that appears legitimate. Blocking individual IPs is like playing whack-a-mole. Only upstream scrubbing services (CloudFlare, Akamai) with massive bandwidth and anycast routing can absorb and filter DDoS traffic effectively.
Domain 4 Complete

You've Finished Domain 4: Network Security

6 lessons covering OSI layers, firewalls, VPN/TLS, wireless, email/DNS security, and network attacks. Review the key themes: match every attack to an OSI layer, and every control to its layer. Then move on to Domain 5: Identity & Access Management.

Continue to Domain 5: IAM β†’
← Lesson 05: Email & DNS Domain 5: IAM β†’