Domain 2: Threats, Vulnerabilities, and Mitigations Module 16 of 61

Network and Application Attacks

Security+ Domain 2 (Threats, Vulnerabilities, and Mitigations), Section C: Malicious Activity and Mitigations

What the Exam Is Really Testing

Picture this: a user connects to "CoffeeShop_WiFi" and logs into their bank. An hour later, their account is drained. Or a web server gets flooded with millions of DNS responses it never asked for and goes offline. Or an attacker sends forged ARP replies and quietly intercepts every packet on the LAN.

These are all network attacks, and the exam will describe them exactly like that — as symptoms and behaviors, not by name.

Given a description of network behavior or an attack in progress, identify the attack type and understand how it exploits network protocols or wireless technologies.

This module covers a wide range of attacks. Focus on how each attack works at the protocol level, because matching the protocol behavior to the attack name is exactly what the exam demands.


Denial of Service Attacks

DoS (Denial of Service)

A DoS attack overwhelms a target system with traffic or requests, making it unavailable to legitimate users. A single attacker or a single source generates enough traffic to exhaust the target's resources — bandwidth, CPU, memory, or connection capacity.

DDoS (Distributed Denial of Service)

DDoS uses multiple compromised systems (a botnet) to flood a target simultaneously. Because the attack comes from thousands of sources, it is much harder to block than a single-source DoS.

DDoS variants:

  • Volumetric attacks — Flood bandwidth with massive traffic volume (UDP floods, ICMP floods)
  • Protocol attacks — Exhaust server resources by exploiting protocol weaknesses (SYN floods, Ping of Death)
  • Application layer attacks — Target specific application functions with seemingly legitimate requests (HTTP floods, Slowloris)
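The protocol category above is easiest to see with a SYN flood: the attacker sends SYNs and never completes the handshake, so the server's half-open connection table fills up. The following script is an added example (not part of this module) that replays a constructed log of inbound TCP segments through a small handshake state machine and alerts when the number of half-open connections opened within one second exceeds a threshold. The record format, the sample addresses and the function names are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample of inbound TCP segments as a server-side sensor might log them:
# (timestamp_seconds, src_ip, src_port, flags) with "S" = SYN and "A" = ACK.
# These records are made up for the example, not captured traffic.
SAMPLE_SEGMENTS = [
    (0.00, "10.0.0.5", 51000, "S"),
    (0.02, "10.0.0.5", 51000, "A"),   # a normal client completes the handshake
    (0.10, "10.0.0.9", 52000, "S"),
    (0.13, "10.0.0.9", 52000, "A"),
] + [
    # 200 SYNs within 0.8 s from sources that never send the final ACK
    (1.0 + i * 0.004, f"198.51.100.{i % 250}", 40000 + i, "S") for i in range(200)
]


def half_open_connections(segments):
    """Replay the segments through a tiny handshake state machine and return the
    connections (keyed by source IP and port) that sent a SYN but never ACKed."""
    pending = {}
    for ts, src_ip, src_port, flags in segments:
        key = (src_ip, src_port)
        if flags == "S":
            pending[key] = ts            # SYN received: connection is now half-open
        elif flags == "A" and key in pending:
            del pending[key]             # third handshake step: connection established
    return pending


def detect_syn_flood(segments, window_seconds=1.0, threshold=100):
    """Return (alert, peak) where peak is the largest number of half-open
    connections opened inside any sliding window of `window_seconds`."""
    times = sorted(half_open_connections(segments).values())
    peak, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window_seconds:
            start += 1               # slide the window forward
        peak = max(peak, end - start + 1)
    return peak > threshold, peak


def sources_by_half_open(segments):
    """Count half-open connections per source, useful for telling a single-source
    DoS (one busy IP) from a spoofed or distributed flood (many IPs, one each)."""
    counts = defaultdict(int)
    for src_ip, _port in half_open_connections(segments):
        counts[src_ip] += 1
    return dict(counts)


if __name__ == "__main__":
    alert, peak = detect_syn_flood(SAMPLE_SEGMENTS)
    print(f"SYN flood alert={alert}, peak half-open in 1 s window={peak}")
    print(f"distinct sources holding half-open connections: {len(sources_by_half_open(SAMPLE_SEGMENTS))}")
```

In the sample the two legitimate clients complete their handshakes and drop out of the pending table, while the 200 flood sources stay half-open and trip the threshold. Because every flood source holds exactly one connection, per-source rate limiting would not help; that is why the standard mitigation for this category is SYN cookies, which let the server avoid allocating state until the final ACK arrives.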

Amplified and Reflected Attacks

Amplification attacks exploit protocols that generate large responses to small requests. The attacker sends a small query with a spoofed source IP (the victim's address) to an amplifier service. The service sends its large response to the victim.

DNS amplification is the classic example: a 60-byte DNS query can generate a 4,000-byte response. The attacker multiplies their bandwidth by a factor of 50 or more.

NTP, SSDP, and memcached services are also commonly used as amplifiers.
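From the victim's side, a reflected amplification attack shows up as DNS responses that answer queries the victim never sent, arriving from many different resolvers. The script below is an added example (not from this module) that computes the amplification factor from the query and response sizes quoted above and then scans a constructed edge-sensor log for inbound DNS responses with no matching outbound query. The record layout, the sample addresses and transaction IDs, and the function names are assumptions for the illustration.

```python
def amplification_factor(request_bytes, response_bytes):
    """Bandwidth multiplier the attacker gains per reflected request."""
    return response_bytes / request_bytes


# Constructed records from a sensor at the victim's network edge:
# (direction, peer_ip, dns_transaction_id, size_bytes). Made up for the example.
SAMPLE_DNS = [
    ("out", "192.0.2.53", 0x1A2B, 60),
    ("in",  "192.0.2.53", 0x1A2B, 180),   # legitimate answer to our own query
] + [
    # 50 large responses from 50 different open resolvers we never queried
    ("in", f"203.0.113.{i}", 0x0BAD + i, 4000) for i in range(1, 51)
]


def unsolicited_responses(records):
    """Return inbound DNS responses whose (peer, transaction id) never matches an
    outbound query in the same log. Stateless resolvers at the victim will see
    exactly these as the reflected flood."""
    sent = {(peer, txid) for direction, peer, txid, _size in records if direction == "out"}
    return [
        (peer, txid, size)
        for direction, peer, txid, size in records
        if direction == "in" and (peer, txid) not in sent
    ]


def detect_reflection(records, min_sources=20, min_bytes=100_000):
    """Alert when unsolicited responses come from many sources and add up to a
    lot of bytes: many sources distinguishes reflection from one misbehaving resolver."""
    unsolicited = unsolicited_responses(records)
    sources = {peer for peer, _txid, _size in unsolicited}
    total = sum(size for _peer, _txid, size in unsolicited)
    return {
        "alert": len(sources) >= min_sources and total >= min_bytes,
        "sources": len(sources),
        "bytes": total,
    }


if __name__ == "__main__":
    print(f"60-byte query -> 4000-byte answer: x{amplification_factor(60, 4000):.1f}")
    print(detect_reflection(SAMPLE_DNS))
```

The legitimate answer from 192.0.2.53 is ignored because the log shows the query that prompted it; the 50 unsolicited 4,000-byte responses are what saturate the link. Matching on (source, transaction ID) is the same check a stateful firewall performs, which is why blocking unsolicited UDP responses at the edge is the usual first mitigation while upstream filtering is arranged.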


DNS Attacks

DNS Poisoning

DNS poisoning corrupts a DNS server's cache with false records. When users query the poisoned server for a domain, they receive the attacker's IP address instead of the legitimate one, redirecting them to malicious sites without any visible indication.

DNS Spoofing

DNS spoofing intercepts DNS queries and returns forged responses before the legitimate DNS server can reply. The result is the same as poisoning — users are redirected — but the mechanism targets individual queries rather than the DNS cache.

DNSSEC (DNS Security Extensions) mitigates both attacks by cryptographically signing DNS records, allowing resolvers to verify authenticity.


Layer 2 and Network Attacks

ARP Poisoning

ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on a local network. ARP poisoning sends forged ARP replies that associate the attacker's MAC address with the IP address of the default gateway or another target.

Once ARP tables are poisoned, all traffic intended for the gateway flows through the attacker's machine first, enabling traffic interception, modification, and credential capture.

Mitigation: Dynamic ARP Inspection (DAI), static ARP entries for critical infrastructure, and network segmentation.
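Dynamic ARP Inspection works by comparing every ARP reply on an untrusted port against a trusted IP-to-MAC binding table (normally built by DHCP snooping) and dropping replies that do not match. The script below is an added example (not from this module and not any switch vendor's code) that models that check over a constructed stream of ARP replies, including a forged reply claiming the gateway's IP. The binding table, the sample addresses and the function names are assumptions for the illustration.

```python
from collections import defaultdict

# Trusted bindings as DHCP snooping or a static table would record them: IP -> MAC.
# Constructed for the example.
TRUSTED_BINDINGS = {
    "10.0.0.1":  "00:11:22:33:44:01",   # default gateway
    "10.0.0.20": "00:11:22:33:44:20",
}

# Constructed ARP reply records seen on an untrusted access port: (sender_ip, sender_mac).
SAMPLE_ARP_REPLIES = [
    ("10.0.0.1",  "00:11:22:33:44:01"),   # legitimate gateway reply
    ("10.0.0.20", "00:11:22:33:44:20"),
    ("10.0.0.1",  "de:ad:be:ef:00:01"),   # forged: a second MAC claims the gateway IP
    ("10.0.0.1",  "de:ad:be:ef:00:01"),
    ("10.0.0.77", "00:11:22:33:44:77"),   # host with no binding at all
]


def inspect_arp_reply(sender_ip, sender_mac, bindings):
    """Model DAI on an untrusted port: forward only replies whose sender IP/MAC
    pair matches the trusted binding table; drop everything else."""
    expected = bindings.get(sender_ip)
    if expected is None:
        return "drop", "no trusted binding for sender IP"
    if expected.lower() != sender_mac.lower():
        return "drop", f"IP {sender_ip} is bound to {expected}, reply claims {sender_mac}"
    return "forward", "binding matches"


def poisoning_candidates(replies, bindings):
    """Group dropped replies by IP. A bound IP being claimed by a different MAC is
    the ARP poisoning signature; an unknown host is merely a missing binding."""
    flagged = defaultdict(set)
    for ip, mac in replies:
        verdict, _reason = inspect_arp_reply(ip, mac, bindings)
        if verdict == "drop" and ip in bindings:
            flagged[ip].add(mac)
    return dict(flagged)


if __name__ == "__main__":
    for ip, mac in SAMPLE_ARP_REPLIES:
        verdict, reason = inspect_arp_reply(ip, mac, TRUSTED_BINDINGS)
        print(f"{ip:<10} {mac}  {verdict:<8} {reason}")
    print("poisoning candidates:", poisoning_candidates(SAMPLE_ARP_REPLIES, TRUSTED_BINDINGS))
```

The forged replies for 10.0.0.1 never reach other hosts, so their ARP caches keep the real gateway MAC and no on-path position is created. The same comparison can be run on a host's own ARP cache as a detection control: a gateway IP whose MAC changes to a value outside the binding table is the event to alert on.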

Replay Attacks

Replay attacks capture legitimate network communications and retransmit them later to achieve unauthorized effects. An attacker captures an authentication exchange and replays it to gain access, or captures a financial transaction and replays it to duplicate the payment.

Mitigations include timestamps, nonces (one-time-use values), and session tokens that prevent reuse of captured data.
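The three mitigations combine naturally: a timestamp bounds how long a captured message stays valid, a nonce makes each message unique within that window, and a MAC over all three fields stops the attacker from simply editing the timestamp or nonce on the captured copy. The following is an added example (not from this module) of a request format and a receiver-side check that rejects a replayed message, a stale one, and a tampered one. The key, the request layout and the class and function names are assumptions for the illustration.

```python
import hashlib
import hmac
import os

SHARED_KEY = b"example-shared-secret"   # constructed; a real key is provisioned out of band


def make_request(key, body, now, nonce=None):
    """Build a request carrying a timestamp, a fresh nonce, and an HMAC over all fields."""
    nonce = nonce or os.urandom(16).hex()
    ts = str(int(now))
    msg = f"{ts}|{nonce}|{body}".encode()
    return {"ts": ts, "nonce": nonce, "body": body,
            "mac": hmac.new(key, msg, hashlib.sha256).hexdigest()}


class ReplayGuard:
    """Receiver-side check: integrity first, then freshness, then uniqueness."""

    def __init__(self, key, max_skew_seconds=30):
        self.key = key
        self.max_skew = max_skew_seconds
        self.seen = {}   # nonce -> timestamp, pruned as nonces age out of the window

    def verify(self, req, now):
        # 1. Integrity: a captured message cannot be "refreshed" by editing ts or nonce.
        msg = f"{req['ts']}|{req['nonce']}|{req['body']}".encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["mac"]):
            return False, "bad mac"
        # 2. Freshness: anything outside the skew window is rejected outright.
        ts = int(req["ts"])
        if abs(int(now) - ts) > self.max_skew:
            return False, "stale timestamp"
        # 3. Uniqueness: inside the window, each nonce may be accepted once.
        if req["nonce"] in self.seen:
            return False, "nonce already used (replay)"
        self.seen[req["nonce"]] = ts
        # The timestamp bound keeps this table small: old nonces can be forgotten safely.
        self.seen = {n: t for n, t in self.seen.items() if int(now) - t <= self.max_skew}
        return True, "ok"


if __name__ == "__main__":
    guard = ReplayGuard(SHARED_KEY)
    req = make_request(SHARED_KEY, "transfer 100 to account 42", now=1_000_000)
    print("first delivery :", guard.verify(req, now=1_000_005))
    print("replayed copy  :", guard.verify(req, now=1_000_010))
```

The order of the checks matters: verifying the MAC before reading the timestamp or nonce means an attacker cannot probe the replay table with forged values, and the timestamp window is what lets the receiver discard old nonces without losing protection. Session tokens follow the same idea at a higher level, with the token standing in for the nonce and its expiry for the timestamp.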

On-Path Attacks (Man-in-the-Middle / Man-in-the-Browser)

On-path attacks position the attacker between two communicating parties, intercepting and potentially modifying traffic in real time.

Man-in-the-Middle (MITM) intercepts network traffic between endpoints. The attacker establishes separate connections with each party, relaying and potentially altering messages. ARP poisoning and DNS spoofing are common methods for achieving an on-path position.

Man-in-the-Browser (MITB) operates within the victim's web browser through malware. It intercepts and modifies web transactions after TLS decryption, making it invisible to network-level security controls.

Credential Relay

Credential relay attacks intercept authentication credentials and relay them to another service in real time. Unlike replay attacks (which store and reuse later), relay attacks forward credentials immediately to authenticate to a different target.

NTLM relay is the most common example: the attacker intercepts an NTLM authentication attempt and relays it to a different server to gain access with the victim's credentials.

Privilege Escalation

Privilege escalation exploits vulnerabilities to gain higher access than intended:

  • Vertical escalation — A standard user gains administrator or root privileges
  • Horizontal escalation — A user accesses resources belonging to another user at the same privilege level

Privilege escalation often follows initial compromise. The attacker gains low-level access through one vulnerability and then escalates to full system control through a second vulnerability.


Wireless Attacks

Evil Twin

An evil twin creates a malicious Wi-Fi access point that mimics a legitimate network. The attacker replicates the SSID (network name) of a trusted network. Users connect to the fake AP, routing all their traffic through the attacker's system.

Evil twins are effective in public locations where users expect open Wi-Fi: coffee shops, airports, hotels.

Rogue Access Point

A rogue AP is an unauthorized access point connected to the corporate network. Unlike evil twins (which mimic existing networks), rogue APs may have unique SSIDs but provide unauthorized network access, bypassing security controls.

Employees sometimes install personal routers for convenience, unknowingly creating a backdoor into the corporate network.

Disassociation Attack

Disassociation attacks send forged management frames that disconnect clients from their wireless access point. This forces clients to reconnect, and during the reconnection process, the attacker can capture the authentication handshake or redirect clients to an evil twin.

WPA/WEP Cracking

WEP (Wired Equivalent Privacy) uses weak encryption that can be cracked in minutes. WPA/WPA2 with a weak pre-shared key is vulnerable to an offline dictionary attack if the four-way handshake is captured.

WPA3 addresses many of these weaknesses with Simultaneous Authentication of Equals (SAE), but WPA2 remains widely deployed and testable.

Jamming

Wireless jamming floods the radio frequency with noise, preventing legitimate devices from communicating. Jamming is a brute-force disruption that does not require protocol knowledge — it simply overwhelms the signal.

Bluetooth Attacks

Bluetooth-specific attacks include:

  • Bluejacking — Sending unsolicited messages to Bluetooth-enabled devices (nuisance, low severity)
  • Bluesnarfing — Unauthorized access to data on a Bluetooth device (contacts, messages, files)
  • Bluebugging — Taking control of a Bluetooth device to make calls, send messages, or access data

Pattern Recognition

When you see a network attack question:

  1. Is the attack about availability (DoS/DDoS), interception (on-path), or redirection (DNS/ARP)?
  2. Is it targeting a wired network, wireless network, or specific protocol?
  3. Does it involve real-time interception or stored replay?
  4. Is the attacker escalating from low access to high access?

Pattern shortcuts:

  • Service unavailable + massive traffic = DDoS
  • Users redirected to fake websites = DNS poisoning/spoofing
  • Traffic intercepted on LAN = ARP poisoning leading to MITM
  • Captured auth replayed later = replay attack
  • Captured auth forwarded in real time = credential relay
  • Fake Wi-Fi network with same name = evil twin
  • Clients forced to disconnect from Wi-Fi = disassociation attack

Trap Patterns

Common traps:

  • Confusing replay with relay. Replay stores and reuses later. Relay forwards in real time. The timing is the key distinction.
  • Confusing evil twin with rogue AP. Evil twins mimic existing legitimate networks. Rogue APs are unauthorized but may use different names. Evil twins target users; rogue APs create unauthorized access points.
  • Assuming DDoS is always volumetric. Application-layer DDoS uses low-volume, seemingly legitimate requests. The exam tests all three DDoS categories.
  • Forgetting that ARP poisoning enables MITM. ARP poisoning is the technique. MITM is the result. The exam may describe the ARP attack and ask about the resulting position.

Scenario Practice

Question 1

A security analyst notices that the organization's web server is receiving millions of DNS response packets it never requested. The server's bandwidth is completely saturated, making the website unavailable. Investigation shows the responses are coming from thousands of open DNS resolvers worldwide.

Which attack type is occurring?

Answer & reasoning

Answer: DNS amplification DDoS attack

The attacker sent small DNS queries to open resolvers with the victim's IP as the source address. The resolvers sent their large responses to the victim, amplifying the attack traffic. The millions of unsolicited DNS responses from worldwide sources confirm this is a distributed DNS amplification attack.


Question 2

An employee at a coffee shop connects to "CoffeeShop_WiFi" as usual. After connecting, they notice their banking website's SSL certificate shows a warning. They proceed anyway and enter their credentials. The next day, unauthorized transactions appear on their account.

Which attacks were involved?

Answer & reasoning

Answer: Evil twin attack enabling a man-in-the-middle attack

The attacker created a fake access point mimicking the coffee shop's legitimate Wi-Fi (evil twin). When the employee connected, all traffic routed through the attacker. The SSL certificate warning indicated the attacker was intercepting HTTPS traffic (MITM). The employee's credentials were captured when they dismissed the warning and logged in.


Question 3

A penetration tester on the internal network sends forged ARP replies to all hosts, associating their own MAC address with the default gateway's IP. Network traffic from all hosts on the subnet now flows through the penetration tester's machine before reaching the gateway.

Which attack technique is being demonstrated?

Answer & reasoning

Answer: ARP poisoning to establish an on-path (man-in-the-middle) position

The forged ARP replies corrupted the ARP tables of all hosts, redirecting traffic through the attacker's machine. ARP poisoning is the technique; the resulting on-path position allows traffic interception, credential capture, and data modification.

Dynamic ARP Inspection (DAI) would prevent this attack by validating ARP packets against a trusted binding table.


Key Takeaway

Network attacks work because protocols like ARP, DNS, and Wi-Fi management frames were designed for functionality, not security. Attackers exploit that design gap. Here are the distinctions that matter most on the exam:

  • Know the three DDoS categories: volumetric, protocol, and application layer
  • Distinguish between replay (stored) and relay (real-time) attacks
  • ARP poisoning creates an on-path position; it is a means, not an end
  • Evil twins mimic existing networks; rogue APs are unauthorized additions

Understand the protocol. Understand the attack. Understand the defense.
