Feed All posts
Search…
Cybersecurity from Scratch · Part 7
· 17 min read · Cybersecurity

Network attacks and defenses

In this series (16 parts)
  1. How attackers think: the attacker mindset
  2. Networking fundamentals for security
  3. Cryptography fundamentals
  4. Public key infrastructure and certificates
  5. Authentication and authorization
  6. Web application security: OWASP Top 10
  7. Network attacks and defenses
  8. Linux privilege escalation
  9. Windows security fundamentals
  10. Malware types and analysis basics
  11. Reconnaissance and OSINT
  12. Exploitation basics and CVEs
  13. Post-exploitation and persistence
  14. Defensive security: hardening and monitoring
  15. Incident response
  16. CTF skills and practice labs

Network attacks target the protocols that move data between machines. Unlike web application attacks that exploit code, network attacks exploit the way computers communicate. Many of these attacks are possible because early internet protocols were designed for trust, not security.

Prerequisites

You should understand networking fundamentals and basic Linux networking (interfaces, firewalls, ss).

ARP spoofing

ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on a local network. It has no authentication. Any device can claim to be any IP address.

How it works

On a local network, when Computer A wants to talk to the gateway (router), it sends an ARP request: “Who has 192.168.1.1?” The gateway responds: “That is me, MAC address AA:BB:CC:DD:EE:FF.”

An attacker on the same network sends fake ARP replies: “I am 192.168.1.1, and my MAC is ATTACKER:MAC.” Computer A updates its ARP cache and starts sending traffic to the attacker instead of the gateway.

The attacker forwards the traffic to the real gateway so the connection works normally, but they can read and modify everything in transit. This is a man-in-the-middle (MITM) position.

What it looks like in a capture

# Normal ARP table
arp -n

Output:

Address         HWtype  HWaddress           Flags
192.168.1.1     ether   aa:bb:cc:dd:ee:ff   C
192.168.1.50    ether   11:22:33:44:55:66   C

During an ARP spoof attack, the gateway’s MAC address changes to the attacker’s MAC:

# Suspicious: gateway MAC changed
arp -n

Output:

Address         HWtype  HWaddress           Flags
192.168.1.1     ether   99:88:77:66:55:44   C    <-- attacker's MAC!
192.168.1.50    ether   11:22:33:44:55:66   C

Defense

  • Static ARP entries for critical hosts (gateway)
  • Dynamic ARP Inspection (DAI) on managed switches
  • Use encrypted protocols (HTTPS, SSH) so even if traffic is intercepted, it cannot be read
  • 802.1X port-based network access control

DNS spoofing

DNS spoofing returns false DNS responses, redirecting users to attacker-controlled servers.

How it works

  1. User requests bank.com via DNS
  2. Attacker intercepts the DNS query (or poisons the DNS cache)
  3. Attacker returns their own IP address for bank.com
  4. User connects to the attacker’s server, which looks identical to the real bank site
  5. User enters credentials, attacker captures them

Defense

  • DNSSEC cryptographically signs DNS records
  • DNS over HTTPS (DoH) or DNS over TLS (DoT) encrypts DNS queries
  • HTTPS with certificate checking will show a certificate warning because the attacker cannot forge the bank’s TLS certificate (unless they also compromised a CA)

Man-in-the-middle (MITM) attacks

MITM is the position, not the technique. ARP spoofing, DNS spoofing, rogue Wi-Fi access points, and compromised routers are all ways to achieve a MITM position.

Once in the middle, the attacker can:

  • Read unencrypted traffic (HTTP, FTP, Telnet)
  • Modify data in transit (inject malicious content)
  • Downgrade encryption (SSL stripping)
  • Steal credentials

SSL stripping

The attacker intercepts the connection and:

  1. Receives HTTPS from the real server
  2. Sends HTTP (no encryption) to the victim
  3. The victim sees http:// instead of https:// but many people do not notice

Defense: HSTS (HTTP Strict Transport Security) tells browsers to always use HTTPS. Once set, the browser refuses HTTP connections even if the attacker tries to strip SSL.

# Check for HSTS header
curl -sI https://example.com | grep -i strict

Output:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

DDoS attacks

Distributed Denial of Service attacks overwhelm a target with traffic from many sources. The goal is to make the service unavailable.

Types

TypeLayerMethodExample
VolumetricNetworkFlood bandwidthUDP flood, ICMP flood
ProtocolTransportExhaust state tablesSYN flood, ACK flood
ApplicationApplicationExhaust server resourcesHTTP GET/POST flood, Slowloris

SYN flood: The attacker sends thousands of SYN packets (TCP handshake step 1) with spoofed source IPs. The server allocates resources for each half-open connection and eventually runs out.

Slowloris: The attacker opens many HTTP connections and sends headers very slowly, keeping connections alive but never completing them. The server runs out of connection slots.

Defense

  • Rate limiting at the firewall level
  • SYN cookies (enabled by default on modern Linux kernels)
  • CDN/DDoS protection services (Cloudflare, AWS Shield)
  • Network segmentation to contain the impact
  • Overprovisioning for critical services

Port scanning with nmap

Port scanning is a reconnaissance technique that discovers which services are running on a target. nmap is the standard tool.

⚠ Only scan systems you own or have explicit permission to test.

Example 1: Basic nmap scans and interpreting output

# Simple scan of common ports
nmap 192.168.1.100

Output:

Starting Nmap 7.94 ( https://nmap.org ) at 2026-06-21 10:00 UTC
Nmap scan report for 192.168.1.100
Host is up (0.0010s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds
# Version detection
nmap -sV 192.168.1.100

Output:

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 9.3p1 Ubuntu 1ubuntu3.6
80/tcp  open  http     nginx/1.24.0
443/tcp open  ssl/http nginx/1.24.0

Version detection tells the attacker exactly what software and version is running. They can then search for known CVEs.

# OS detection
sudo nmap -O 192.168.1.100

Output:

OS details: Linux 5.15 - 6.5
Network Distance: 1 hop
# Scan all 65535 ports (slower but thorough)
nmap -p- 192.168.1.100
# Scan specific ports
nmap -p 22,80,443,3306,5432 192.168.1.100
# UDP scan (slower, often reveals DNS, SNMP)
sudo nmap -sU --top-ports 20 192.168.1.100

Scan types

FlagTypeDescription
-sTTCP connectFull TCP handshake (noisy)
-sSSYN scanHalf-open scan (stealthier, needs root)
-sUUDP scanScans UDP ports
-sVVersionDetect service versions
-OOS detectionGuess the operating system
-AAggressiveOS + version + scripts + traceroute

Port states

StateMeaning
openService is accepting connections
closedPort is accessible but no service is listening
filteredFirewall is blocking the probe
unfilteredPort is accessible but nmap cannot determine if open or closed

Example 2: Detecting an ARP spoof in a capture

In a lab environment, let’s capture and identify ARP spoofing:

# Start capturing ARP packets
sudo tcpdump -i eth0 arp -w /tmp/arp-capture.pcap &
CAPTURE_PID=$!

# Wait for some traffic
sleep 30

# Stop the capture
kill $CAPTURE_PID

# Analyze the capture
tcpdump -r /tmp/arp-capture.pcap -n

Output:

10:00:01.000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:ff, length 28
10:00:05.000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:ff, length 28
10:00:05.100 ARP, Reply 192.168.1.1 is-at 99:88:77:66:55:44, length 28    <-- SUSPICIOUS
10:00:05.200 ARP, Reply 192.168.1.1 is-at 99:88:77:66:55:44, length 28    <-- SUSPICIOUS
10:00:05.300 ARP, Reply 192.168.1.1 is-at 99:88:77:66:55:44, length 28    <-- SUSPICIOUS
10:00:10.000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:ff, length 28

Red flags:

  1. Two different MAC addresses claiming to be 192.168.1.1
  2. The suspicious MAC (99:88:77:66:55:44) is sending rapid, unsolicited ARP replies
  3. Normal ARP replies from the real gateway (aa:bb:cc:dd:ee:ff) are being overwritten

Find the attacker:

# Which device has the suspicious MAC?
# Check the switch's MAC address table, or
arp -n | grep "99:88:77:66:55:44"

Immediate response:

  1. Set a static ARP entry for the gateway: sudo arp -s 192.168.1.1 aa:bb:cc:dd:ee:ff
  2. Find and disconnect the attacking device
  3. Enable Dynamic ARP Inspection on the switch

Network segmentation

The most effective network defense is segmentation. If an attacker compromises one system, segmentation limits their ability to reach others.

  • Put web servers in a DMZ (demilitarized zone)
  • Keep databases on an internal network that is not accessible from the internet
  • Use VLANs to separate departments
  • Firewall rules between segments (not just at the perimeter)

What comes next

The next article covers Linux privilege escalation, where you will see how attackers move from a low-privilege shell to root access on a Linux system.

For defensive network configuration, see Linux networking and Linux security basics.

← Back to all series
Start typing to search across all content
navigate Enter open Esc close