Networks move data between devices constantly, and every connection is a chance for someone to listen in, redirect traffic, or shut things down. This topic is about the most common ways attackers mess with networks, how they get in, and how defenders figure out which problems are actually dangerous versus which ones are just minor annoyances. Once you understand how these attacks work under the hood, the defenses in the rest of Unit 3 start to make a lot more sense.
Common Network Attacks
Most network attacks fall into a few categories: intercepting traffic, listening in, redirecting users, or overwhelming a system so it stops working. The four attacks below are the ones you absolutely need to know.

ARP Poisoning and On-Path Attacks
To understand this one, you need to know what ARP does. The address resolution protocol (ARP) is how a default gateway figures out which device on the network has which address. Every device has two addresses: an IP address (logical, like a mailing address) and a MAC address (physical, burned into the network card). The gateway keeps an ARP table that pairs them up so traffic actually reaches the right machine.
An ARP poisoning attack is when an adversary sends fake ARP packets to the gateway. These packets say "hey, the IP address belonging to the target is actually at my MAC address." The gateway updates its table, and now traffic meant for the victim gets sent to the attacker instead. Faking a MAC address like this is called MAC spoofing.
Once the attacker is sitting in the middle of the conversation, this becomes an on-path attack (also called a man-in-the-middle attack). The attacker captures data from both sides, can copy or alter it, and then forwards it along. Both the victim and whoever they're talking to think they're communicating directly. They're actually both talking to the attacker.
```text
Normal:   Alice <----> Gateway  <----> Bob
Poisoned: Alice <----> Attacker <----> Bob   (attacker sees everything)
```
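The gateway-side view of this attack is a table entry that suddenly changes. The following is an added example, not code from the course text: an arpwatch-style monitor that replays constructed ARP replies, refuses to overwrite a pairing it already knows, and reports any MAC that has answered for more than one IP (the on-path pattern, where one attacker impersonates both ends). The addresses and MACs are made up for the sample.

```python
from dataclasses import dataclass, field

@dataclass
class ArpMonitor:
    """arpwatch-style monitor: learns IP->MAC pairings and flags changes."""
    table: dict = field(default_factory=dict)    # ip -> first MAC seen
    claims: dict = field(default_factory=dict)   # mac -> every IP it has claimed
    alerts: list = field(default_factory=list)   # (ip, known_mac, new_mac)

    def observe(self, ip: str, mac: str) -> bool:
        """Process one ARP reply. Returns True if it conflicts with a known pairing."""
        mac = mac.lower()
        self.claims.setdefault(mac, set()).add(ip)
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac           # first claim for this IP: learn it
            return False
        if known != mac:
            # A second MAC is claiming an IP we already know: the poisoning
            # signature. Keep the original binding instead of letting the
            # new reply overwrite it.
            self.alerts.append((ip, known, mac))
            return True
        return False

    def macs_claiming_multiple_ips(self) -> dict:
        """MACs that have answered for more than one IP, which is what an
        attacker sitting between two hosts looks like."""
        return {m: ips for m, ips in self.claims.items() if len(ips) > 1}

# Constructed sample traffic: Alice (.10) and Bob (.20) answer normally, then a
# single attacker MAC claims both of their addresses.
SAMPLE_REPLIES = [
    ("192.168.1.10", "02:00:00:00:00:0a"),
    ("192.168.1.20", "02:00:00:00:00:0b"),
    ("192.168.1.10", "AA:AA:AA:AA:AA:AA"),
    ("192.168.1.20", "AA:AA:AA:AA:AA:AA"),
]

def run_sample():
    mon = ArpMonitor()
    flagged = [mon.observe(ip, mac) for ip, mac in SAMPLE_REPLIES]
    return mon, flagged

if __name__ == "__main__":
    mon, flagged = run_sample()
    for ip, old, new in mon.alerts:
        print(f"ALERT {ip}: {old} -> {new}")
    print("MACs claiming several IPs:", mon.macs_claiming_multiple_ips())
```

A real deployment needs a whitelist for devices that legitimately answer for several IPs (routers, VM hosts), and the "keep the first binding" rule is a detection choice, not a fix: the durable mitigation is dynamic ARP inspection on the switch or static entries for the gateway.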
MAC Flooding and Eavesdropping
Switches are smarter than hubs. A switch keeps a table of which MAC addresses are on which ports, so it sends Ethernet frames only to the correct port instead of broadcasting to everyone. That table has a limited size.
A MAC flooding attack abuses that limit. The attacker sends the switch a huge number of Ethernet frames, each with a different fake MAC address. The table fills up, and many switches fall back into broadcast mode, sending every frame to every port. Now the attacker can capture all the traffic on the network.
This is a form of eavesdropping (also called sniffing), where the attacker quietly captures data in transit and records or copies it. Eavesdropping is passive. The attacker isn't changing anything, just listening.
DNS Poisoning and Credential Harvesting
The domain name system (DNS) turns names like bank.com into IP addresses that computers actually use. When you type a URL, your computer asks a DNS server, "what IP goes with this name?" and trusts the answer.
In a DNS poisoning attack, the adversary pretends to be an authoritative name server (NS) and plants a fake DNS record on a DNS server. Now when users try to visit a legitimate site, they get sent to a malicious one that looks identical. They type in their username and password, and the attacker grabs them.
That last step is credential harvesting: setting up a fake login page that mimics a real one so unsuspecting users hand over real credentials. The attacker can then use those credentials on the actual site.
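A planted record only ends up in a cache if the cache accepts it. As an added example (not from the course text), here is a stub resolver that keeps a list of outstanding queries and accepts an answer only when its transaction ID and question match one of them and the answer is for the name that was asked about. The names, IDs and addresses are constructed for the sample.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsResponse:
    txid: int          # transaction ID echoed from the query
    qname: str         # question section: the name that was asked about
    answer_name: str   # name the answer record is for
    ip: str

class StubResolver:
    def __init__(self):
        self.pending = {}   # txid -> qname still waiting for an answer
        self.cache = {}     # name -> ip
        self.rejected = []

    def send_query(self, qname, txid=None):
        # A random 16-bit ID makes blind forgery a guessing game.
        txid = secrets.randbelow(1 << 16) if txid is None else txid
        self.pending[txid] = qname.lower()
        return txid

    def receive(self, resp: DnsResponse) -> bool:
        """Accept the answer into the cache only if it matches a pending query."""
        expected = self.pending.get(resp.txid)
        if (expected is None
                or resp.qname.lower() != expected
                or resp.answer_name.lower() != expected):
            self.rejected.append(resp)      # unsolicited, stale, or off-topic
            return False
        del self.pending[resp.txid]         # first valid answer wins
        self.cache[expected] = resp.ip
        return True

def run_sample():
    r = StubResolver()
    txid = r.send_query("bank.com", txid=0x1234)   # fixed ID so the run is reproducible
    results = [
        r.receive(DnsResponse(0x9999, "bank.com", "bank.com", "198.51.100.66")),   # wrong txid
        r.receive(DnsResponse(txid, "bank.com", "evil.example", "198.51.100.66")), # answers another name
        r.receive(DnsResponse(txid, "bank.com", "bank.com", "192.0.2.10")),        # genuine answer
        r.receive(DnsResponse(txid, "bank.com", "bank.com", "198.51.100.66")),     # late: nothing pending
    ]
    return r, results
```

These checks raise the cost of poisoning but do not make forgery impossible, since an attacker who can see or guess the ID still wins the race. Production resolvers add source-port randomization and, where the zone is signed, DNSSEC validation, which is the check that actually proves the record came from the authoritative server.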
Smurf Attacks and Denial of Service
A denial of service (DoS) attack is any attack that makes a system or resource unavailable to authorized users. A smurf attack is one specific way to do that, using Internet Control Message Protocol (ICMP) requests (the same protocol behind the ping command).
Here's the trick. The attacker sends many ICMP requests, but they spoof the source address to be the victim's address, and they send them to the network's broadcast address. The gateway forwards the request to every device on the network. Every single device then replies to the victim. One spoofed request turns into hundreds of replies, all aimed at the victim, flooding their connection with junk so legitimate traffic can't get through.
When many devices coordinate to attack the same target at once, it's called a distributed denial of service (DDoS) attack. DDoS is much harder to stop because the traffic is coming from everywhere at the same time.
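Both halves of a smurf attack leave a visible trace: an echo request addressed to the subnet's broadcast address, and a burst of echo replies from many LAN hosts converging on a single outside address. The following added example (not from the course text) runs those two checks over constructed packet records and computes the amplification factor; the addresses come from the documentation ranges.

```python
import ipaddress
from collections import Counter

LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed packet records: (src, dst, icmp_type); type 8 = echo request, 0 = echo reply.
PACKETS = [
    ("203.0.113.7",  "192.168.1.255", 8),   # spoofed "victim" source, broadcast destination
    ("192.168.1.10", "203.0.113.7",   0),   # every host answers the victim
    ("192.168.1.11", "203.0.113.7",   0),
    ("192.168.1.12", "203.0.113.7",   0),
    ("192.168.1.13", "203.0.113.7",   0),
    ("192.168.1.10", "192.168.1.20",  8),   # an ordinary ping: must not be flagged
    ("192.168.1.20", "192.168.1.10",  0),
]

def is_directed_broadcast(dst, lan=LAN):
    return ipaddress.ip_address(dst) == lan.broadcast_address

def find_broadcast_pings(packets):
    """Echo requests aimed at the LAN broadcast address: (src, dst) pairs."""
    return [(s, d) for s, d, t in packets if t == 8 and is_directed_broadcast(d)]

def reply_targets(packets, min_replies=3):
    """Destinations receiving echo replies from at least min_replies distinct LAN hosts."""
    senders = {}
    for s, d, t in packets:
        if t == 0 and ipaddress.ip_address(s) in LAN:
            senders.setdefault(d, set()).add(s)
    return {d: len(ss) for d, ss in senders.items() if len(ss) >= min_replies}

def amplification(packets):
    """Replies generated per broadcast request, keyed by the (spoofed) source."""
    requests = Counter(s for s, _ in find_broadcast_pings(packets))
    replies = reply_targets(packets, min_replies=1)
    return {victim: replies.get(victim, 0) / n for victim, n in requests.items()}

if __name__ == "__main__":
    print("broadcast pings:", find_broadcast_pings(PACKETS))
    print("hosts being flooded with replies:", reply_targets(PACKETS))
    print("amplification:", amplification(PACKETS))
```

The detection is the easy part; the fix is to stop routers forwarding directed broadcasts (on Cisco IOS, `no ip directed-broadcast`, the default since IOS 12.0) and to drop inbound echo requests to broadcast addresses at the firewall, so no amplification network exists to be used.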
How Adversaries Exploit Network Vulnerabilities
Knowing the attacks is one thing. Understanding how attackers actually get the position to launch them is the next layer.
Sending Malicious Traffic In
If a network has no firewall, or a firewall that's been set up wrong, an outside attacker can send traffic straight in. They can flood it to cause a DoS, map out what devices and services exist on the internal network (called reconnaissance), or spoof a legitimate device to trick other systems into trusting them.
Lateral Movement Across the LAN
Once an attacker compromises one device on a local area network (LAN), the game changes. They don't have to break in from the outside anymore. They can use that foothold to attack other devices on the same LAN, hopping from machine to machine to find more valuable targets. This is called lateral movement, and it's why "I only got infected on one laptop" can quickly become "the whole office is compromised."
Physical Access to Switch Ports
If an attacker can physically plug a cable into a data port (say, an unused jack in a conference room), they're suddenly on the LAN through that switch port. From there they can run DoS attacks, MAC flooding, or MAC spoofing. The defense is port security, a switch feature that limits which MAC addresses are allowed on each port. Without port security, any random device can connect and start causing trouble.
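The MAC flooding attack described earlier and the port security defense in this section are two sides of the same switch behaviour, so one added example (not from the course text) covers both: a toy learning switch with a bounded MAC table that floods frames for destinations it cannot learn, and an optional port-security limit on how many source MACs a single port may present. Port names, MACs and the table size are constructed for the sample.

```python
from collections import OrderedDict

class ToySwitch:
    """Minimal learning switch: bounded MAC table, flooding for unknown
    destinations, optional port security (max source MACs per port)."""

    def __init__(self, ports, table_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.table_size = table_size
        self.max_macs_per_port = max_macs_per_port
        self.cam = OrderedDict()      # mac -> port
        self.shutdown = set()         # ports disabled by a port-security violation
        self.flooded = 0              # frames sent out of every live port

    def _learn(self, mac, port):
        if mac in self.cam:
            self.cam[mac] = port      # MAC moved ports: update the entry
        elif len(self.cam) < self.table_size:
            self.cam[mac] = port
        # else: table is full, so this MAC simply cannot be learned

    def forward(self, in_port, src, dst):
        """Deliver one frame; return the list of ports it is sent out of."""
        if in_port in self.shutdown:
            return []
        if self.max_macs_per_port is not None:
            on_port = {m for m, p in self.cam.items() if p == in_port}
            if src not in on_port and len(on_port) >= self.max_macs_per_port:
                self.shutdown.add(in_port)   # violation: err-disable the port
                return []
        self._learn(src, in_port)
        out = self.cam.get(dst)
        if out is None or out == in_port:
            # Unknown destination (or broadcast): flood to every other live port.
            self.flooded += 1
            return [p for p in self.ports if p != in_port and p not in self.shutdown]
        return [out]

ALICE, BOB, BCAST = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "ff:ff:ff:ff:ff:ff"

def scenario(port_security: bool):
    """Attacker on p3 floods 50 fake source MACs, then Alice (p1) and Bob (p2) talk.
    Returns the switch and the ports Alice's second frame to Bob is sent out of."""
    sw = ToySwitch(ports=["p1", "p2", "p3"], table_size=4,
                   max_macs_per_port=2 if port_security else None)
    for i in range(50):
        sw.forward("p3", f"de:ad:be:ef:00:{i:02x}", BCAST)
    sw.forward("p1", ALICE, BOB)   # Bob not learned yet: flooded either way
    sw.forward("p2", BOB, ALICE)   # Bob's reply: learned only if the table has room
    return sw, sw.forward("p1", ALICE, BOB)

if __name__ == "__main__":
    for ps in (False, True):
        sw, out = scenario(ps)
        print(f"port security={ps}: Alice->Bob goes to {out}, shut ports={sw.shutdown}")
```

Without port security the fake MACs occupy the whole table, Bob can never be learned, and every Alice-to-Bob frame is flooded out of the attacker's port too. With a limit of two MACs per port, the third fake source address disables p3, the table stays small, and the same frame goes only to Bob. Real switches also age entries out, which is why the attacker has to keep flooding; the toy omits aging.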
Wireless Signal Leakage
Wireless access points broadcast signals, and those signals don't politely stop at the wall. An attacker standing in the parking lot or in the apartment next door can pick up the signal and the beacon frames that the access point sends out. Beacon frames advertise the network's existence and contain the SSID (service set identifier) along with the encryption protocols in use. With that info, the attacker can attempt eavesdropping or cryptographic attacks against the wireless network.
Networks That Don't Authenticate
If a network doesn't require devices and users to prove who they are before joining, attackers can just connect and start launching attacks from inside the network. Strong authentication (like requiring credentials or certificates) makes this much harder.
Rogue Access Points
This is a sneaky one. An attacker finds an open network port inside the building, plugs in a small wireless access point, and now there's a rogue access point sitting on the internal LAN. The attacker can connect to that rogue AP wirelessly, possibly from outside the building, and get direct access to the LAN. This completely bypasses the organization's firewall, since the firewall watches the boundary between inside and outside, not internal ports.
Breaking Wireless Encryption
Wireless networks use encryption to keep traffic private. Older or weaker protocols (like WEP, or poorly configured WPA) can be cracked. Once the attacker breaks the encryption, they can intercept, steal, or modify the data flowing over the wireless network.
Assessing and Documenting Network Risks
Not every vulnerability is a five-alarm fire. Part of cybersecurity work is figuring out which problems matter most. A network vulnerability becomes a risk when it threatens confidentiality (someone reads data they shouldn't), integrity (someone alters data), or availability (legitimate users can't access systems). That's the CIA triad showing up again.
What Vulnerabilities Can Lead To
A network vulnerability can let an attacker:
- Intercept and alter data in transit (confidentiality and integrity)
- Launch DoS attacks (availability)
- Move laterally across the network to reach more sensitive systems
Vulnerability Scanners
You don't have to find every weakness by hand. Automated vulnerability scanners check networks, devices, and applications against databases of known vulnerabilities. The scanner produces a report listing what it found, how severe each issue is, and recommendations for fixing it. Tools like Nessus and OpenVAS are common examples.
Likelihood Depends on Difficulty
Risk isn't just about impact. It's also about how likely the attack is to actually happen. Many network attacks require real technical skill, custom tools, and specific conditions. A vulnerability that only a nation-state attacker could realistically exploit is less likely to be used against a random small business than one that any kid with a YouTube tutorial could pull off.
High, Moderate, and Low Risk Examples
The CED gives clear examples of each risk level. Memorize the pattern.
High risk vulnerabilities let an attacker easily cause major damage: capturing traffic, spoofing devices, or running DoS attacks.
Illustrative example: An organization has a single unsegmented internal network that's accessible through a wireless network with weak encryption, and that network hosts a server running their proprietary web application. An attacker outside the building cracks the weak wireless encryption, joins the network, and now sits on the same flat LAN as a critical business server. That's high impact and not that hard to pull off.
Moderate risk vulnerabilities give attackers information about systems or devices but don't immediately hand them the keys.
Illustrative example: An organization's external firewall isn't configured to block external ICMP traffic. Attackers can ping the network from outside and use ICMP-based tools to map out which devices respond. They're not breaking in yet, but they're learning the layout for a future attack.
Low risk vulnerabilities are either hard to exploit or have minimal impact even if exploited.
Illustrative example: An organization's wireless access points broadcast beacon frames containing the SSID and the encryption protocols in use. Anyone nearby can see the network exists and what protocols it uses. That's a small information leak, but on its own it doesn't give the attacker much, especially if the encryption being advertised is strong.
When you document a risk, you're combining the impact (what could happen) with the likelihood (how easy is it to actually do) and matching it to one of these tiers. That's what helps a security team decide what to fix first.
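To make the tiering repeatable, the combination of impact and likelihood can be written down as a rule and applied to a list of findings. This is an added example, not the course's own method: the tier function encodes the three definitions above, the three findings are the course's illustrative examples, and the numeric impact and likelihood scores given to them are assumptions made for the sample.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    name: str
    impact: int       # 1 = minimal, 2 = leaks useful information, 3 = major damage
    likelihood: int   # 1 = needs rare skill or conditions, 2 = moderate effort, 3 = easy

def tier(f: Finding) -> str:
    """Low if hard to exploit or minimal impact; High if easy and damaging;
    Moderate for everything in between (information without the keys)."""
    if f.likelihood == 1 or f.impact == 1:
        return "Low"
    if f.impact == 3 and f.likelihood >= 2:
        return "High"
    return "Moderate"

def prioritize(findings):
    """Fix-first order: tier, then impact, then likelihood."""
    rank = {"High": 0, "Moderate": 1, "Low": 2}
    return sorted(findings, key=lambda f: (rank[tier(f)], -f.impact, -f.likelihood))

# The course's three illustrative findings; scores are assumptions for this example.
FINDINGS = [
    Finding("Beacon frames reveal SSID and encryption protocol", impact=1, likelihood=3),
    Finding("Weak wireless encryption in front of a flat LAN with a critical server", impact=3, likelihood=3),
    Finding("External firewall allows inbound ICMP (network mapping)", impact=2, likelihood=3),
]

def worklist(findings=FINDINGS):
    return [(f.name, tier(f)) for f in prioritize(findings)]

if __name__ == "__main__":
    for name, t in worklist():
        print(f"{t:9} {name}")
```

The rule also captures the likelihood point from the previous section: a finding with major impact but a likelihood of 1 (only a highly skilled, well-resourced attacker could exploit it) lands in the Low tier, which is where the course places "hard to exploit" vulnerabilities regardless of impact.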
Vocabulary
The following words are mentioned explicitly in the College Board Course and Exam Description for this topic.

| Term | Definition |
|---|---|
| address resolution protocol | A protocol used by a default gateway to establish a table that pairs IP addresses with MAC addresses on a network. |
| adversaries | Individuals or entities that attempt to exploit network vulnerabilities to compromise, disrupt, or damage network systems and communications. |
| ARP poisoning attack | An attack where an adversary sends falsified ARP packets to modify the gateway's address table so that traffic intended for a target is redirected to the adversary's device. |
| availability | The security principle ensuring that systems and data are accessible and functional when needed by authorized users. |
| beacon frame | A wireless transmission sent by an access point that broadcasts the network's presence and basic properties, which can be disabled to hide the network from discovery. |
| confidentiality | A security principle that ensures only authorized individuals, systems, or processes can access data. |
| credential harvesting | The practice of setting up a fake login site that appears legitimate to trick users into entering their real credentials, which are then captured by adversaries. |
| cryptographic attacks | Attacks aimed at breaking encryption or compromising the security of cryptographic systems protecting network data. |
| denial of service attack | An attack that makes a system or resource unavailable to authorized users by overwhelming it with traffic or requests. |
| device authentication | A security process that verifies the identity of devices attempting to connect to a network. |
| distributed denial of service attack | A denial of service attack where multiple devices attack the same target simultaneously to overwhelm it. |
| domain name system (DNS) poisoning attack | An attack where an adversary impersonates an authoritative name server and plants a fake DNS record to redirect browser traffic to a malicious website. |
| eavesdropping | The practice of capturing data in transit, recording and copying it without authorization; also called sniffing. |
| exploit | A technique or tool used to take advantage of a vulnerability to compromise a system or network. |
| firewall | A network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. |
| integrity | The security principle ensuring that data remains accurate, complete, and unaltered by unauthorized parties. |
| intercept | To capture or access data in transit between systems without authorization. |
| Internet Control Message Protocol | A network protocol used for sending error messages and diagnostic information, which can be exploited in attacks like smurf attacks. |
| lateral movement | The process by which an attacker moves from one compromised system to other systems on a network to gain access to more sensitive resources. |
| local area network | A network of computers and devices connected within a limited geographic area, such as an office or building. |
| MAC flooding attack | An attack where an adversary sends many Ethernet frames with different MAC addresses to a switch, potentially forcing it into broadcast mode to allow eavesdropping. |
| MAC spoofing | An attack in which an adversary forges a Media Access Control address to impersonate a legitimate device on a network. |
| malicious traffic | Network data packets intentionally sent by attackers to compromise, disrupt, or gather information about a network. |
| man-in-the-middle attack | An attack where an adversary intercepts communications between two parties, captures their data, and may modify it while both parties believe they are communicating directly with each other. |
| mitigation recommendations | Suggested actions or controls to reduce or eliminate the risk posed by identified vulnerabilities. |
| network traffic | The flow of data packets between devices on a network, including both inbound and outbound communications. |
| network vulnerabilities | Weaknesses or flaws in network infrastructure, configuration, or security that can be exploited by attackers. |
| port security | A network security feature that controls which devices can connect to specific switch ports by limiting the number of MAC addresses allowed on a port. |
| risk assessment | A process that evaluates the likelihood and severity of potential attacks against vulnerabilities to determine overall risk to assets. |
| rogue access point | An unauthorized wireless access point set up by an adversary to intercept network traffic or gain unauthorized access to a network. |
| service set identifier | The name of a wireless network that is broadcast by an access point to identify the network to potential users. |
| smurf attack | A denial of service attack that overwhelms a network by sending many ICMP requests with a victim's address to the network's broadcast address, causing devices to flood the victim with replies. |
| spoofing | A technique where an adversary impersonates a legitimate device or user by falsifying network information. |
| vulnerability scanner | An automated tool that scans networks, devices, and applications to identify known vulnerabilities and assess their severity. |
| weak encryption | Encryption methods that are easily broken or compromised due to insufficient security strength or outdated algorithms. |
| wireless access point | A networking device that allows wireless devices to connect to a wired network and transmit data wirelessly. |
| wireless encryption | Cryptographic methods used to protect wireless network communications from unauthorized access and interception. |
| wireless encryption protocols | Security standards used to encrypt wireless data transmissions to prevent unauthorized access and interception. |