3.1 Network Vulnerabilities and Attacks

Written by the Fiveable Content Team • Last updated June 2026
Verified for the 2027 exam

TLDR

Network attacks come down to a few core moves: intercepting traffic, listening in, redirecting users, or flooding a system until it stops working. This topic covers how attacks like ARP poisoning, MAC flooding, DNS poisoning, and smurf attacks actually work, how adversaries get into position to launch them, and how to rate each vulnerability as high, moderate, or low risk. Once you see how the attacks function, the defenses in the rest of Unit 3 make a lot more sense.


Why This Matters for the AP Cybersecurity Exam

AP Cybersecurity is built around adversarial thinking: spotting vulnerabilities, predicting how an attacker would exploit them, and judging how serious each risk really is. This topic gives you the core network attack vocabulary you will reuse across all of Unit 3, where you study segmentation, firewalls, wireless security, and detecting attacks in log files.

Expect to do three kinds of thinking here:

  • Name and describe specific attacks (ARP poisoning, MAC flooding, DNS poisoning, smurf/DoS/DDoS).
  • Explain how an adversary moves from outside access to inside control (lateral movement, rogue access points, physical port access).
  • Assess and document risk by combining impact with likelihood and placing it in a high, moderate, or low tier.

Key Takeaways

  • An on-path (man-in-the-middle) attack puts the adversary between two parties so they can read or change traffic; ARP poisoning with MAC spoofing is the classic way to get there.
  • MAC flooding forces a switch into broadcast mode so the attacker can sniff traffic; this is eavesdropping, which is passive.
  • DNS poisoning redirects users to fake sites for credential harvesting; smurf attacks use spoofed ICMP and a broadcast address to flood a victim (a DoS, or DDoS when many devices attack at once).
  • Adversaries get into position through missing or misconfigured firewalls, unprotected switch ports, leaking wireless signals, weak authentication, rogue access points, and crackable wireless encryption.
  • Network vulnerabilities threaten confidentiality, integrity, and availability (the CIA triad).
  • Risk level combines impact and likelihood; technically hard attacks are less likely, and vulnerability scanners help rank what to fix first.

Common Network Attacks

Most network attacks fall into a few categories: intercepting traffic, listening in, redirecting users, or overwhelming a system so it stops working. The four attacks below are the ones you need to know cold.

ARP Poisoning and On-Path Attacks

To understand this one, you need to know what ARP does. The address resolution protocol (ARP) is how a default gateway figures out which device on the network has which address. Every device has two addresses: an IP address (logical, like a mailing address) and a MAC address (physical, burned into the network card). The gateway keeps an ARP table that pairs them up so traffic reaches the right machine.

An ARP poisoning attack is when an adversary sends falsified ARP packets to the gateway. These packets claim that the target's IP address is actually at the adversary's MAC address. The gateway updates its table, and traffic meant for the victim gets sent to the attacker instead. Faking a MAC address like this is called MAC spoofing.

Once the attacker is sitting in the middle of the conversation, this becomes an on-path attack (also called a man-in-the-middle attack). The attacker interrupts the data stream between two parties, captures both parties' data, and can copy or alter it before forwarding it along. Both the victim and whoever they are talking to think they are communicating directly. They are actually both talking to the attacker.

  Normal:    Alice <----> Gateway <----> Bob
  Poisoned:  Alice <---> Attacker <---> Bob
                    (sees everything)
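As an added example (not part of this study guide), here is a small ARP monitor in the spirit of tools like arpwatch: it replays ARP replies, flags any IP-to-MAC binding that changes, treats the gateway's address as the most serious case, and shows how a static (pinned) entry for the gateway refuses the forged binding. The addresses and replies are constructed for the example.

```python
from collections import defaultdict

GATEWAY_IP = "192.0.2.1"
GATEWAY_MAC = "00:11:22:33:44:01"

# Constructed ARP replies seen on the LAN: (time, sender_ip, sender_mac).
# From t=40 an adversary at aa:bb:cc:dd:ee:ff claims the gateway's IP, then Alice's.
ARP_REPLIES = [
    (10, GATEWAY_IP, GATEWAY_MAC),
    (12, "192.0.2.25", "00:11:22:33:44:25"),    # Alice
    (15, "192.0.2.30", "00:11:22:33:44:30"),    # Bob
    (40, GATEWAY_IP, "aa:bb:cc:dd:ee:ff"),      # gateway IP now claimed by another MAC
    (41, "192.0.2.25", "aa:bb:cc:dd:ee:ff"),    # same MAC also claims Alice's IP
]


def monitor_arp(replies, gateway_ip, pinned=None):
    """Replay ARP replies, building the cache a host would learn.

    Returns (alerts, cache). Each alert is (time, severity, message).
    `pinned` maps IPs to MACs that must never be overwritten (static entries).
    """
    pinned = pinned or {}
    cache = {}                      # ip -> mac, as learned from replies
    ips_per_mac = defaultdict(set)  # mac -> set of IPs it has claimed
    alerts = []
    for t, ip, mac in replies:
        if ip in pinned and pinned[ip] != mac:
            # A static entry wins: report the forged reply and do not learn it.
            alerts.append((t, "HIGH", f"{ip} claimed by {mac}, pinned to {pinned[ip]}"))
            continue
        prev = cache.get(ip)
        if prev is not None and prev != mac:
            # Binding changed. For the gateway this is the on-path signature.
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((t, severity, f"{ip} moved from {prev} to {mac}"))
        cache[ip] = mac
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            # One NIC answering for several IPs is typical of MAC spoofing.
            alerts.append((t, "MEDIUM", f"{mac} claims {sorted(ips_per_mac[mac])}"))
    return alerts, cache


if __name__ == "__main__":
    for label, pinned in (("no static entry", None), ("gateway pinned", {GATEWAY_IP: GATEWAY_MAC})):
        alerts, cache = monitor_arp(ARP_REPLIES, GATEWAY_IP, pinned)
        print(f"--- {label}: gateway resolves to {cache[GATEWAY_IP]}")
        for alert in alerts:
            print("  ", alert)
```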

MAC Flooding and Eavesdropping

A switch keeps a table of which MAC addresses are on which ports, so it sends Ethernet frames only to the correct port instead of broadcasting to everyone. That table has a limited size.

A MAC flooding attack abuses that limit. The attacker sends the target switch a huge number of Ethernet frames, each with a different MAC address. This can force the switch into broadcast mode, sending every frame to every port. Now the attacker can collect all the traffic on the network, which could expose sensitive information.

This is a form of eavesdropping (also called sniffing), where the attacker captures data in transit and records or copies it. Eavesdropping is passive. The attacker is not changing anything, just listening.
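To see why the table limit matters, and what port security changes, here is an added toy switch simulation (constructed for this guide, not code from the page or any vendor). The table holds only four entries and evicts the oldest when full; the optional per-port MAC limit models port security shutting a port on a violation. Hosts, ports and the flood of fabricated source MACs are all made up for the example.

```python
from collections import OrderedDict, defaultdict


class ToySwitch:
    """Minimal learning switch with a bounded MAC table and optional port security."""

    def __init__(self, table_size, max_macs_per_port=None):
        self.table = OrderedDict()           # mac -> port, oldest entry first
        self.table_size = table_size
        self.max_macs = max_macs_per_port    # None means no port security
        self.port_macs = defaultdict(set)    # port -> MACs learned on it
        self.err_disabled = set()            # ports shut down by port security
        self.flooded = []                    # (src, dst) frames sent to every port

    def _learn(self, mac, port):
        """Record src MAC on port; return False if port security blocks it."""
        if (self.max_macs is not None and mac not in self.port_macs[port]
                and len(self.port_macs[port]) >= self.max_macs):
            self.err_disabled.add(port)      # violation: shut the port
            return False
        if mac in self.table:
            self.table.move_to_end(mac)      # refresh, like resetting its age
            return True
        if len(self.table) >= self.table_size:
            # Table full: the oldest binding is lost, so frames to that host
            # are flooded to every port until it is re-learned.
            old_mac, old_port = self.table.popitem(last=False)
            self.port_macs[old_port].discard(old_mac)
        self.table[mac] = port
        self.port_macs[port].add(mac)
        return True

    def frame(self, src, src_port, dst):
        """Forward one frame; returns what the switch did with it."""
        if src_port in self.err_disabled or not self._learn(src, src_port):
            return "dropped"
        if dst in self.table:
            return f"unicast to port {self.table[dst]}"
        self.flooded.append((src, dst))
        return "flooded to all ports"


ALICE, BOB = "00:00:00:00:00:01", "00:00:00:00:00:02"


def run_scenario(port_security):
    """Alice (port 1) and Bob (port 2) talk; a host on port 3 floods 50 fake MACs."""
    sw = ToySwitch(table_size=4, max_macs_per_port=2 if port_security else None)
    sw.frame(ALICE, 1, BOB)
    sw.frame(BOB, 2, ALICE)                  # both learned: unicast from here on
    for i in range(50):                      # constructed flood of fabricated sources
        sw.frame(f"de:ad:be:ef:00:{i:02x}", 3, BOB)
    outcome = sw.frame(BOB, 2, ALICE)        # does Bob's frame now reach port 3?
    return sw, outcome


if __name__ == "__main__":
    for ps in (False, True):
        sw, outcome = run_scenario(ps)
        print(f"port security {'on ' if ps else 'off'}: Bob->Alice {outcome}; "
              f"err-disabled ports {sorted(sw.err_disabled)}")
```

Without port security the flood evicts Alice and Bob from the table, so Bob's next frame is flooded to every port, including the attacker's; with a two-MAC limit the third fabricated source shuts port 3 and the legitimate bindings survive.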

DNS Poisoning and Credential Harvesting

The domain name system (DNS) turns names like bank.com into IP addresses that computers actually use. When you type a URL, your computer asks a DNS server which IP goes with that name and trusts the answer.

In a DNS poisoning attack, the adversary pretends to be an authoritative name server (NS) and plants a fake DNS record on a DNS server to redirect browser traffic to a malicious website. The fake site is designed to steal credentials. Users type in their username and password, and the attacker grabs them.

That last step is credential harvesting: setting up a fake login site that looks like a real one so unsuspecting users enter real credentials. The attacker can then use those credentials on the actual site.

Smurf Attacks and Denial of Service

A denial of service (DoS) attack is any attack that makes a system or resource unavailable to authorized users. A smurf attack is one specific way to do that, using Internet Control Message Protocol (ICMP) requests (the same protocol behind the ping command).

Here is the trick. The attacker sends many ICMP requests with the victim's address as the source, and sends them to the network's broadcast address. The gateway forwards the request to every device on the network. Every device then replies to the victim's address. One spoofed request turns into a flood of replies, all aimed at the victim, so legitimate traffic cannot get through.

When multiple devices coordinate to attack the same target at once, it is called a distributed denial of service (DDoS) attack. DDoS is harder to stop because the traffic is coming from everywhere at the same time.
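As an added example (not from this guide), here is detection logic for the smurf pattern run over constructed ICMP packet records: an echo request aimed at the LAN's broadcast address from a source that is not on the LAN, followed by many hosts replying to that same address. The `drop_directed_broadcast` function models the usual gateway mitigation of refusing broadcast-addressed packets that arrive from outside; the network, victim address and packet records are all constructed.

```python
import ipaddress
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8        # ICMP type values
LAN = ipaddress.ip_network("192.0.2.0/24")
VICTIM = "203.0.113.5"                 # outside host whose address is spoofed

# Constructed packet records as (src, dst, icmp_type), in arrival order.
PACKETS = [
    ("192.0.2.10", "192.0.2.1", ECHO_REQUEST),          # an ordinary ping to the gateway
    ("192.0.2.1", "192.0.2.10", ECHO_REPLY),
    (VICTIM, str(LAN.broadcast_address), ECHO_REQUEST),  # the spoofed trigger
]
PACKETS += [(f"192.0.2.{h}", VICTIM, ECHO_REPLY) for h in range(20, 60)]  # 40 replies


def analyze_icmp(packets, lan, reply_threshold=10):
    """Return findings as (kind, address, detail) tuples."""
    findings = []
    responders = defaultdict(set)      # reply destination -> distinct reply sources
    for src, dst, itype in packets:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if itype == ECHO_REQUEST and dst_ip == lan.broadcast_address:
            # Broadcast pings are the amplifier. A source outside the LAN
            # almost certainly means a spoofed victim address.
            where = "outside LAN" if src_ip not in lan else "inside LAN"
            findings.append(("broadcast_ping", src, f"source {where}"))
        elif itype == ECHO_REPLY:
            responders[dst].add(src)
    for dst, srcs in responders.items():
        if len(srcs) >= reply_threshold:
            # Many hosts answering one address at once is the flood itself.
            findings.append(("reply_flood", dst, f"{len(srcs)} distinct responders"))
    return findings


def drop_directed_broadcast(packets, lan):
    """Mitigation at the gateway: discard broadcast-addressed packets from outside."""
    return [
        (src, dst, itype) for src, dst, itype in packets
        if not (ipaddress.ip_address(dst) == lan.broadcast_address
                and ipaddress.ip_address(src) not in lan)
    ]


if __name__ == "__main__":
    for finding in analyze_icmp(PACKETS, LAN):
        print(finding)
    kept = drop_directed_broadcast(PACKETS, LAN)
    print(f"gateway filter dropped {len(PACKETS) - len(kept)} packet(s)")
```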

How Adversaries Exploit Network Vulnerabilities

Knowing the attacks is one thing. Understanding how attackers get into position to launch them is the next layer.

Sending Malicious Traffic In

If a network has no firewall, or a firewall that is set up wrong, an outside attacker can send traffic straight in. They can flood it to cause a DoS, map out what devices and services exist on the internal network, or spoof a legitimate device to trick other systems into trusting them.

Lateral Movement Across the LAN

Once an attacker compromises one device on a local area network (LAN), they do not have to break in from the outside anymore. They can use that foothold to attack other devices on the same LAN, hopping from machine to machine to find more valuable targets. This is called lateral movement, and it is why one infected laptop can quickly become a much bigger problem.

Physical Access to Switch Ports

If an attacker can physically plug a cable into a data port (say, an unused jack in a conference room), they are suddenly on the LAN through that switch port. From there they can run DoS attacks, MAC flooding, or MAC spoofing. The defense is port security, a switch feature that limits which MAC addresses are allowed on each port. Without port security, any device can connect and start causing trouble.

Wireless Signal Leakage

Wireless access points broadcast signals, and those signals do not stop at the wall. An attacker standing outside a physically secure space can pick up the signal and the beacon frames that the access point sends out. Beacon frames advertise the network and contain the SSID (service set identifier) along with the encryption protocols in use. With that information, the attacker can attempt eavesdropping or cryptographic attacks against the wireless network.

Networks That Don't Authenticate

If a network does not require devices and users to prove who they are before joining, attackers can connect and launch attacks from inside the network. Strong authentication, like requiring credentials or certificates, makes this much harder.

Rogue Access Points

If there is an open network port inside the building, an attacker can plug in a wireless access point and create a rogue access point on the internal LAN. The attacker can then connect to that rogue AP wirelessly, possibly from outside the building, and get direct access to the LAN. This completely bypasses the organization's firewall, since the firewall watches the boundary between inside and outside, not internal ports.

Breaking Wireless Encryption

Wireless networks use encryption to keep traffic private. If an attacker can break that encryption, they can intercept, steal, or compromise the data flowing over the wireless network. (As an example, older protocols like WEP and poorly configured WPA have been crackable in practice.)

Assessing and Documenting Network Risks

Not every vulnerability is an emergency. Part of cybersecurity work is figuring out which problems matter most. A network vulnerability becomes a risk when it threatens confidentiality (someone reads data they should not), integrity (someone alters data), or availability (legitimate users cannot access systems). That is the CIA triad showing up again.

What Vulnerabilities Can Lead To

A network vulnerability can let an attacker:

  • Intercept and alter data in transit (confidentiality and integrity)
  • Launch DoS attacks (availability)
  • Move laterally across the network to reach more sensitive or critical systems

Vulnerability Scanners

You do not have to find every weakness by hand. Automated vulnerability scanners check networks, devices, and applications against databases of known vulnerabilities. The scanner produces a report that often lists what it found, how severe each issue is, and recommendations for fixing it. (Nessus and OpenVAS are common examples of such tools.)

Likelihood Depends on Difficulty

Risk is not just about impact. It is also about how likely the attack is to actually happen. Successfully exploiting many network vulnerabilities requires advanced technical ability and knowledge, which lowers the likelihood. A vulnerability that only a highly skilled attacker could realistically exploit is less likely to be used than one that almost anyone could pull off.

High, Moderate, and Low Risk Examples

The course gives clear examples of each risk level. Learn the pattern.

High risk vulnerabilities let an attacker easily cause significant impact: capturing network traffic, spoofing a legitimate device, or launching a DoS attack.

Illustrative example: An organization has a single unsegmented internal network that is accessible through a wireless network with weak encryption, and that network hosts a server running its proprietary web application. An attacker outside the building cracks the weak wireless encryption, joins the network, and sits on the same flat LAN as a critical business server. High impact, and not that hard to pull off.

Moderate risk vulnerabilities give attackers information about systems or devices but do not immediately hand them control.

Illustrative example: An organization's external firewall is not configured to block external ICMP traffic. Attackers can ping the network from outside and use ICMP-based tools to map which devices respond. They are not breaking in yet, but they are learning the layout for a future attack.

Low risk vulnerabilities are either hard to exploit or have minimal impact even if exploited.

Illustrative example: An organization's wireless access points broadcast beacon frames containing the SSID and the encryption protocols in use. Anyone nearby can see the network exists and what protocols it uses. That is a small information leak, but on its own it does not give the attacker much, especially if the encryption being advertised is strong.

When you document a risk, you combine the impact (what could happen) with the likelihood (how easy it is to actually do) and match it to one of these tiers. That is what helps a security team decide what to fix first.

How to Use This on the AP Cybersecurity Exam

Spotting the Attack

Questions often describe a scenario and ask you to name the attack. Watch for these signal words:

  • Fake ARP packets, IP linked to wrong MAC, traffic redirected to attacker = ARP poisoning / on-path (man-in-the-middle).
  • Switch flooded with many MAC addresses, switch broadcasts to all ports = MAC flooding (a form of eavesdropping/sniffing).
  • Fake DNS record, users sent to a lookalike login page = DNS poisoning leading to credential harvesting.
  • Spoofed ICMP sent to a broadcast address, victim flooded with replies = smurf attack (a DoS; DDoS if many devices).

Tracing How the Adversary Got In

If a question asks how an attacker reached the position to do damage, connect the entry point to the result: an open switch port plus no port security leads to MAC flooding or spoofing; an open internal port plus a rogue access point bypasses the firewall; weak or missing authentication lets an attacker join; weak wireless encryption can be cracked from outside the building.

Rating Risk

To justify a risk rating, name both pieces:

  • Impact: which part of the CIA triad is threatened and how badly.
  • Likelihood: how technically hard the attack is and what conditions it needs.

High risk means easy to exploit plus significant impact. Moderate risk usually means the attacker only gains information. Low risk means hard to exploit or minimal impact. Match the scenario to the tier and explain why.

Common Trap

Do not confuse eavesdropping (passive listening, like sniffing after MAC flooding) with on-path attacks (active interception where the attacker can alter data). They look similar but the ability to change data is what separates them.

Common Misconceptions

  • ARP poisoning and MAC flooding are not the same attack. ARP poisoning targets the gateway's ARP table to redirect specific traffic to the attacker (on-path). MAC flooding overwhelms a switch's MAC table to force broadcast mode so the attacker can sniff everything.
  • Eavesdropping is not the same as a man-in-the-middle attack. Eavesdropping is passive; the attacker only listens and copies. In an on-path attack the attacker sits between both parties and can alter the data before forwarding it.
  • A smurf attack does not directly hack the victim's computer. It abuses other devices on a network by spoofing the victim's address to a broadcast address, so all the replies flood the victim. The damage is loss of availability, not stolen data.
  • A rogue access point is a network attack, not just a physical one. It needs physical access to plug in, but its danger is that it gives wireless access to the internal LAN and bypasses the firewall entirely.
  • A firewall does not stop everything. Firewalls watch the boundary between inside and outside. Threats already inside the LAN, like a compromised device moving laterally or a rogue access point on an internal port, can operate behind the firewall.
  • High risk is not only about damage. A serious-sounding vulnerability that is extremely hard to exploit may rate lower than an easy attack with moderate impact. Always weigh likelihood alongside impact.

Vocabulary

The following words are mentioned explicitly in the AP® course framework for this topic.

  • address resolution protocol: A protocol used by a default gateway to establish a table that pairs IP addresses with MAC addresses on a network.
  • adversaries: Individuals or entities that attempt to exploit network vulnerabilities to compromise, disrupt, or damage network systems and communications.
  • ARP poisoning attack: An attack where an adversary sends falsified ARP packets to modify the gateway's address table so that traffic intended for a target is redirected to the adversary's device.
  • availability: The security principle ensuring that systems and data are accessible and functional when needed by authorized users.
  • beacon frame: A wireless transmission sent by an access point that broadcasts the network's presence and basic properties, which can be disabled to hide the network from discovery.
  • confidentiality: A security principle that ensures only authorized individuals, systems, or processes can access data.
  • credential harvesting: The practice of setting up a fake login site that appears legitimate to trick users into entering their real credentials, which are then captured by adversaries.
  • cryptographic attacks: Attacks aimed at breaking encryption or compromising the security of cryptographic systems protecting network data.
  • denial of service attack: An attack that makes a system or resource unavailable to authorized users by overwhelming it with traffic or requests.
  • device authentication: A security process that verifies the identity of devices attempting to connect to a network.
  • distributed denial of service attack: A denial of service attack where multiple devices attack the same target simultaneously to overwhelm it.
  • domain name system (DNS) poisoning attack: An attack where an adversary impersonates an authoritative name server and plants a fake DNS record to redirect browser traffic to a malicious website.
  • eavesdropping: The practice of capturing data in transit, recording and copying it without authorization; also called sniffing.
  • exploit: A technique or tool used to take advantage of a vulnerability to compromise a system or network.
  • firewall: A network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
  • integrity: The security principle ensuring that data remains accurate, complete, and unaltered by unauthorized parties.
  • intercept: To capture or access data in transit between systems without authorization.
  • Internet Control Message Protocol: A network protocol used for sending error messages and diagnostic information, which can be exploited in attacks like smurf attacks.
  • lateral movement: The process by which an attacker moves from one compromised system to other systems on a network to gain access to more sensitive resources.
  • local area network: A network of computers and devices connected within a limited geographic area, such as an office or building.
  • MAC flooding attack: An attack where an adversary sends many Ethernet frames with different MAC addresses to a switch, potentially forcing it into broadcast mode to allow eavesdropping.
  • MAC spoofing: An attack in which an adversary forges a Media Access Control address to impersonate a legitimate device on a network.
  • malicious traffic: Network data packets intentionally sent by attackers to compromise, disrupt, or gather information about a network.
  • man-in-the-middle attack: An attack where an adversary intercepts communications between two parties, captures their data, and may modify it while both parties believe they are communicating directly with each other.
  • mitigation recommendations: Suggested actions or controls to reduce or eliminate the risk posed by identified vulnerabilities.
  • network traffic: The flow of data packets between devices on a network, including both inbound and outbound communications.
  • network vulnerabilities: Weaknesses or flaws in network infrastructure, configuration, or security that can be exploited by attackers.
  • port security: A network security feature that controls which devices can connect to specific switch ports by limiting the number of MAC addresses allowed on a port.
  • risk assessment: A process that evaluates the likelihood and severity of potential attacks against vulnerabilities to determine overall risk to assets.
  • rogue access point: An unauthorized wireless access point set up by an adversary to intercept network traffic or gain unauthorized access to a network.
  • service set identifier: The name of a wireless network that is broadcast by an access point to identify the network to potential users.
  • smurf attack: A denial of service attack that overwhelms a network by sending many ICMP requests with a victim's address to the network's broadcast address, causing devices to flood the victim with replies.
  • spoofing: A technique where an adversary impersonates a legitimate device or user by falsifying network information.
  • vulnerability scanner: An automated tool that scans networks, devices, and applications to identify known vulnerabilities and assess their severity.
  • weak encryption: Encryption methods that are easily broken or compromised due to insufficient security strength or outdated algorithms.
  • wireless access point: A networking device that allows wireless devices to connect to a wired network and transmit data wirelessly.
  • wireless encryption: Cryptographic methods used to protect wireless network communications from unauthorized access and interception.
  • wireless encryption protocols: Security standards used to encrypt wireless data transmissions to prevent unauthorized access and interception.

Frequently Asked Questions

What is ARP poisoning and how does it work in AP Cybersecurity?

ARP poisoning is when an adversary sends falsified ARP packets to a network's default gateway to link the target's IP address to the adversary's MAC address, causing traffic meant for the victim to be redirected to the attacker instead. This makes it an on-path attack, also called a man-in-the-middle attack, because the adversary secretly sits between two communicating parties and can read or alter their data. Faking a MAC address as part of this process is called MAC spoofing.

What is the difference between a DoS attack and a DDoS attack?

A denial of service (DoS) attack makes a system or resource unavailable to authorized users, typically by flooding it with traffic from a single source. A distributed denial of service (DDoS) attack works the same way but uses multiple devices attacking the same target simultaneously, making it harder to stop. A smurf attack is one example of a DoS attack, where spoofed ICMP requests are sent to a broadcast address so every device on the network replies to the victim.

How does a MAC flooding attack work and what category of attack is it?

A MAC flooding attack involves an adversary sending a target switch many Ethernet frames, each with a different MAC address, which can overwhelm the switch's address table and force it into broadcast mode. Once the switch broadcasts all frames to every port, the attacker can collect traffic from across the network. This is classified as eavesdropping, or sniffing, because the attacker is passively capturing data in transit without altering it.

How do you assess whether a network vulnerability is high, moderate, or low risk?

Risk level is determined by combining the potential impact of a vulnerability with how likely it is to be exploited, including how much technical skill an attacker would need. High-risk vulnerabilities allow an attacker to easily capture traffic, spoof devices, or launch a DoS attack, while moderate-risk vulnerabilities mainly give attackers information about the network, and low-risk vulnerabilities are difficult to exploit with minimal impact. Automated vulnerability scanners can help by identifying known vulnerabilities, rating their severity, and suggesting fixes.
