AiTechWorlds
Leaving your network unprotected is like leaving your house with every door open, valuables visible on the table, and a note on the front door listing which rooms have what. Most passersby will ignore it. But you only need one who does not.
Network attackers are not mythical geniuses. They are opportunists who use well-documented techniques against systems that are simply not adequately defended. Understanding what they look for — and how they work — is the first step to stopping them.
All network attacks fall into two fundamental categories.
Passive Attacks — the attacker observes without interfering.
The victim may never know the attack occurred. No packets are injected, no connections are disrupted. The attacker simply listens.
Active Attacks — the attacker modifies, injects, or disrupts.
These are detectable (if you are watching) because they produce anomalous behavior.
Denial of Service (DoS): One source floods a target with traffic or exploits a vulnerability to exhaust its resources (CPU, memory, bandwidth). The target cannot respond to legitimate requests.
Distributed DoS (DDoS): Thousands or millions of compromised machines (a botnet) simultaneously flood a single target. The sheer volume overwhelms even well-provisioned infrastructure.
Common DDoS types include volumetric floods that saturate the target's bandwidth (Layer 3/4) and SYN floods that exhaust the server's connection state with half-open connections (Layer 4); both appear in the summary table below.
In a man-in-the-middle (MitM) attack, the attacker positions themselves between two communicating parties. Both sides believe they are talking directly to each other, while the attacker can read, and if the traffic is not integrity-protected, modify, every message.
Classic vectors: compromised Wi-Fi access points, ARP poisoning (see below), rogue DNS.
ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on a local network. It has no authentication: hosts accept unsolicited ARP replies and overwrite their cache with whatever the reply claims.
An attacker sends forged ARP replies to the victim: "192.168.1.1's MAC address is MY MAC." Every host that accepts the reply now sends its gateway-bound traffic to the attacker first; poisoning the gateway's cache with the victim's IP as well captures the return path, giving the attacker a full-duplex MitM position.
This is the most common MitM technique on local networks. It works because ARP has no authentication, and it is invisible to the victim unless something is watching the ARP cache.
Defenses: Dynamic ARP Inspection (DAI) on managed switches, which validates ARP packets against the DHCP snooping binding table; static ARP entries for critical hosts such as the gateway; and end-to-end encryption (TLS), which stops the attacker reading or altering what passes through even when redirection succeeds.
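The simplest host-side detection for the attack above is what arpwatch does: remember the MAC first seen for each IP and alert when a later ARP reply claims the same IP with a different MAC. The following is an added example, not code from the original page; it parses raw Ethernet/ARP frames that the example itself constructs (the MAC addresses and the 192.168.1.10 victim address are made up, 192.168.1.1 is the gateway from the text), and the function names parse_arp, build_arp_reply and watch are this example's own.

```python
# Added example (not from the original article): a minimal ARP-cache watcher in the
# spirit of arpwatch. It parses raw Ethernet+ARP frames, keeps the first MAC seen
# for each sender IP, and flags any later reply that claims the same IP with a
# different MAC. The frames fed to it below are constructed, not captured traffic.
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip) or None if not ARP."""
    if len(frame) < 14 + 28:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        return None
    arp = frame[14:42]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", arp[:8])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None  # only Ethernet/IPv4 ARP is handled here
    sha, spa, tha, tpa = arp[8:14], arp[14:18], arp[18:24], arp[24:28]
    return op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Construct an Ethernet frame carrying an ARP reply (used only to build sample input)."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    sip = bytes(int(x) for x in sender_ip.split("."))
    tip = bytes(int(x) for x in target_ip.split("."))
    eth = tmac + smac + struct.pack("!H", ETHERTYPE_ARP)        # dst MAC, src MAC, type
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY) + smac + sip + tmac + tip
    return eth + arp


def watch(frames):
    """Feed frames through the watcher; return (ip->mac bindings, list of alerts)."""
    bindings = {}   # ip -> MAC first seen claiming it
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, smac, sip, _, _ = parsed
        known = bindings.get(sip)
        if known is None:
            bindings[sip] = smac
        elif known != smac:
            alerts.append(f"ARP change for {sip}: {known} -> {smac}")
    return bindings, alerts


if __name__ == "__main__":
    gateway = "aa:bb:cc:00:00:01"    # constructed addresses
    attacker = "de:ad:be:ef:00:01"
    victim = "11:22:33:44:55:66"
    frames = [
        build_arp_reply(gateway, "192.168.1.1", victim, "192.168.1.10"),   # legitimate
        build_arp_reply(attacker, "192.168.1.1", victim, "192.168.1.10"),  # forged
    ]
    _, found = watch(frames)
    for alert in found:
        print(alert)
```

The watcher trusts whatever binding it sees first, so it must be started before the attacker and it will also alert on legitimate changes (a replaced gateway, a DHCP reassignment); in practice those are rare enough for critical hosts that the alert is worth investigating every time.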
DNS translates domain names to IP addresses. DNS spoofing injects a forged answer into a resolver's cache: "www.bank.com is at 192.168.99.99" (the attacker's server). Users visit the real domain name and land on a fake site.
Defense: DNSSEC lets zone owners sign their records, and a validating resolver rejects any answer whose signature does not verify. Two caveats: it only protects zones that are signed and resolvers that validate, and it does not cover the last hop from the client to its resolver, which needs DNS over TLS/HTTPS or a resolver you trust (hence "trusted resolvers" in the summary table). Resolvers also defend themselves without DNSSEC by randomising the transaction ID and source port and by refusing answers that do not match the outstanding query.
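To see why a forged answer is or is not accepted, it helps to implement the checks a caching resolver applies before it trusts a response: the transaction ID must match the query, the question section must match, and the answer records must be inside the bailiwick of the zone being asked about. The following is an added example, not code from the original page; it builds and parses its own DNS messages (the bank.com name and the 192.168.99.99 attacker address are the page's, 203.0.113.10 is a documentation address), and accept_response, in_bailiwick and the other function names are this example's own.

```python
# Added example (not from the original article): the acceptance checks a caching
# resolver applies to an incoming DNS response before it caches the answer. A forged
# reply that fails any check is dropped. All messages are constructed inline.
import struct


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(txid: int, qname: str) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN


def build_response(txid: int, qname: str, answers) -> bytes:
    """answers: list of (owner name, IPv4 string) A records."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR|RD|RA
    body = encode_name(qname) + struct.pack("!HH", 1, 1)
    for name, ip in answers:
        rdata = bytes(int(x) for x in ip.split("."))
        body += encode_name(name) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + body


def parse(msg: bytes) -> dict:
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(x) for x in rdata) if rtype == 1 else rdata
        answers.append((name, rtype, value))
    return {"id": txid, "flags": flags, "q": (qname, qtype, qclass), "answers": answers}


def in_bailiwick(name: str, zone: str) -> bool:
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def accept_response(query: bytes, response: bytes, zone: str):
    """Return (accepted, reason), mirroring the checks a cache applies."""
    q, r = parse(query), parse(response)
    if r["id"] != q["id"]:
        return False, "transaction ID mismatch"
    if not r["flags"] & 0x8000:
        return False, "not a response"
    if r["q"] != q["q"]:
        return False, "question section mismatch"
    for name, _, _ in r["answers"]:
        if not in_bailiwick(name, zone):
            return False, f"out-of-bailiwick record for {name}"
    return True, "ok"
```

The transaction ID is only 16 bits, so an attacker who can send thousands of guesses before the real answer arrives will eventually match it; that is why resolvers also randomise the source port (another 16 bits of entropy) and why DNSSEC, which the attacker cannot forge, is the real fix.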
Port scanning is reconnaissance, not an attack itself — but it precedes almost every attack.
A scanner sends probes to a range of ports on a target. Open ports reveal running services. Services reveal potential vulnerabilities. Nmap is the most widely used tool.
```bash
nmap -sV 192.168.1.1           # Detect services and versions on one host
nmap -p 1-1024 192.168.1.0/24  # Scan the well-known port range across a whole /24
```
Scanning systems you do not own, or are not authorised in writing to test, can violate computer-misuse laws and providers' terms of service, and it will trip the target's IDS. Get authorisation first.
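What a scanner actually does per port is easy to see in code. The following is an added example, not code from the original page or from the Nmap project: a minimal TCP connect scan (the probe behind nmap's -sT), which classifies a port as open, closed or filtered from the outcome of a connect() call. It scans only 127.0.0.1 against a throwaway listener it starts itself; the function names probe, scan, start_listener and free_port are this example's own.

```python
# Added example (not from the original article): a minimal TCP connect scan. A
# completed three-way handshake means the port is open; an immediate RST surfaces as
# ConnectionRefusedError and means closed; no answer within the timeout means
# filtered, typically because a firewall silently dropped the SYN.
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """Classify one TCP port as open, closed or filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:                 # socket.timeout and unreachable errors land here
        return "filtered"
    finally:
        s.close()


def scan(host: str, ports, timeout: float = 0.5, workers: int = 32) -> dict:
    """Probe the given ports concurrently; return {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda p: (p, probe(host, p, timeout)), ports))


def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Bind a throwaway service on an ephemeral port so the scan has an open target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def free_port(host: str = "127.0.0.1") -> int:
    """Find a port nothing is listening on, to serve as the closed target."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv = start_listener()
    open_port = srv.getsockname()[1]
    results = scan("127.0.0.1", [open_port, free_port()])
    srv.close()
    for port, state in sorted(results.items()):
        print(f"{port}/tcp {state}")
```

A connect scan completes the handshake, so every probe shows up in the target service's own logs; that is why attackers prefer SYN scans (nmap -sS), which send only the SYN and never finish the handshake, and why a network IDS watching for bursts of SYNs is a better place to catch them than application logs.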
Malware (malicious software) uses networks for both delivery and propagation.
Network controls limit malware even after the initial compromise: segmentation restricts lateral movement to the zone the infected host sits in, and egress filtering cuts off command-and-control traffic and data exfiltration to the attacker's servers.
| Attack | OSI Layer | How It Works | Prevention |
|---|---|---|---|
| DDoS (volumetric) | Layer 3/4 | Floods bandwidth with spoofed packets | Upstream scrubbing, rate limiting |
| SYN Flood | Layer 4 | Half-open connections exhaust server state | SYN cookies, firewall rate limits |
| ARP Poisoning | Layer 2 | Forged ARP replies redirect local traffic | Dynamic ARP Inspection, static ARP |
| DNS Spoofing | Layer 7 | Poisoned cache returns fake IP | DNSSEC, trusted resolvers |
| MitM | Layer 2–7 | Intercepts and modifies traffic | TLS/HTTPS, certificate pinning |
| Port Scanning | Layer 4 | Probes open ports to map services | Firewall, IDS alerting |
| Packet Sniffing | Layer 1–2 | Captures unencrypted traffic passively | Encryption (TLS), switched networks |
| SQL Injection | Layer 7 | Injects SQL via application input | Input validation, parameterized queries |
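The SQL injection row is the one entry in the table that lives entirely inside the application, so the fix is in code rather than on the network. The following is an added example, not code from the original page: a login query written the vulnerable way (string concatenation) beside the parameterized form the table recommends, run against an in-memory SQLite table the example creates itself. The user records, the `' OR '1'='1` payload and the function names are constructed for the example; storing passwords in plain text is done here only to keep the demonstration short.

```python
# Added example (not from the original article): the vulnerable and hardened forms of
# a login query, run against an in-memory SQLite database constructed inline.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway users table (plain-text passwords for demo purposes only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # String concatenation: user input becomes part of the SQL grammar, so a quote
    # in the input ends the literal and the rest is executed as SQL.
    query = (f"SELECT id FROM users WHERE name = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders: the driver passes the values separately from the statement, so
    # the input is only ever compared as data and never parsed as SQL.
    query = "SELECT id FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


PAYLOAD = "' OR '1'='1"   # turns the WHERE clause into (...) OR '1'='1'


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, real password:   ", login_vulnerable(conn, "alice", "s3cret"))
    print("vulnerable, injected payload:", login_vulnerable(conn, "alice", PAYLOAD))
    print("parameterized, injected:     ", login_parameterized(conn, "alice", PAYLOAD))
```

With the payload the concatenated query becomes `... WHERE name = 'alice' AND password = '' OR '1'='1'`, which is always true, so the vulnerable function returns a successful login; the parameterized version looks for a user whose password is literally `' OR '1'='1` and finds none. Input validation helps as a second layer, but parameterized queries are the control that removes the bug class.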
Defense in depth: no single control is sufficient. Layer multiple defenses so that when one fails (and eventually, one will), the others compensate. Perimeter firewall + network segmentation + host-based controls + encryption + monitoring.
Least privilege: every user, service, and device should have access only to what it needs to perform its function, nothing more. A compromised account with limited privileges does limited damage.
Segmentation: divide the network into zones. Public-facing servers in a DMZ. Databases on an internal segment reachable only from the application tier. Guest Wi-Fi isolated from corporate resources. When a device in one zone is compromised, the attacker cannot move freely to other zones, and the traffic crossing zone boundaries is exactly where monitoring pays off.
"Never trust, always verify." Traditional security assumed that traffic inside the network was safe. Zero Trust abandons that assumption: every access request is authenticated and authorized regardless of where it originates — inside or outside the perimeter.
| Tool | Category | Purpose |
|---|---|---|
| IDS (Intrusion Detection System) | Monitoring | Detects and alerts on suspicious traffic patterns; does not block |
| IPS (Intrusion Prevention System) | Active Defense | Detects and blocks attacks in real time; inline deployment |
| SIEM (Security Information & Event Management) | Analytics | Aggregates logs from all sources, correlates events, surfaces incidents |
| Firewall | Access Control | Enforces allow/deny rules on traffic flows |
| Honeypot | Deception | Decoy system that attracts attackers, records their methods |
| WAF (Web Application Firewall) | Layer 7 | Filters HTTP traffic; blocks SQLi, XSS, CSRF |
| Vulnerability Scanner | Assessment | Proactively finds known vulnerabilities before attackers do |
IDS vs IPS in one sentence: IDS watches and reports; IPS watches and acts. IDS is a camera; IPS is a camera with a lock on the door.
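A concrete picture of what an IDS "watches and reports" is a port-scan rule applied to connection logs: one source touching many distinct ports on one host inside a short window, most of them rejected. The following is an added example, not code from the original page or from any IDS product: the sample log lines are constructed in a simplified "timestamp source destination port state" format (10.0.0.9 plays the scanner, 10.0.0.5 a normal client), and detect_scans, parse_log and the thresholds are this example's own choices.

```python
# Added example (not from the original article): a sliding-window port-scan detector
# of the kind an IDS runs over connection logs. The log below is constructed for the
# example; "SF" marks a completed connection and "REJ" a rejected one.
from collections import defaultdict

SAMPLE_LOG = """\
1700000000.00 10.0.0.5 10.0.0.20 443 SF
1700000000.10 10.0.0.5 10.0.0.20 443 SF
1700000001.00 10.0.0.9 10.0.0.20 22 REJ
1700000001.01 10.0.0.9 10.0.0.20 23 REJ
1700000001.02 10.0.0.9 10.0.0.20 25 REJ
1700000001.03 10.0.0.9 10.0.0.20 80 SF
1700000001.04 10.0.0.9 10.0.0.20 110 REJ
1700000001.05 10.0.0.9 10.0.0.20 143 REJ
1700000001.06 10.0.0.9 10.0.0.20 443 SF
1700000001.07 10.0.0.9 10.0.0.20 3306 REJ
1700000001.08 10.0.0.9 10.0.0.20 8080 REJ
1700000001.09 10.0.0.9 10.0.0.20 8443 REJ
1700000050.00 10.0.0.5 10.0.0.20 80 SF
"""


def parse_log(text: str):
    """Yield (ts, src, dst, dport, state) tuples from the simplified log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, state = line.split()
        yield float(ts), src, dst, int(dport), state


def detect_scans(events, window: float = 10.0, threshold: int = 8):
    """Alert once per (src, dst) pair when the source has touched at least
    `threshold` distinct ports on that host within `window` seconds."""
    history = defaultdict(list)      # (src, dst) -> [(ts, port, state)] inside the window
    alerted = set()
    alerts = []
    for ts, src, dst, port, state in sorted(events):
        key = (src, dst)
        hist = history[key]
        hist.append((ts, port, state))
        while hist and ts - hist[0][0] > window:   # expire events older than the window
            hist.pop(0)
        distinct = {p for _, p, _ in hist}
        if len(distinct) >= threshold and key not in alerted:
            rejected = sum(1 for _, _, s in hist if s == "REJ")
            alerts.append({"src": src, "dst": dst, "ports": len(distinct),
                           "rejected": rejected, "start": hist[0][0], "end": ts})
            alerted.add(key)
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(parse_log(SAMPLE_LOG)):
        print(f"port scan: {alert['src']} -> {alert['dst']}, "
              f"{alert['ports']} ports ({alert['rejected']} rejected) in "
              f"{alert['end'] - alert['start']:.2f}s")
```

The alert fires the moment the eighth distinct port is seen rather than after the scan ends, which is the difference between an IDS that reports and an IPS that can still block the remaining probes. The threshold and window are tuning knobs: set them too low and your own vulnerability scanner and monitoring hosts trigger them, so those sources are normally allowlisted.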