Study Guide: CompTIA Security+ Network Attacks - Zero-Fluff, Hands-On Guide
Source: https://www.fatskills.com/comptia-security-/chapter/tech-comptia-security-network-attacks-zero-fluff-hands-on-guide

CompTIA Security+ Network Attacks - Zero-Fluff, Hands-On Guide

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


(MITM, DDoS, DNS Poisoning, ARP Spoofing, VLAN Hopping)


1. What This Is & Why It Matters

You’re a security analyst at a mid-sized company. One morning, users report slow internet, random disconnects, and some even claim their bank login pages look "off." Your SIEM alerts show unusual ARP traffic, DNS queries to sketchy IPs, and a sudden spike in UDP traffic from an internal server. You’re under attack.

Network attacks aren't just theoretical; they're daily threats that can:
  • Steal credentials (MITM, ARP spoofing)
  • Take down services (DDoS)
  • Redirect users to malicious sites (DNS poisoning)
  • Bypass segmentation (VLAN hopping)

If you ignore these, you're leaving the door wide open for data breaches, ransomware, or compliance violations (GDPR, HIPAA, PCI DSS). Your job is to detect, mitigate, and prevent them.


2. Core Concepts & Components

Man-in-the-Middle (MITM) Attack

  • Definition: An attacker secretly relays, and possibly alters, the communication between two parties who believe they are talking directly to each other (the Security+ objectives also call this an on-path attack).
  • Production Insight: Untrusted Wi-Fi (coffee shops, airports) is the classic setting, because anyone on the segment can become the on-path relay with ARP spoofing or a rogue access point. Enforce HTTPS (TLS 1.2+), validate certificates, and use HSTS so a downgrade to plain HTTP is not possible.

ARP Spoofing (ARP Poisoning)

  • Definition: An attacker sends forged ARP replies that bind their own MAC address to a legitimate IP (typically the default gateway), so the victim's traffic is delivered to the attacker instead.
  • Production Insight: ARP has no authentication, and hosts do not normally log cache changes, so without switch-side controls (Dynamic ARP Inspection) or a monitor such as arpwatch the attack leaves little trace. Static ARP entries for critical devices (servers, routers) are a stopgap on hosts you control.

DNS Poisoning (DNS Spoofing)

  • Definition: An attacker plants a forged record in a resolver's cache (or answers a client's query before the real server does) so a legitimate name, such as a bank's domain, resolves to an attacker-controlled IP.
  • Production Insight: A poisoned entry persists for its TTL even after the attacker stops, so every client behind that resolver keeps being redirected. Enable DNSSEC validation on your resolvers so forged answers fail signature checks.

Distributed Denial of Service (DDoS)

  • Definition: Overwhelming a target with traffic or requests from many sources (a botnet) so it can no longer serve legitimate users.
  • Production Insight: DDoS-for-hire services make attacks cheap to launch, so assume you will be a target; an on-prem link is saturated before your own filters ever see the traffic. Use cloud-based scrubbing (AWS Shield, Cloudflare) that absorbs the volume upstream.

VLAN Hopping

  • Definition: An attacker escapes VLAN segmentation to reach a restricted VLAN (e.g., jumping from Guest to Finance), either by negotiating a trunk with the switch (switch spoofing via DTP) or by sending double-tagged 802.1Q frames through a trunk whose native VLAN matches the attacker's access VLAN.
  • Production Insight: Both variants depend on trunk misconfiguration. Shut down unused ports, set every edge port to switchport mode access, disable DTP with switchport nonegotiate, and move the trunk native VLAN off VLAN 1.
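To make the VLAN hopping checklist concrete, here is an added example (not code from the guide or from Cisco) that audits an IOS-style running config for the settings the two hopping variants depend on. The weak and hardened configs are constructed samples; the interface names, VLAN numbers and the "black hole" VLAN 999 are lab assumptions. It flags edge ports whose mode is not pinned to access (DTP can negotiate a trunk), trunks still speaking DTP, trunks whose native VLAN is 1 (double-tagging), and ports with no configuration that were never shut down.

```python
"""Audit an IOS-style config for VLAN-hopping-friendly settings.

Added example, not from the original guide. Configs are constructed samples;
interface names and VLAN numbers are lab assumptions.
"""
import re

WEAK_CONFIG = """\
interface GigabitEthernet1/0/1
 description user-port
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/48
 description uplink
 switchport mode trunk
!
"""

HARDENED_CONFIG = """\
interface GigabitEthernet1/0/1
 description user-port
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description unused
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/48
 description uplink
 switchport mode trunk
 switchport trunk native vlan 998
 switchport nonegotiate
!
"""

NATIVE_RE = re.compile(r"switchport trunk native vlan (\d+)$")


def parse_interfaces(config):
    """Split an IOS config into {interface_name: [config lines]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line.strip():
            current = None  # end of the interface stanza
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces


def audit_interface(lines):
    """Return a list of findings for one interface (empty list = OK)."""
    findings = []
    if "shutdown" in lines:
        return findings  # a shut port cannot negotiate or forward anything
    if not lines:
        findings.append("unconfigured and not shut down (unused port left live)")
        return findings
    native = 1  # IOS default native VLAN when none is configured
    for line in lines:
        m = NATIVE_RE.match(line)
        if m:
            native = int(m.group(1))
    if "switchport mode trunk" in lines:
        if "switchport nonegotiate" not in lines:
            findings.append("trunk still sends DTP (add 'switchport nonegotiate')")
        if native == 1:
            findings.append("native VLAN is 1 (double-tagging risk)")
    elif "switchport mode access" not in lines:
        findings.append("mode not pinned to access (DTP may negotiate a trunk)")
    return findings


def audit_config(config):
    """Return {interface: [findings]} for every interface with a problem."""
    result = {}
    for name, lines in parse_interfaces(config).items():
        findings = audit_interface(lines)
        if findings:
            result[name] = findings
    return result


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for name, findings in audit_config(cfg).items():
            for f in findings:
                print(f"{name}: {f}")
```

Run it against `show running-config` output captured from your own switches; every interface the script prints is a port an attacker on that segment could use to negotiate or double-tag into another VLAN.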

3. Step-by-Step Hands-On: Detecting & Mitigating ARP Spoofing

Prerequisites

  • A Linux machine (Kali Linux for attacker, Ubuntu for victim)
  • arpspoof (from dsniff package)
  • Wireshark (for traffic analysis)
  • A test network (or virtual lab with VirtualBox)

Step 1: Simulate an ARP Spoofing Attack

Attacker (Kali Linux):

# Install dsniff (if not already installed)
sudo apt update && sudo apt install dsniff -y

# Find the gateway IP (usually .1 or .254)
ip route | grep default

# Forward the victim's traffic onward, otherwise you create a DoS rather than an MITM
sudo sysctl -w net.ipv4.ip_forward=1

# Tell the victim (-t 192.168.1.100) that the gateway (192.168.1.1) lives at our MAC.
# Run a second instance with the two IPs swapped to poison the gateway's cache as well.
# (Replace IPs and interface with your network.)
sudo arpspoof -i eth0 -t 192.168.1.100 192.168.1.1

Expected Output:

0:11:22:33:44:55 8:0:27:de:ad:0 0806 42: arp reply 192.168.1.1 is-at 0:11:22:33:44:55

(arpspoof prints one line per forged reply: source MAC, destination MAC, EtherType 0806, frame length, then the lie itself. dsniff prints MACs without leading zeros; 08:00:27:de:ad:00 stands for the victim's MAC in this lab. The victim's cache now maps the gateway's IP to the attacker's MAC, 00:11:22:33:44:55.)


Step 2: Detect ARP Spoofing (Victim Machine)

Victim (Ubuntu):

# Dump the ARP cache (arp comes from net-tools; ip neigh is the iproute2 equivalent and is always present)
arp -a
ip -4 neigh show

# Look for two IPs resolving to the same MAC, or for the gateway's MAC changing from what it was yesterday

Expected Output (Attack in Progress):

? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.50) at 00:11:22:33:44:55 [ether] on eth0  # Same MAC for the gateway and another host (the attacker, 192.168.1.50 in this lab)!

Step 3: Mitigate ARP Spoofing

Option 1: Static ARP Entries (Best for a Few Critical Servers)

# Add a static ARP entry for the gateway (replace the MAC with your router's real MAC, recorded while the network was healthy)
sudo arp -s 192.168.1.1 08:00:27:aa:bb:cc

# iproute2 equivalent
sudo ip neigh replace 192.168.1.1 lladdr 08:00:27:aa:bb:cc dev eth0 nud permanent

Verify:

arp -a | grep 192.168.1.1

(Should show PERM for a permanent entry. Static entries do not survive a reboot unless you script them, and they break silently when the gateway hardware changes, so keep them to a handful of critical hosts rather than the whole fleet.)

Option 2: Enable ARP Spoofing Protection (Switch-Level)

# On a Cisco IOS switch. DHCP Snooping builds the IP-to-MAC binding table that Dynamic ARP Inspection checks ARP packets against;
# ARP on untrusted ports that does not match a binding is dropped. Use your real user VLAN (avoid VLAN 1) and mark the uplink
# as trusted, or DAI will also drop the legitimate gateway's ARP. The interface name below is an example.
enable
configure terminal
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
interface GigabitEthernet1/0/48
 description uplink to distribution
 ip dhcp snooping trust
 ip arp inspection trust
exit
end
write memory

(Hosts with static IP addresses never appear in the snooping binding table; add them with an arp access-list applied via ip arp inspection filter, or DAI will block them.)
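The manual check in Step 2 does not scale past one host, so here is an added example (not part of the guide) that automates it: a Python script that parses `ip -4 neigh show` output and reports the two ARP spoofing indicators, one MAC claiming more than one IP and the gateway's MAC drifting from a known-good baseline. A constructed sample of the victim's neighbour table is embedded so it runs offline; the gateway baseline MAC 08:00:27:aa:bb:cc (the guide's router MAC) and the attacker IP 192.168.1.50 are lab assumptions. It goes a little beyond Step 2 by adding the baseline comparison, which catches the case where the attacker spoofs only the gateway entry and nothing else is duplicated.

```python
"""Audit a Linux neighbour table for ARP-spoofing indicators.

Added example, not from the original guide. Parses `ip -4 neigh show`
output (constructed sample embedded) and reports:
  1. a MAC address that claims more than one IP (arpspoof signature)
  2. the default gateway's MAC differing from a recorded baseline
Gateway IP/MAC baseline and the attacker's IP are lab assumptions.
"""
import re
import subprocess
from collections import defaultdict

# Constructed sample of the victim's (192.168.1.100) table while
# `arpspoof -t 192.168.1.100 192.168.1.1` runs from an attacker at
# 192.168.1.50 with MAC 00:11:22:33:44:55.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.50 dev eth0 lladdr 00:11:22:33:44:55 STALE
192.168.1.20 dev eth0 lladdr 08:00:27:12:34:56 REACHABLE
192.168.1.77 dev eth0  FAILED
"""

# Known-good gateway mapping recorded while the network was healthy
# (assumed lab values; in practice keep these in configuration management).
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "08:00:27:aa:bb:cc"

# Entries without a link-layer address (FAILED/INCOMPLETE) carry no lladdr
# field and therefore do not match.
LINE_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17}) (\S+)$")


def parse_neigh(text):
    """Return {ip: mac} for entries that carry a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def duplicate_macs(table):
    """MACs that claim more than one IP -> {mac: [ip, ...]}."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_changed(table, gw_ip=GATEWAY_IP, gw_mac=GATEWAY_MAC):
    """True if the gateway currently resolves to a MAC other than the baseline."""
    seen = table.get(gw_ip)
    return seen is not None and seen != gw_mac.lower()


def audit(text):
    """Return human-readable findings; an empty list means nothing suspicious."""
    table = parse_neigh(text)
    findings = []
    for mac, ips in duplicate_macs(table).items():
        findings.append(f"MAC {mac} claims {len(ips)} IPs: {', '.join(ips)}")
    if gateway_changed(table):
        findings.append(
            f"gateway {GATEWAY_IP} is at {table[GATEWAY_IP]}, expected {GATEWAY_MAC}"
        )
    return findings


def live_neigh():
    """Read the real table; only used when run directly on a Linux host."""
    return subprocess.run(["ip", "-4", "neigh", "show"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for finding in audit(SAMPLE_NEIGH):
        print("ALERT:", finding)
```

Swap `SAMPLE_NEIGH` for `live_neigh()` and run it from cron or an endpoint agent; shipping the findings to your SIEM gives you the ARP alerting the Observability section below asks for.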

4. Production-Ready Best Practices

Security

  • Enforce HTTPS everywhere, with HSTS and certificate validation (MITM protection).
  • Use DNSSEC validation on resolvers (prevents DNS poisoning).
  • Disable unused switch ports (VLAN hopping prevention).
  • Enable DHCP Snooping + Dynamic ARP Inspection (stops ARP spoofing).
  • Rate-limit ICMP/UDP at the edge and enable SYN cookies (DDoS mitigation for what reaches you).

Cost Optimization

  • Use cloud-based DDoS protection (AWS Shield, Cloudflare) instead of on-prem scrubbing.
  • Monitor ARP/DNS traffic with SIEM rules you already run rather than buying point products.

Reliability & Maintainability

  • Document VLAN assignments (prevents misconfigurations).
  • Use switchport mode access by default (VLAN hopping prevention).
  • Let dynamic ARP entries age out normally; keep static entries to a few critical hosts and manage them in configuration management so they do not go stale.

Observability

  • Monitor ARP traffic (unexpected MAC-IP mappings, gateway MAC changes).
  • Log DNS queries (unusual domains or unexpected answers = possible poisoning).
  • Set up DDoS alerts (traffic spikes > 2x baseline).
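The "spikes > 2x baseline" rule above is easy to state and easy to get wrong, so here is an added example (not from the guide) of how to implement it. It takes constructed per-flow records of the shape a NetFlow/IPFIX export or firewall log gives you after parsing (minute, source IP, protocol, bytes), buckets them by minute, and alerts when a bucket exceeds ALERT_FACTOR times the median of the previous few minutes. The median rather than the mean keeps one earlier spike from inflating the baseline and hiding the next. It also reports the distinct source count, which is what tells a DDoS (many sources) from a single-source DoS. The thresholds and the sample traffic are lab assumptions.

```python
"""Spike-versus-baseline alerting for volumetric DDoS, with source-count context.

Added example, not part of the original guide. Flow records are constructed
samples; thresholds are lab assumptions.
"""
from collections import defaultdict
from statistics import median

ALERT_FACTOR = 2.0        # the guide's "spike > 2x baseline" rule
BASELINE_MINUTES = 5      # how many prior buckets form the baseline
DDOS_SOURCE_THRESHOLD = 10  # assumed: more distinct sources than this = distributed

# Constructed sample: (minute, src_ip, proto, bytes). Minutes 0-4 are quiet
# web traffic from five hosts; minute 5 is a UDP flood from forty hosts.
SAMPLE_FLOWS = [
    (m, f"10.0.0.{i}", "tcp", 20_000) for m in range(5) for i in range(1, 6)
] + [
    (5, f"198.51.100.{i}", "udp", 50_000) for i in range(1, 41)
]


def bucketize(flows):
    """Aggregate flows into per-minute totals, source sets and per-protocol bytes."""
    buckets = defaultdict(
        lambda: {"bytes": 0, "sources": set(), "by_proto": defaultdict(int)}
    )
    for minute, src, proto, nbytes in flows:
        b = buckets[minute]
        b["bytes"] += nbytes
        b["sources"].add(src)
        b["by_proto"][proto] += nbytes
    return dict(buckets)


def detect_spikes(flows, factor=ALERT_FACTOR, window=BASELINE_MINUTES):
    """Return one alert dict per minute whose volume exceeds factor x the
    median of the previous `window` minutes."""
    buckets = bucketize(flows)
    minutes = sorted(buckets)
    alerts = []
    for idx, minute in enumerate(minutes):
        prior = [buckets[m]["bytes"] for m in minutes[max(0, idx - window):idx]]
        if not prior:
            continue  # nothing to compare against yet
        baseline = median(prior)
        cur = buckets[minute]
        # A zero baseline (a link that was idle) makes any traffic a spike.
        ratio = cur["bytes"] / baseline if baseline else float("inf")
        if ratio > factor:
            top_proto = max(cur["by_proto"], key=cur["by_proto"].get)
            alerts.append({
                "minute": minute,
                "bytes": cur["bytes"],
                "baseline": baseline,
                "ratio": round(ratio, 1),
                "sources": len(cur["sources"]),
                "top_proto": top_proto,
                "kind": "DDoS" if len(cur["sources"]) > DDOS_SOURCE_THRESHOLD else "DoS",
            })
    return alerts


if __name__ == "__main__":
    for a in detect_spikes(SAMPLE_FLOWS):
        print(f"minute {a['minute']}: {a['kind']} suspected, {a['bytes']} B "
              f"({a['ratio']}x baseline), {a['sources']} sources, mostly {a['top_proto']}")
```

Feed it real flow exports and tune BASELINE_MINUTES to your traffic's natural rhythm; a five-minute window catches a flood fast but will also fire on a legitimate marketing launch, which is exactly when you want a human to look.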

5. Common Mistakes & Traps

| Mistake | Symptom | Fix/Prevention |
|---|---|---|
| No ARP inspection | Users report slow internet and random disconnects; the gateway's MAC keeps changing in host ARP caches. | Enable Dynamic ARP Inspection (backed by DHCP Snooping) on access switches. |
| User traffic on VLAN 1 / default native VLAN | Attacker jumps from Guest to Finance VLAN via double tagging. | Keep user traffic off VLAN 1, set the trunk native VLAN to an unused VLAN, and park unused ports in a shut-down "black hole" VLAN. |
| No DNSSEC validation | Users redirected to fake login pages. | Enable DNSSEC validation on all resolvers (and sign your own zones). |
| No DDoS scrubbing | Website crashes under traffic spike. | Use AWS Shield/Cloudflare for automatic mitigation. |
| Static ARP entries not updated | Servers lose connectivity after a router or NIC swap changes the gateway MAC. | Manage static entries with configuration management (Ansible, Puppet), or prefer DAI over host-side entries. |

6. Exam/Certification Focus (CompTIA Security+)

Typical Question Patterns

  1. "Which attack redirects users to a fake website?"
     DNS poisoning (not ARP spoofing: ARP spoofing intercepts traffic on the local segment, DNS poisoning sends the client to the wrong host).

  2. "How do you prevent VLAN hopping?"
     Disable unused ports, pin edge ports with switchport mode access, turn off DTP with switchport nonegotiate, and keep the trunk native VLAN off VLAN 1.

  3. "What's the best way to stop ARP spoofing?"
     Dynamic ARP Inspection (DAI) backed by DHCP Snooping.

  4. "Which protocol is vulnerable to MITM?"
     HTTP (not HTTPS, provided certificates are validated and HSTS is in place).

Trap Distinctions

  • ARP Spoofing vs. DNS Poisoning
      • ARP = local network segment (IP-to-MAC mapping).
      • DNS = global (name-to-IP mapping).
  • DDoS vs. DoS
      • DDoS = distributed (many sources, typically a botnet).
      • DoS = single source (e.g., ping -f).

7. Hands-On Challenge (With Solution)

Challenge:

"You detect ARP spoofing in your network. How do you find the attacker's MAC address?"

Solution:

# On the victim machine, list dynamic ARP entries and find any MAC that appears more than once
arp -an | grep -v -e PERM -e incomplete | awk '{print $4}' | sort | uniq -d

# Then list the IPs that MAC claims (substitute the MAC the previous command printed)
arp -an | grep -i 00:11:22:33:44:55

Why it works:
  • arp -an lists every ARP entry with numeric addresses, one per line, e.g. "? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0".
  • grep -v drops static (PERM) and unresolved (<incomplete>) entries.
  • awk '{print $4}' keeps only the MAC column; sort | uniq -d prints the MACs that occur more than once.
  • One MAC answering for the gateway and for a second IP is the attacker's interface; the second IP is usually the attacker's real address, which is what you hand to the switch team to trace the port.


8. Rapid-Reference Crib Sheet

| Attack | Detection | Mitigation | Ports/Protocols |
|---|---|---|---|
| MITM | Certificate warnings; unexpected issuers in Wireshark TLS handshakes | Enforce HTTPS, HSTS, certificate validation | 443 (TLS) |
| ARP Spoofing | arp -a / ip neigh (duplicate MACs, gateway MAC change) | Static ARP, DAI + DHCP Snooping | ARP (Layer 2) |
| DNS Poisoning | dig (unexpected IPs, missing AD flag from a validating resolver) | DNSSEC, DNS filtering | 53 (UDP/TCP) |
| DDoS | SIEM/NetFlow (traffic spikes vs. baseline) | Cloud scrubbing, rate-limiting | Any (often UDP/ICMP) |
| VLAN Hopping | show interfaces trunk / show mac address-table (unexpected trunks or VLANs) | Disable unused ports, switchport mode access, switchport nonegotiate, non-default native VLAN | 802.1Q (VLAN tagging) |

Exam Traps:
  • ARP = Layer 2 (MAC), DNS = Layer 7 (Application).
  • DDoS vs. DoS (distributed vs. single source).
  • VLAN hopping needs a trunk: either one the attacker negotiates via DTP (switch spoofing) or an existing trunk whose native VLAN matches the attacker's access VLAN (double tagging).


9. Where to Go Next

  1. OWASP MITM Guide – Real-world MITM scenarios.
  2. Cisco DAI Configuration – Step-by-step ARP spoofing prevention.
  3. Cloudflare DDoS Protection – Free tier for small businesses.
  4. DNSSEC Deployment Guide – How to secure DNS.

Final Thought

Network attacks aren't just "hacker movies"; they're daily threats in production. Your job is to make them cost more to execute than they return to the attacker. Start with ARP inspection, DNSSEC, and DDoS scrubbing, then layer on monitoring. Defense in depth wins.