Skip to main content
PacketMentor logo
Open menu
Home
Training
Learn
CCNA Library (74)
Browse all CCNA topics →
Network (13)
Device Operations (5)
Network Access (12)
Wireless (6)
IP Connectivity (10)
IP Services (11)
Security (10)
Automation (7)
Network+ Library (77)
Browse all Network+ topics →
1.0Networking Concepts (22)
2.0Network Implementation (17)
3.0Network Operations (16)
4.0Network Security (15)
5.0Network Troubleshooting (7)
NSE 4 Library (45)
CCNP Library (33)
Practice
All practice →
Troubleshooting Labs
Packet Tracer Labs
Interactive Simulators
Mock ExamPricing
Contact 📞 +1 (860) 556-3010 Book a Call
← All topics
CompTIA Network+ Security Fundamentals Foundational

Common Network Attacks — On-Path, DNS Poisoning, DDoS, Deauth

Every attack CompTIA Network+ (N10-009) tests by name: on-path (MITM), DNS poisoning, ARP spoofing, DHCP starvation, MAC flooding, DDoS (volumetric, protocol, application), deauth, evil twin, rogue AP, VLAN hopping.

Quick summary
  • Learn each attack by **what it targets** (Layer 2? DNS? WLAN?) and **the one-line defense**. That's how N10-009 asks the questions.
  • The Layer-2 quartet: **ARP spoofing** (poison the ARP cache) → mitigate with DAI. **DHCP starvation/spoofing** → DHCP snooping. **MAC flooding** → port-security. **VLAN hopping** → disable DTP + set trunks explicit.
  • The wireless trio: **rogue AP** (unauthorized), **evil twin** (rogue with matching SSID), **deauth** (802.11 management-frame injection). Fixed by WIPS + WPA3 SAE + management-frame protection.

Layer-2 attacks (Ethernet + switch)

ARP spoofing / ARP poisoning

Attacker sends unsolicited ARP replies saying “the default gateway IP → MY MAC address.” Every host on the VLAN updates its cache and now sends traffic to the attacker.

Defense: Dynamic ARP Inspection (DAI) on the switch. Only ARP replies matching the DHCP-snooping binding table are allowed.

DHCP starvation and DHCP spoofing

  • Starvation — attacker floods the DHCP server with fake DISCOVERs, exhausting the pool. Legit clients can’t get addresses.
  • Spoofing — attacker runs a rogue DHCP server that answers first, handing out its own IP as the gateway (then MITM).

Defense: DHCP snooping. Trust only the port toward the real DHCP server; drop server-side messages from every other port.

MAC flooding (CAM table overflow)

Attacker floods the switch with millions of source MACs. The CAM table fills. Switch fails open — every frame becomes broadcast to every port. Attacker sees traffic they shouldn’t.

Defense: port-security capping MAC addresses per port (switchport port-security maximum 2), sticky learning, err-disable on violation.

VLAN hopping

Two variants:

  • Double-tagging — attacker inserts a 802.1Q tag for VLAN A, native VLAN is A, switch strips it → the inner tag for VLAN B gets forwarded there.
  • Switch spoofing — attacker’s port auto-negotiates DTP into a trunk. Now they see every VLAN.

Defense: disable DTP (switchport nonegotiate), set trunks explicitly, change native VLAN to an unused/blackholed VLAN, don’t allow untagged traffic on the native VLAN.

DNS attacks

DNS poisoning / cache poisoning

Attacker injects a fake DNS response into a resolver’s cache before the real one arrives. Every subsequent lookup for that FQDN returns the attacker’s IP.

Defense: DNSSEC (signed responses), randomize source ports, use trusted resolvers only.

DNS hijacking / redirection

Compromise the DNS server itself (or the DHCP-advertised DNS server on the LAN).

Defense: harden resolvers, monitor for lookalike-domain queries, use DoT/DoH between clients and known resolvers.

Man-in-the-middle (now called “on-path”)

CompTIA renamed MITM to on-path attack in the N10-009 objectives. Same concept: attacker sits in the traffic path and intercepts / modifies.

Techniques used to become on-path include ARP spoofing (LAN), DNS poisoning (WAN), rogue Wi-Fi (WLAN), and BGP hijacking (Internet).

Defense: end-to-end TLS with certificate pinning, HSTS, mutual auth, WPA3 SAE for Wi-Fi.

DDoS categories

Network+ splits DDoS three ways:

  • Volumetric — flood the pipe (UDP amplification via DNS/NTP/Memcached). Mitigated by upstream scrubbing + BGP flowspec.
  • Protocol — exhaust the state on firewalls / LBs (SYN flood, Slowloris). Mitigated by SYN cookies + rate limiting.
  • Application — HTTP-layer flood (large POSTs, expensive queries). Mitigated by WAF, rate limits, CAPTCHAs.

Wireless attacks

Rogue AP

An unauthorized AP plugged into the corporate network. Provides an alternate way in.

Defense: WIPS (Wireless IPS) scanning + wired-side rogue detection (matching AP MAC seen wirelessly to a wired switch port), 802.1X on Ethernet ports.

Evil twin

A rogue AP that broadcasts the same SSID as the corporate SSID, hoping clients auto-connect.

Defense: WPA3 SAE (mutual auth), 802.1X client cert validation, WIPS.

Deauthentication attack

Attacker forges 802.11 deauth management frames as the AP. Clients disconnect, then reconnect — attacker captures the WPA2 handshake for offline cracking.

Defense: 802.11w Protected Management Frames (PMF) — mandatory in WPA3, optional in WPA2.

Jamming

RF-level attack. Legitimate frames drown in noise.

Defense: spectrum analyzers, WIPS RF detection, coordinate with security to find + remove the jammer.

Social engineering — brief but tested

CompTIA lists a handful you need to name:

  • Phishing / spear-phishing / whaling — email lures. Whaling = C-suite target.
  • Vishing — voice phishing.
  • Smishing — SMS phishing.
  • Pretexting — fabricated scenario (“I’m from IT, need your password”).
  • Tailgating / piggybacking — following someone into a secure area.

Common exam / real-world mistakes

  1. Calling it MITM. N10-009 uses “on-path”. The old terminology still gets you the right answer, but new-style questions use the new term.
  2. Confusing rogue AP and evil twin. Rogue = unauthorized. Evil twin = unauthorized and impersonating an authorized SSID.
  3. Assuming HTTPS defeats ARP spoofing. HTTPS defeats content interception, but the attacker can still see SNI, still block traffic, still redirect to their own captive portal.
  4. Mixing up DHCP snooping and DAI. Both live on the switch. Snooping validates DHCP; DAI validates ARP by referencing the snooping table. Order: snooping first, DAI on top.
  5. Ignoring PMF for WPA2 networks. Deauth is trivial without PMF. Turn it on.

Cheat strip

Layer-2:
 ARP spoof     → DAI
 DHCP spoof/starve → DHCP snooping
 MAC flood     → port-security
 VLAN hopping  → disable DTP, explicit trunks, unused native VLAN

DNS:
 Poisoning     → DNSSEC + port randomization
 Hijacking     → hardened resolvers, DoT/DoH

On-path (MITM): end-to-end TLS + pin + WPA3 + HSTS

DDoS:
 Volumetric    → upstream scrubbing
 Protocol      → SYN cookies, rate limits
 Application   → WAF, rate limits

Wireless:
 Rogue AP      → WIPS + wired-side detection
 Evil twin     → WPA3 SAE + WIPS
 Deauth        → PMF (802.11w) — mandatory in WPA3
 Jamming       → spectrum analyzer, physical location

Social eng:
 phishing / vishing / smishing / whaling / pretexting / tailgating
Master this on a real network

Want this drilled into reflex?

1:1 weekly sessions, live feedback on your labs, and US interview prep — built around the Network+® exam blueprint. Free first session. No card on file until you decide.

Claim my free session →

Get the free CCNA 12-week roadmap

You're already reading up on Common Network Attacks — On-Path, DNS Poisoning, DDoS, Deauth. The roadmap is the order I recommend studying every CCNA topic in — with what to lab each week and where Common Network Attacks — On-Path, DNS Poisoning, DDoS, Deauth fits. A written personal reply, not an autoresponder. Expect it within one business day.

Personal reply from a senior network engineer. No third-party tracking. Unsubscribe any time.