Common Network Attacks — On-Path, DNS Poisoning, DDoS, Deauth
Every attack CompTIA Network+ (N10-009) tests by name: on-path (MITM), DNS poisoning, ARP spoofing, DHCP starvation, MAC flooding, DDoS (volumetric, protocol, application), deauth, evil twin, rogue AP, VLAN hopping.
- Learn each attack by **what it targets** (Layer 2? DNS? WLAN?) and **the one-line defense**. That's how N10-009 asks the questions.
- The Layer-2 quartet: **ARP spoofing** (poison the ARP cache) → mitigate with DAI. **DHCP starvation/spoofing** → DHCP snooping. **MAC flooding** → port-security. **VLAN hopping** → disable DTP + set trunks explicit.
- The wireless trio: **rogue AP** (unauthorized), **evil twin** (rogue with matching SSID), **deauth** (802.11 management-frame injection). Fixed by WIPS + WPA3 SAE + management-frame protection.
Layer-2 attacks (Ethernet + switch)
ARP spoofing / ARP poisoning
Attacker sends unsolicited ARP replies saying “the default gateway IP → MY MAC address.” Every host on the VLAN updates its cache and now sends traffic to the attacker.
Defense: Dynamic ARP Inspection (DAI) on the switch. Only ARP replies matching the DHCP-snooping binding table are allowed.
DHCP starvation and DHCP spoofing
- Starvation — attacker floods the DHCP server with fake DISCOVERs, exhausting the pool. Legit clients can’t get addresses.
- Spoofing — attacker runs a rogue DHCP server that answers first, handing out its own IP as the gateway (then MITM).
Defense: DHCP snooping. Trust only the port toward the real DHCP server; drop server-side messages from every other port.
MAC flooding (CAM table overflow)
Attacker floods the switch with millions of source MACs. The CAM table fills. Switch fails open — every frame becomes broadcast to every port. Attacker sees traffic they shouldn’t.
Defense: port-security capping MAC addresses per port (switchport port-security maximum 2), sticky learning, err-disable on violation.
VLAN hopping
Two variants:
- Double-tagging — attacker inserts a 802.1Q tag for VLAN A, native VLAN is A, switch strips it → the inner tag for VLAN B gets forwarded there.
- Switch spoofing — attacker’s port auto-negotiates DTP into a trunk. Now they see every VLAN.
Defense: disable DTP (switchport nonegotiate), set trunks explicitly, change native VLAN to an unused/blackholed VLAN, don’t allow untagged traffic on the native VLAN.
DNS attacks
DNS poisoning / cache poisoning
Attacker injects a fake DNS response into a resolver’s cache before the real one arrives. Every subsequent lookup for that FQDN returns the attacker’s IP.
Defense: DNSSEC (signed responses), randomize source ports, use trusted resolvers only.
DNS hijacking / redirection
Compromise the DNS server itself (or the DHCP-advertised DNS server on the LAN).
Defense: harden resolvers, monitor for lookalike-domain queries, use DoT/DoH between clients and known resolvers.
Man-in-the-middle (now called “on-path”)
CompTIA renamed MITM to on-path attack in the N10-009 objectives. Same concept: attacker sits in the traffic path and intercepts / modifies.
Techniques used to become on-path include ARP spoofing (LAN), DNS poisoning (WAN), rogue Wi-Fi (WLAN), and BGP hijacking (Internet).
Defense: end-to-end TLS with certificate pinning, HSTS, mutual auth, WPA3 SAE for Wi-Fi.
DDoS categories
Network+ splits DDoS three ways:
- Volumetric — flood the pipe (UDP amplification via DNS/NTP/Memcached). Mitigated by upstream scrubbing + BGP flowspec.
- Protocol — exhaust the state on firewalls / LBs (SYN flood, Slowloris). Mitigated by SYN cookies + rate limiting.
- Application — HTTP-layer flood (large POSTs, expensive queries). Mitigated by WAF, rate limits, CAPTCHAs.
Wireless attacks
Rogue AP
An unauthorized AP plugged into the corporate network. Provides an alternate way in.
Defense: WIPS (Wireless IPS) scanning + wired-side rogue detection (matching AP MAC seen wirelessly to a wired switch port), 802.1X on Ethernet ports.
Evil twin
A rogue AP that broadcasts the same SSID as the corporate SSID, hoping clients auto-connect.
Defense: WPA3 SAE (mutual auth), 802.1X client cert validation, WIPS.
Deauthentication attack
Attacker forges 802.11 deauth management frames as the AP. Clients disconnect, then reconnect — attacker captures the WPA2 handshake for offline cracking.
Defense: 802.11w Protected Management Frames (PMF) — mandatory in WPA3, optional in WPA2.
Jamming
RF-level attack. Legitimate frames drown in noise.
Defense: spectrum analyzers, WIPS RF detection, coordinate with security to find + remove the jammer.
Social engineering — brief but tested
CompTIA lists a handful you need to name:
- Phishing / spear-phishing / whaling — email lures. Whaling = C-suite target.
- Vishing — voice phishing.
- Smishing — SMS phishing.
- Pretexting — fabricated scenario (“I’m from IT, need your password”).
- Tailgating / piggybacking — following someone into a secure area.
Common exam / real-world mistakes
- Calling it MITM. N10-009 uses “on-path”. The old terminology still gets you the right answer, but new-style questions use the new term.
- Confusing rogue AP and evil twin. Rogue = unauthorized. Evil twin = unauthorized and impersonating an authorized SSID.
- Assuming HTTPS defeats ARP spoofing. HTTPS defeats content interception, but the attacker can still see SNI, still block traffic, still redirect to their own captive portal.
- Mixing up DHCP snooping and DAI. Both live on the switch. Snooping validates DHCP; DAI validates ARP by referencing the snooping table. Order: snooping first, DAI on top.
- Ignoring PMF for WPA2 networks. Deauth is trivial without PMF. Turn it on.
Cheat strip
Layer-2:
ARP spoof → DAI
DHCP spoof/starve → DHCP snooping
MAC flood → port-security
VLAN hopping → disable DTP, explicit trunks, unused native VLAN
DNS:
Poisoning → DNSSEC + port randomization
Hijacking → hardened resolvers, DoT/DoH
On-path (MITM): end-to-end TLS + pin + WPA3 + HSTS
DDoS:
Volumetric → upstream scrubbing
Protocol → SYN cookies, rate limits
Application → WAF, rate limits
Wireless:
Rogue AP → WIPS + wired-side detection
Evil twin → WPA3 SAE + WIPS
Deauth → PMF (802.11w) — mandatory in WPA3
Jamming → spectrum analyzer, physical location
Social eng:
phishing / vishing / smishing / whaling / pretexting / tailgating
Twisted-Pair Cable Categories — Cat 5, 5e, 6, 6a, 7, 8
Every twisted-pair category CompTIA Network+ (N10-009) tests: max speed, max distance, PoE class, when to pick each. Plus the shielding letters (U/UTP, F/UTP, S/FTP) that trip up half the room.
FortiGate Architecture — FortiOS, VDOMs, and the Session Table
How a FortiGate is built end-to-end: FortiOS on ASIC-accelerated hardware, the packet flow, VDOMs, admin access, factory reset, and the stateful session table NSE 4 asks about.
Want this drilled into reflex?
1:1 weekly sessions, live feedback on your labs, and US interview prep — built around the Network+® exam blueprint. Free first session. No card on file until you decide.
Related topics
Cybersecurity Threats & Mitigation
The threat landscape every network engineer must recognize — phishing, ransomware, MITM, DDoS, supply-chain attacks, insider threats — and the mitigation controls that actually move the needle.
Security FundamentalsDHCP Snooping
Switch security feature that blocks rogue DHCP servers. Trusts one port (where the real server lives) and drops DHCP server messages from any other port. Foundation for Dynamic ARP Inspection too.
Security FundamentalsDynamic ARP Inspection (DAI)
The Layer-2 security feature that kills ARP spoofing dead. Validates every ARP packet against the DHCP Snooping binding table — bogus replies get dropped, trust your gateway again.
Get the free CCNA 12-week roadmap
You're already reading up on Common Network Attacks — On-Path, DNS Poisoning, DDoS, Deauth. The roadmap is the order I recommend studying every CCNA topic in — with what to lab each week and where Common Network Attacks — On-Path, DNS Poisoning, DDoS, Deauth fits. A written personal reply, not an autoresponder. Expect it within one business day.
Personal reply from a senior network engineer. No third-party tracking. Unsubscribe any time.