ARP Poisoning · MITM · DoS/DDoS · Wireshark · IDS/IPS · Evasion · NetFlow Analysis
Six core areas covering how attackers intercept traffic, launch denial-of-service campaigns, and evade detection systems — plus how defenders use IDS/IPS, packet captures, and NetFlow to catch them.
ARP is stateless and unauthenticated, so attackers send gratuitous ARP replies mapping their MAC to a legitimate IP. Victims update their ARP cache and forward traffic to the attacker. Defense: Dynamic ARP Inspection (DAI) on managed switches validates ARP against the DHCP snooping table.
Man-in-the-middle techniques include ARP poisoning (LAN), SSL stripping (downgrade HTTPS→HTTP), BGP hijacking (route redirection), DNS spoofing, and HTTPS interception with rogue CA certs. Each requires a specific defense: HSTS, RPKI, DNSSEC, cert pinning.
Four attack categories: Volumetric (flood bandwidth — UDP/ICMP floods), Protocol (exhaust state — SYN flood), Application Layer L7 (mimic legit traffic — Slowloris, HTTP flood), and Amplification (small query → huge response — DNS ANY, NTP monlist). SYN cookies defend against SYN flood; BCP38 counters amplification.
Wireshark and tcpdump capture traffic in promiscuous mode. Key display filters isolate SYN scans, HTTP, DNS, and specific hosts. Indicators in PCAPs include beaconing (C2 intervals), DNS tunneling (long base64 queries), cleartext credentials, and unusual port usage.
IDS is out-of-band (alerts only); IPS is inline (blocks traffic). Detection methods: signature-based (fast, misses zero-days), anomaly-based (behavioral baseline, catches zero-days but higher false positives), and heuristic/hybrid. Evasion: fragmentation, encoding, TTL manipulation, timing attacks, traffic flooding.
NetFlow captures flow metadata (src/dst IP, ports, protocol, bytes, duration) without payload — scalable for large networks. SIEM correlates logs from firewall, IDS, endpoint, DNS, and AD to detect C2 beaconing, lateral movement (east-west spikes), and data exfiltration (large outbound to unknown IPs).
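The two NetFlow/SIEM detections named above (regular C2 beaconing and large outbound transfers to unknown hosts), as an added example that is not from the page: it runs over constructed flow records and uses an assumed allowlist of approved external hosts; beaconing is scored by how constant the gap between flows is (coefficient of variation of inter-flow intervals).

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (seconds, src, dst, dst port, bytes out); not real NetFlow.
# 10.0.0.5 talks to 203.0.113.9 every 60 s (beacon); 10.0.0.9 pushes 750 MB to an unknown host.
FLOWS = [
    (0,    "10.0.0.5", "203.0.113.9",  443, 1200),
    (60,   "10.0.0.5", "203.0.113.9",  443, 1180),
    (120,  "10.0.0.5", "203.0.113.9",  443, 1210),
    (180,  "10.0.0.5", "203.0.113.9",  443, 1195),
    (240,  "10.0.0.5", "203.0.113.9",  443, 1205),
    (15,   "10.0.0.7", "198.51.100.4", 443, 5000),
    (900,  "10.0.0.7", "198.51.100.4", 443, 800),
    (1800, "10.0.0.7", "198.51.100.4", 443, 45000),
    (300,  "10.0.0.9", "192.0.2.77",    22, 750_000_000),
]
KNOWN_GOOD = {"198.51.100.4"}  # assumed allowlist of approved external destinations

def is_internal(ip):
    return ip.startswith("10.") or ip.startswith("192.168.")

def beaconing_pairs(flows, min_flows=4, max_cv=0.2):
    """Return (src, dst) pairs whose inter-flow gaps are nearly constant, with the mean gap."""
    by_pair = defaultdict(list)
    for ts, src, dst, _, _ in flows:
        by_pair[(src, dst)].append(ts)
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_flows:        # too few flows to judge regularity
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
        if cv <= max_cv:                  # low variation = machine-timed check-ins
            hits.append((pair, round(mean(gaps), 1)))
    return hits

def large_outbound(flows, known_good, threshold_bytes=100_000_000):
    """Sum bytes per internal->external pair; flag big totals to hosts not on the allowlist."""
    totals = defaultdict(int)
    for _, src, dst, _, nbytes in flows:
        if is_internal(src) and not is_internal(dst) and dst not in known_good:
            totals[(src, dst)] += nbytes
    return [(pair, total) for pair, total in totals.items() if total >= threshold_bytes]
```

Real traffic needs jitter tolerance (raise max_cv) and per-environment byte thresholds; the constants here are illustrative.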
ARP's stateless, unauthenticated design is the root cause of LAN-based MITM attacks. Understanding the full technique chain — and each layer's defense — is essential for GCIH.
| Technique | Mechanism | Tools | Defense |
|---|---|---|---|
| ARP Poisoning MITM | Poison LAN ARP cache to intercept traffic | arpspoof, Ettercap, Bettercap | DAI, static ARP, 802.1X |
| SSL Stripping | Downgrade HTTPS → HTTP; victim sends plaintext | sslstrip | HSTS, HSTS preloading |
| BGP Hijacking | Rogue AS announces more-specific route; internet traffic redirected | Custom BGP config | RPKI (Resource Public Key Infrastructure), BGP route filtering |
| HTTPS MITM | Rogue CA cert or cert pinning bypass to intercept TLS | mitmproxy, Burp Suite | Certificate pinning, certificate transparency logs |
| DNS Poisoning / Spoofing | Corrupt DNS resolver cache to redirect traffic to attacker IP | DNSChef, Ettercap | DNSSEC, DNS over HTTPS (DoH) |
SSL stripping flow: the victim sends plaintext HTTP; the attacker intercepts it and fetches https://bank.com over HTTPS themselves.

Detecting ARP poisoning: the same IP mapped to multiple MACs in the ARP table, or the gateway's MAC changes unexpectedly. Run arp -a to inspect. IDS signatures detect gratuitous ARP floods.
Unexpected certificate warnings in browsers indicate a rogue cert in the chain. Certificate transparency logs expose mis-issued certs. Browser cert pinning failures also signal HTTPS MITM.
Unexpected latency increases indicate traffic is taking an extra hop through the attacker. PCAP analysis shows traffic routed through an unexpected intermediate MAC address.
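The arp -a check described above, as an added example that is not from the page: it parses constructed ARP cache output, flags any IP bound to more than one MAC, and compares the gateway's MAC against an assumed baseline recorded from a known-clean state. The line pattern also accepts Windows-style output (dash-separated MACs), which goes beyond the Linux sample shown.

```python
import re
from collections import defaultdict

# Constructed sample of "arp -a" output (Linux format); not taken from a real host.
# The gateway IP appears twice with different MACs, the classic poisoning sign.
SAMPLE_ARP_OUTPUT = """\
gateway (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.20) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (192.168.1.1) at de:ad:be:ef:00:01 [ether] on eth0
? (192.168.1.50) at <incomplete> on eth0
? (192.168.1.30) at aa:bb:cc:dd:ee:02 [ether] on eth0
"""
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC_BASELINE = "00:11:22:33:44:55"  # assumed baseline from a known-clean state

# Matches both Linux "(ip) at mac" and Windows "ip  mac  dynamic" lines.
ARP_LINE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?(?P<mac>(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def parse_arp(output):
    """Return {ip: set_of_macs}; <incomplete> entries carry no MAC and are skipped."""
    table = defaultdict(set)
    for line in output.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")].add(m.group("mac").lower().replace("-", ":"))
    return dict(table)

def find_arp_anomalies(output, gateway_ip, gateway_mac_baseline):
    """Flag any IP bound to more than one MAC, and a gateway MAC that drifted from baseline."""
    table = parse_arp(output)
    findings = []
    for ip, macs in table.items():
        if len(macs) > 1:
            findings.append(("duplicate-mac", ip, sorted(macs)))
    gw_macs = table.get(gateway_ip, set())
    if gw_macs and gw_macs != {gateway_mac_baseline.lower()}:
        findings.append(("gateway-mac-changed", gateway_ip, sorted(gw_macs)))
    return findings
```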
DoS and DDoS attacks range from simple bandwidth exhaustion to sophisticated application-layer exploits. Recognizing the type determines the correct mitigation strategy.
| Type | Mechanism | Example Attacks | Defense |
|---|---|---|---|
| Volumetric | Flood available bandwidth | UDP flood, ICMP flood (ping of death), DNS amplification | Upstream scrubbing centers, rate limiting, null routing |
| Protocol | Exploit protocol weaknesses to exhaust server state | SYN flood (half-open connections exhaust TCB), Smurf attack (ICMP broadcast amplification) | SYN cookies, ingress filtering (BCP38), firewall state limits |
| Application Layer (L7) | Mimic legitimate traffic to exhaust app resources | HTTP flood (GET/POST), Slowloris (keep connections open with slow headers), RUDY (slow POST body) | WAF, rate limiting, CAPTCHA, connection timeouts |
| Amplification | Small spoofed query triggers large response directed at victim | DNS amplification (ANY query), NTP amplification (monlist), SSDP amplification | BCP38 ingress filtering, disable unnecessary services, rate-limit UDP responses |
| Protocol | Attack Vector | Bandwidth Amplification Factor | Mitigation |
|---|---|---|---|
| DNS | ANY query to open resolver | ~70x | Disable ANY queries, rate-limit responses |
| NTP | monlist command | ~556x | Disable NTP monlist (noquery) |
| SSDP | UPnP discovery | ~30x | Block SSDP at perimeter (UDP 1900) |
| LDAP | Connectionless LDAP (CLDAP) | ~46–55x | Block CLDAP externally (UDP 389) |
Effective network defense requires mastering capture tools, detection architectures, evasion techniques, and flow-based anomaly detection.
| Wireshark Display Filter | Purpose |
|---|---|
| ip.addr == 192.168.1.1 | Filter by IP (src or dst) |
| tcp.port == 443 | Filter by TCP port |
| http | Show all HTTP traffic |
| dns | Show DNS queries and responses |
| tcp.flags.syn == 1 && tcp.flags.ack == 0 | SYN only (not SYN-ACK); identifies port scans |
| frame contains "password" | Search payload for string |

| tcpdump Command | Purpose |
|---|---|
| tcpdump -i eth0 -w capture.pcap | Capture to file on interface eth0 |
| tcpdump host 192.168.1.1 and port 80 | Filter by host and port |
| tcpdump -r capture.pcap | Read from saved file |
| tcpdump -i eth0 -nn -X | No name resolution; show hex and ASCII payload |

PCAP indicator: DNS tunneling shows up as long base64-looking query names (e.g., aGVsbG8=.evil.com).

| Feature | IDS (Intrusion Detection System) | IPS (Intrusion Prevention System) |
|---|---|---|
| Network Position | Out-of-band (passive tap / SPAN port) | Inline (traffic passes through device) |
| Action on Detection | Alert only — logs and notifies | Alert and block — drops/rejects traffic |
| False Positive Impact | Low impact — only generates alert noise | High impact — blocks legitimate traffic |
| Latency Added | None — traffic not affected | Adds inspection latency to all traffic |
| Deployment Risk | Low — can't disrupt traffic | High — inline failure can block all traffic |
| Best Use Case | Monitoring, forensics, alert tuning | Active blocking of known threats in production |
Signature-based detection matches traffic against a database of known attack patterns (rules/signatures). It is fast with low false positives, but it cannot detect zero-day attacks or unknown variants and requires regular signature updates. Examples: Snort rules, Suricata rules.
Anomaly-based detection establishes a baseline of normal network behavior, then alerts on significant deviations. It can detect zero-day attacks and novel techniques, but has a higher false positive rate because unusual-but-legitimate activity triggers alerts, and it requires a learning/baselining period.
Heuristic detection uses rule-based pattern matching beyond exact signatures, catching variants of known attacks. Hybrid detection combines signature and anomaly detection to balance catch rate and false positive rate; most modern IDS/IPS products use hybrid approaches.
| Technique | How It Works | IDS Counter |
|---|---|---|
| Fragmentation | Split attack payload across multiple small IP fragments so no single fragment matches a signature | IDS reassembles fragments before inspection (full-stream reassembly) |
| Protocol Ambiguity | Send malformed packets that IDS and target parse differently — IDS sees harmless traffic, target sees attack | Strict protocol conformance checking; normalize packets before inspection |
| Polymorphism/Encoding | Encode payload (Base64, XOR, URL encoding, shellcode obfuscation) so signature doesn't match the encoded form | Decode and normalize content before signature matching |
| TTL Manipulation | Send decoy packets with TTL that expires before reaching target but after passing IDS — IDS inspects decoys, target ignores them | Normalize TTL values; maintain stateful inspection across flows |
| Traffic Flooding | Overwhelm IDS with high-volume noise to cause alert dropping or resource exhaustion | Rate-based alert throttling; hardware-accelerated inspection; alert prioritization |
| Timing Attacks (Slow) | Send attack very slowly (e.g., Slowloris) — below detection thresholds, session timeouts trigger before IDS correlates events | Long session tracking; behavioral anomaly detection on connection duration |
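Why the fragmentation and encoding rows require reassembly and normalization before matching, as an added example that is not from the page: a constructed HTTP request whose /etc/passwd string is split across out-of-order fragments is missed by per-fragment inspection but caught once the stream is rebuilt; URL decoding and base64 decoding are applied before the signature check, and a gap or overlap in the fragments is reported as incomplete rather than trusted.

```python
import base64
import re
from urllib.parse import unquote

SIGNATURE = b"/etc/passwd"  # the pattern an IDS rule looks for in the payload

# Constructed request split into three fragments (offset, bytes), delivered out of order.
# The signature straddles all three pieces, so no single fragment contains it.
STREAM = b"GET /cgi-bin/view?f=../../etc/passwd HTTP/1.1\r\n\r\n"
FRAGMENTS = [(33, STREAM[33:]), (0, STREAM[:29]), (29, STREAM[29:33])]
# Constructed encoded variant: the same string hidden in a base64 form field.
B64_SAMPLE = b"POST /u HTTP/1.1\r\n\r\nd=" + base64.b64encode(b"cat /etc/passwd")

def per_fragment_match(fragments, signature):
    """Naive inspection that looks at each fragment alone; this is what fragmentation defeats."""
    return any(signature in payload for _, payload in fragments)

def reassemble(fragments):
    """Rebuild the stream by offset; return None on a gap or overlap so the result isn't trusted."""
    out = b""
    for offset, payload in sorted(fragments):
        if offset != len(out):
            return None
        out += payload
    return out

def normalize(payload):
    """Undo common encodings before matching: URL decoding, then base64 runs of 16+ chars."""
    text = unquote(payload.decode("latin-1"), encoding="latin-1").encode("latin-1")
    def _decode(m):
        try:
            return base64.b64decode(m.group(0), validate=True)
        except Exception:
            return m.group(0)  # not valid base64, keep as-is
    return re.sub(rb"[A-Za-z0-9+/]{16,}={0,2}", _decode, text)

def inspect(fragments, signature):
    """Full-stream inspection: reassemble, normalize, then match."""
    stream = reassemble(fragments)
    if stream is None:
        return "incomplete"
    return "match" if signature in normalize(stream) else "clean"
```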