Hook / Why this matters
CISSP Lens: Pick answers that align business risk, governance intent, and practical control execution.
Attackers start by understanding your network better than you do. Scanning, spoofing, hijacking, and interception are all standard moves. You do not need to memorize every exploit, but you must understand common attack patterns and what defenses limit them.
Core concept explained simply
Network attacks aim to discover systems, disrupt services, steal data, or hijack communications. They often follow a pattern:
- Reconnaissance and scanning.
- Initial exploitation.
- Lateral movement and privilege escalation.
- Data access and exfiltration.
Knowing typical techniques helps you design layered countermeasures.
Reconnaissance and scanning
Attackers begin by mapping your environment:
- Port scanning discovers which services are listening on which ports.
- Banner grabbing collects information about software versions and configurations.
- Network mapping identifies active hosts and network structure.
Countermeasures include:
- Limiting exposed services with firewalls.
- Obscuring internal details behind proxies and gateways.
- Detecting scans with IDS and rate limiting.
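As an added illustration of the scan-detection countermeasure (this code is not part of the original study notes), the following Python script runs a simple detector over a constructed flow log. The log layout, the thresholds, and every IP address in it are assumptions for the example. The detector flags a source that touches many ports on one host within a time window (a vertical port scan) or the same port on many hosts (a host sweep, the network-mapping case), which is the same per-source counting logic an IDS rule or a NetFlow analytic applies.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log: (timestamp, src_ip, dst_ip, dst_port).
# All values are made up for this example; the layout mimics a minimal firewall or NetFlow export.
SAMPLE_FLOWS = [
    # ordinary workstation traffic to two internal servers
    ("2024-05-01T10:00:01", "10.0.1.20", "10.0.2.5", 443),
    ("2024-05-01T10:00:05", "10.0.1.20", "10.0.2.9", 443),
    ("2024-05-01T10:00:09", "10.0.1.20", "10.0.2.5", 443),
    # vertical scan: one source touching many ports on one host within seconds
    *[("2024-05-01T10:01:%02d" % i, "10.0.1.77", "10.0.2.5", port)
      for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389])],
    # host sweep: one source touching the same port on many hosts
    *[("2024-05-01T10:02:%02d" % i, "10.0.1.88", "10.0.2.%d" % host, 445)
      for i, host in enumerate(range(1, 25))],
]


def detect_scans(flows, window=timedelta(seconds=60), port_threshold=10, host_threshold=20):
    """Return {src_ip: {(kind, target): peak_count}} for sources whose activity inside any
    `window` looks like a scan. kind is "vertical_scan" (target = dst_ip, count = distinct
    ports) or "host_sweep" (target = dst_port, count = distinct hosts)."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(flows):          # ISO timestamps sort chronologically
        by_src[src].append((datetime.fromisoformat(ts), dst, port))

    findings = defaultdict(dict)
    for src, events in by_src.items():
        # slide the window start over every event of this source (events are time-ordered)
        for i, (start, _, _) in enumerate(events):
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for ts, dst, port in events[i:]:
                if ts - start > window:
                    break
                ports_per_host[dst].add(port)
                hosts_per_port[port].add(dst)
            for dst, ports in ports_per_host.items():
                if len(ports) >= port_threshold:
                    key = ("vertical_scan", dst)
                    findings[src][key] = max(findings[src].get(key, 0), len(ports))
            for port, hosts in hosts_per_port.items():
                if len(hosts) >= host_threshold:
                    key = ("host_sweep", port)
                    findings[src][key] = max(findings[src].get(key, 0), len(hosts))
    return {src: found for src, found in findings.items() if found}


if __name__ == "__main__":
    for src, found in detect_scans(SAMPLE_FLOWS).items():
        for (kind, target), count in found.items():
            print(f"{src}: {kind} against {target} ({count} distinct)")
```

The thresholds are the tuning knobs the section refers to: set them too low and authorized vulnerability scanners and monitoring systems fire constantly, so in practice those sources are allow-listed and the window and counts are adjusted against observed baseline traffic.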
Spoofing and hijacking
Spoofing and hijacking attacks manipulate identity or state in network communications.
Examples include:
- IP spoofing, where attackers forge source IP addresses.
- ARP poisoning, where they send false ARP messages to redirect traffic on local networks.
- DNS poisoning, where they corrupt DNS responses to redirect users to malicious sites.
- Session hijacking, where they take over existing sessions by stealing cookies or tokens.
Defenses involve:
- Enforcing encryption and authentication on sensitive protocols.
- Using switch features like dynamic ARP inspection and DHCP snooping.
- Hardening DNS through secured configurations and, where appropriate, DNSSEC.
- Using secure session handling and regeneration after authentication events.
Man in the middle attacks
Man in the middle (MITM) attacks place the attacker between two communicating parties.
Common avenues include:
- ARP spoofing on local networks.
- Rogue Wi-Fi access points impersonating legitimate SSIDs.
- Compromised or untrusted certificate authorities.
Countermeasures include:
- Using strong encryption with certificate validation (for example TLS with proper trust chains).
- Enabling security features on switches to prevent local spoofing where possible.
- Monitoring for rogue access points and unexpected certificates.
Denial of service and distributed denial of service
Denial of service (DoS) and distributed denial of service (DDoS) attacks attempt to overwhelm systems or networks.
They can target:
- Network bandwidth, saturating links.
- Systems or services, exhausting CPU, memory, or connection tables.
Defenses include:
- Capacity planning and over-provisioning.
- Rate limiting and connection throttling.
- Upstream DDoS protection from ISPs or cloud providers.
- Redundancy and failover architectures.
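To make the rate-limiting and connection-throttling defense concrete, here is an added Python example (not code from the original notes) of a per-source token bucket, the mechanism behind most "requests per second per client" limits in load balancers and web application firewalls. The rate, burst size, traffic mix and IP addresses are all constructed for the example: one client sends a steady 2 requests per second and one source floods at 16 per second, and the simulation reports how many requests from each were admitted.

```python
from collections import defaultdict


class TokenBucketLimiter:
    """Per-source token bucket. Each source earns `rate` tokens per second up to `burst`;
    a request costs one token and is rejected when the bucket cannot pay for it."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.state = {}  # src -> (tokens remaining, timestamp of last update)

    def allow(self, src, now):
        tokens, last = self.state.get(src, (self.burst, now))  # new sources start full
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill since last seen
        if tokens >= 1.0:
            self.state[src] = (tokens - 1.0, now)
            return True
        self.state[src] = (tokens, now)
        return False


def simulate(requests, rate=4, burst=10):
    """requests: iterable of (timestamp_seconds, src_ip).
    Returns {src_ip: (allowed, rejected)} after running every request through one limiter."""
    limiter = TokenBucketLimiter(rate, burst)
    counts = defaultdict(lambda: [0, 0])
    for ts, src in sorted(requests):
        counts[src][0 if limiter.allow(src, ts) else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}


# Constructed traffic (documentation-range addresses, made up for this example):
# a normal client at 2 requests/s for 10 s, and a flooding source at 16 requests/s for 10 s.
NORMAL = [(i * 0.5, "198.51.100.7") for i in range(20)]
FLOOD = [(i * 0.0625, "203.0.113.99") for i in range(160)]


if __name__ == "__main__":
    for src, (allowed, rejected) in simulate(NORMAL + FLOOD).items():
        print(f"{src}: allowed={allowed} rejected={rejected}")
```

With a 4 token/s rate and a burst of 10, the steady client is never throttled while the flooding source gets roughly the initial burst plus the refill rate over the interval (about 49 of 160 requests) and the rest are rejected. The limitation the section points to is also visible here: a single source is cheap to throttle, but a distributed flood spreads the load across many sources that each stay under the limit, which is why upstream provider capacity and over-provisioning still matter.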
Evasion techniques
Attackers use evasion to bypass detection:
- Fragmenting packets in unusual ways.
- Tunneling protocols inside other protocols.
- Obfuscating payloads.
Modern IDS and IPS platforms reassemble fragments and normalize traffic before inspection to counter these techniques, but signature updates and tuning remain important.
CISSP lens
For Domain 4, your goals include:
- Knowing the names and general behavior of key network attack types. You should recognize ARP poisoning, DNS poisoning, DDoS, and MITM in scenarios.
- Mapping attacks to layers. Understand which OSI layers are affected and which controls apply.
- Selecting appropriate countermeasures. For each attack type, be able to name one or more effective defenses.
- Thinking in layers. No single control stops all attacks. Defense in depth is key.
On the exam, avoid answers that rely on obscurity alone or that apply the wrong control to the wrong layer.
Real-world scenario
An internal attacker connected a laptop to a conference room network that shared a VLAN with many user devices.
Using ARP spoofing tools, the attacker:
- Sent forged ARP replies so that other devices believed the attacker's MAC address was the default gateway.
- Intercepted traffic between workstations and the gateway.
- Captured credentials and session cookies for internal web applications.
Because internal traffic was largely unencrypted and there were no switch-level protections, the attacker collected sensitive data for several hours.
After discovering the issue, the organization responded by:
- Enforcing encryption for internal web applications using HTTPS and modern TLS.
- Enabling switch security features such as DHCP snooping and dynamic ARP inspection where supported.
- Segmenting conference room and guest networks away from user and server networks.
- Deploying IDS sensors to detect ARP anomalies and unusual traffic patterns.
These changes made similar attacks much more difficult and easier to detect.
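The following Python example is added here to show, for both the ARP poisoning defenses listed under spoofing and hijacking and the IDS sensors deployed in the scenario above, what "validating ARP messages" and "detecting ARP anomalies" actually mean in code. It is not code from the original notes. The packet format, the addresses, and the trusted binding table are constructed for the example. The monitor checks each ARP reply against a trusted IP-to-MAC binding table (the role the DHCP snooping binding table plays for dynamic ARP inspection) and, for addresses outside that table, falls back to passive learning and reports when a known mapping changes, which is what an ARP-watching sensor alerts on.

```python
class ArpMonitor:
    """Passive ARP anomaly detector.

    trusted_bindings stands in for the binding table that dynamic ARP inspection builds from
    DHCP snooping or static entries: a reply that contradicts it is a violation and would be
    dropped by the switch. IPs outside the table are learned on first sight; a later change
    of MAC for the same IP is reported as a flip, the classic sensor-side signal."""

    def __init__(self, trusted_bindings=None):
        self.trusted = dict(trusted_bindings or {})
        self.learned = {}   # ip -> mac seen in the first reply for that ip
        self.alerts = []

    def process(self, pkt):
        """pkt = (seq, opcode, sender_ip, sender_mac, target_ip, target_mac);
        opcode 1 = request, 2 = reply. Returns the alerts raised by this packet."""
        seq, opcode, sender_ip, sender_mac, target_ip, _target_mac = pkt
        if opcode != 2:  # only replies assert a binding; requests are just questions
            return []
        new = []
        expected = self.trusted.get(sender_ip)
        if expected is not None:
            if expected != sender_mac:
                new.append(("binding_violation", seq, sender_ip, expected, sender_mac, target_ip))
        else:
            seen = self.learned.get(sender_ip)
            if seen is None:
                self.learned[sender_ip] = sender_mac
            elif seen != sender_mac:
                new.append(("mapping_flip", seq, sender_ip, seen, sender_mac, target_ip))
                self.learned[sender_ip] = sender_mac  # follow the new claim; the next flip alerts again
        self.alerts.extend(new)
        return new


def run(packets, trusted_bindings=None):
    """Feed a capture through a fresh monitor and return every alert in order."""
    monitor = ArpMonitor(trusted_bindings)
    for pkt in packets:
        monitor.process(pkt)
    return monitor.alerts


# Constructed capture (made-up addresses). Packets 1-3 are normal; packets 4-6 are replies that
# claim the gateway's IP with a different MAC, the pattern described in the scenario above.
GATEWAY_IP, GATEWAY_MAC = "10.0.5.1", "aa:bb:cc:00:00:01"
SAMPLE_ARP = [
    (1, 2, GATEWAY_IP, GATEWAY_MAC, "10.0.5.20", "de:ad:be:ef:00:20"),
    (2, 1, "10.0.5.20", "de:ad:be:ef:00:20", GATEWAY_IP, "00:00:00:00:00:00"),
    (3, 2, GATEWAY_IP, GATEWAY_MAC, "10.0.5.21", "de:ad:be:ef:00:21"),
    (4, 2, GATEWAY_IP, "66:66:66:66:66:66", "10.0.5.20", "de:ad:be:ef:00:20"),
    (5, 2, GATEWAY_IP, "66:66:66:66:66:66", "10.0.5.21", "de:ad:be:ef:00:21"),
    (6, 2, GATEWAY_IP, "66:66:66:66:66:66", "10.0.5.22", "de:ad:be:ef:00:22"),
]


if __name__ == "__main__":
    print("with binding table:", run(SAMPLE_ARP, {GATEWAY_IP: GATEWAY_MAC}))
    print("passive learning only:", run(SAMPLE_ARP))
```

Running the same capture both ways shows why the scenario's remediation paired switch features with sensors: with a trusted binding for the gateway every forged reply is caught individually, whereas passive learning reports only the first flip and then treats the forged mapping as the new normal. That is also why static entries for critical devices such as the gateway, as the reflection answer below suggests, are worth the maintenance cost.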
Common mistakes and misconceptions
Typical missteps include:
- Treating all attacks as generic hacking. Without understanding patterns, it is hard to pick appropriate defenses.
- Relying solely on perimeter firewalls. Many attacks occur inside the network or originate from compromised internal systems.
- Not requiring encryption on internal protocols. Assuming the internal network is trusted makes interception much easier.
- Ignoring DNS security. Open resolvers, poor configuration, and lack of monitoring leave DNS open to abuse.
- Underestimating DDoS as only a provider problem. Organizations should still plan for DDoS effects and coordinate with providers.
A CISSP should see internal trust assumptions as red flags and push for layered defenses.
Actionable checklist
To strengthen your defenses against common network attacks:
- Ensure administrative protocols and sensitive applications use encryption (HTTPS, SSH, secure management APIs) even on internal networks.
- Enable switch security features such as DHCP snooping, port security, and dynamic ARP inspection where supported and appropriate.
- Review DNS architecture, harden resolvers, restrict recursion, and consider DNSSEC for critical zones.
- Deploy IDS or IPS to monitor for scans, spoofing, and unusual patterns, and integrate alerts into your incident response process.
- Work with network and provider teams to understand available DDoS protection options and document response procedures.
- Include realistic network attack scenarios, such as MITM and DDoS, in incident response and tabletop exercises.
Key takeaways
- Network attacks follow recognizable patterns that you can prepare for.
- Internal networks are not inherently safe. Many attacks exploit internal trust.
- Encryption, segmentation, and device features all play roles in defending against network attacks.
- DDoS defense often depends on both local controls and upstream provider support.
- Understanding attack patterns helps you prioritize defenses and avoid chasing every exploit.
Optional exam-style reflection question
An attacker sends forged ARP replies on a local network so that traffic intended for the default gateway is sent to their machine instead. What type of attack is this, and what is a key countermeasure?
Answer: This is an ARP spoofing or ARP poisoning attack that enables man in the middle interception on a local network. Dynamic ARP inspection on switches, combined with DHCP snooping and static ARP entries for critical devices where appropriate, can help prevent this by validating ARP messages before accepting them.