Common Network Attacks Every Admin Should Recognize

Defending a network requires understanding how it can be attacked. The categories below cover the common attack patterns you’ll see in security training, certifications, and real incident reports. We’re describing them at a conceptual level so defenders can recognize them — not providing attack tools.

Man-in-the-Middle (MitM)

Attacker positions themselves between two parties, relays messages between them, and reads or modifies traffic in transit. Both sides think they’re talking directly to each other.

How it happens

  • Rogue Wi-Fi access point with same SSID as a legitimate network
  • ARP poisoning on a local network
  • BGP hijack at the internet level
  • Compromised certificate authority issuing fake certs

Defense

  • Use HTTPS with valid certs (TLS prevents reading even if traffic is intercepted)
  • HSTS headers (browser refuses non-HTTPS for the domain)
  • Certificate pinning for sensitive apps
  • VPN on untrusted networks
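The HSTS bullet above hides a few details that matter in practice: the policy is only trusted when it arrived over HTTPS, it has an expiry, and it may cover subdomains. The following is an added example (not code from the original post) of how a client stores and applies a Strict-Transport-Security policy; all hostnames, header values and timestamps are constructed.

```python
"""Added example (not part of the original post): how a client applies an HSTS
policy. A site sends Strict-Transport-Security once over HTTPS; the client then
refuses to send plain HTTP to that host (and optionally its subdomains) until
max-age expires. Hostnames and header values below are constructed samples."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires_at: float        # absolute time after which the policy is forgotten
    include_subdomains: bool


def parse_hsts_header(value: str, now: float) -> Optional[HstsPolicy]:
    """Parse 'max-age=N[; includeSubDomains]'. A malformed header yields None."""
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None      # ignore the header entirely, as browsers do
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return HstsPolicy(expires_at=now + max_age, include_subdomains=include_sub)


class HstsStore:
    """Per-client memory of which hosts demanded HTTPS."""

    def __init__(self):
        self._policies: dict = {}

    def record(self, host: str, header_value: str, now: float, over_tls: bool) -> None:
        # Only a policy received over HTTPS is trusted; on plain HTTP an on-path
        # party could have injected or stripped the header.
        if not over_tls:
            return
        policy = parse_hsts_header(header_value, now)
        if policy is None:
            return
        if policy.expires_at <= now:          # max-age=0: the site withdrew its policy
            self._policies.pop(host.lower(), None)
        else:
            self._policies[host.lower()] = policy

    def must_use_https(self, host: str, now: float) -> bool:
        labels = host.lower().split(".")
        # Exact host first, then each parent domain that set includeSubDomains.
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def upgrade(self, url: str, now: float) -> str:
        """Rewrite http:// to https:// when a policy applies; else return url unchanged."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or not self.must_use_https(host, now):
            return url
        # RFC 6797: an explicit port 80 becomes 443 (written implicitly); other ports stay
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The first visit is the weak spot: until the client has seen the header once over TLS, nothing stops a downgrade, which is why browsers also ship a preload list that sites can opt into.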

ARP poisoning (ARP spoofing)

On a local network, devices use ARP to map IP addresses to MAC addresses. ARP has no authentication. An attacker on the same LAN can broadcast forged ARP replies, redirecting traffic for any IP to themselves.

Defense

  • Static ARP entries for critical hosts (gateway, servers)
  • Dynamic ARP Inspection on managed switches
  • Network segmentation (VLANs limit blast radius)
  • Detection: tools like arpwatch alert when ARP mappings change
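To make the last bullet concrete, here is an added example (not from the original post, and not arpwatch's own code) of the detection logic such a tool runs: remember the MAC last seen for every IP and alert when a mapping moves or one MAC starts answering for several IPs. The observations it is fed are constructed sample data.

```python
"""Added example (not part of the original post): the core of what a monitor
like arpwatch does. It keeps the last known MAC for every IP seen in ARP traffic
and alerts when an IP moves to a different MAC, or when one MAC starts answering
for several IPs. The observations below are constructed, not a real capture."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpObservation:
    ts: float
    ip: str
    mac: str
    gratuitous: bool = False   # an unsolicited reply/announcement


class ArpMonitor:
    def __init__(self, rapid_window: float = 300.0):
        self.ip_to_mac = {}                 # ip -> MAC last seen for it
        self.mac_to_ips = defaultdict(set)  # MAC -> set of IPs it currently claims
        self.last_change = {}               # ip -> time its MAC last changed
        self.rapid_window = rapid_window    # a change this soon after the last one is suspicious
        self.alerts = []

    def observe(self, obs: ArpObservation) -> list:
        """Record one ARP observation; return the alerts it produced (also kept in self.alerts)."""
        new = []
        known = self.ip_to_mac.get(obs.ip)
        if known == obs.mac:
            return new                      # nothing changed
        if known is None:
            if obs.gratuitous:
                new.append(f"new station {obs.ip} announced itself as {obs.mac}")
        else:
            since = obs.ts - self.last_change[obs.ip]
            speed = "rapidly " if since <= self.rapid_window else ""
            new.append(f"{obs.ip} {speed}changed MAC: {known} -> {obs.mac}")
            self.mac_to_ips[known].discard(obs.ip)
        self.ip_to_mac[obs.ip] = obs.mac
        self.last_change[obs.ip] = obs.ts
        self.mac_to_ips[obs.mac].add(obs.ip)
        if len(self.mac_to_ips[obs.mac]) > 1:
            new.append(f"{obs.mac} now answers for {sorted(self.mac_to_ips[obs.mac])}")
        self.alerts.extend(new)
        return new


SAMPLE = [  # constructed: a gateway, a workstation, then a third station claiming both
    ArpObservation(0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpObservation(1.0, "10.0.0.20", "aa:aa:aa:aa:aa:20"),
    ArpObservation(2.0, "10.0.0.30", "aa:aa:aa:aa:aa:30"),
    ArpObservation(60.0, "10.0.0.1", "aa:aa:aa:aa:aa:30", gratuitous=True),
    ArpObservation(61.0, "10.0.0.20", "aa:aa:aa:aa:aa:30", gratuitous=True),
]


def run_sample() -> list:
    mon = ArpMonitor()
    for obs in SAMPLE:
        mon.observe(obs)
    return mon.alerts
```

Treat these as signals to investigate rather than verdicts: routers with several addresses and failover setups (VRRP, clustered firewalls) legitimately share a MAC, so a real deployment whitelists those before paging anyone.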

DNS spoofing / cache poisoning

Attacker tricks a DNS resolver into caching a wrong answer. Subsequent queries get the bad IP. Famously demonstrated by Dan Kaminsky in 2008.

Defense

  • DNSSEC (cryptographically signed responses)
  • Source port randomization (already enabled on modern resolvers)
  • DNS-over-HTTPS or DNS-over-TLS (encrypted, authenticated)
  • Use trustworthy resolvers (1.1.1.1, 9.9.9.9)
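The source-port bullet is easier to appreciate with the resolver's acceptance rule in front of you: a reply is cached only if its transaction ID, destination port, source server and question all match an outstanding query. The following is an added example (not from the original post, and not any real resolver's code) using simplified dataclasses instead of wire-format DNS; every name and address is a constructed sample value.

```python
"""Added example (not part of the original post): the matching checks a caching
resolver applies before it accepts a DNS reply, and why source-port randomization
enlarges the space a blind forger must cover. Messages are simplified dataclasses,
not wire-format DNS; every address and name is a constructed sample value."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    name: str
    qtype: str


@dataclass
class PendingQuery:
    txid: int
    src_port: int
    question: Question
    server_ip: str


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int
    question: Question
    from_ip: str
    answer_name: str
    answer_ip: str


class Resolver:
    def __init__(self, randomize_ports: bool = True):
        self.randomize_ports = randomize_ports
        self.pending = {}   # (txid, src_port) -> PendingQuery
        self.cache = {}     # Question -> answer_ip

    def send_query(self, question, server_ip, txid=None, src_port=None):
        """Register an outstanding query. txid/src_port are normally random; the
        optional arguments only exist so a test can drive deterministic values."""
        if txid is None:
            txid = secrets.randbelow(1 << 16)
        if src_port is None:
            src_port = 1024 + secrets.randbelow(65536 - 1024) if self.randomize_ports else 53
        pq = PendingQuery(txid, src_port, question, server_ip)
        self.pending[(txid, src_port)] = pq
        return pq

    def accept_response(self, resp):
        """Return (accepted, reason). Only a reply matching an outstanding query
        on every field is cached; anything else is dropped."""
        pq = self.pending.get((resp.txid, resp.dst_port))
        if pq is None:
            return False, "no outstanding query with that txid/port"
        if resp.from_ip != pq.server_ip:
            return False, "reply did not come from the server we asked"
        if resp.question != pq.question:
            return False, "question section does not match"
        if resp.answer_name.lower() != pq.question.name.lower():
            # Simplified bailiwick rule: cache only a record for the name we asked
            # about, so a reply cannot smuggle in records for other names.
            return False, "answer is for a name we did not ask about"
        del self.pending[(resp.txid, resp.dst_port)]
        self.cache[pq.question] = resp.answer_ip
        return True, "cached"


def blind_guess_space(randomize_ports: bool) -> int:
    """Combinations of (txid, port) that a forger who cannot see the query would
    have to cover: 2^16 transaction IDs alone, or 2^16 times the ephemeral port
    range once source ports are randomized."""
    ports = (65536 - 1024) if randomize_ports else 1
    return 65536 * ports
```

The matching checks are what the port randomization protects: with a fixed port the forger only has to match 16 bits of transaction ID, which is why DNSSEC (an actual signature on the data) rather than more entropy is the durable fix.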

DDoS (Distributed Denial of Service)

Many attacker-controlled machines flood a target with requests, exhausting bandwidth, CPU, memory, or connection capacity. Three categories:

  • Volumetric — raw bandwidth flooding (UDP floods, amplification attacks). Measured in Gbps or Tbps.
  • Protocol — exhaust connection state (SYN floods, fragmented packets). Measured in packets per second.
  • Application-layer — slow HTTP requests, login form spam, expensive queries. Smaller volume but harder to filter.

Defense

  • CDN / DDoS-protection service (Cloudflare, AWS Shield, Akamai)
  • Rate limiting at the application layer
  • SYN cookies (already on by default on modern Linux)
  • Anycast — distribute the impact across many edge nodes
  • Black-hole or scrubbing routes for known-bad sources
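The "rate limiting at the application layer" bullet is usually implemented as a token bucket per client key. Here is an added example (not from the original post) of that limiter, driven by a constructed request stream with one flooding client and one normal one; the rate and burst values are assumptions to tune per endpoint.

```python
"""Added example (not part of the original post): a per-client token-bucket
rate limiter of the kind placed in front of a login form or an expensive query.
Each client key (IP, API key, account) earns tokens at a steady rate up to a
burst cap; a request that finds no token is rejected before it costs backend
CPU. The request stream below is constructed."""
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float   # tokens currently available
    last: float     # time of the last refill calculation


class RateLimiter:
    def __init__(self, rate_per_sec: float, burst: int):
        self.rate = rate_per_sec
        self.burst = burst
        self.buckets = {}   # client key -> Bucket

    def allow(self, key: str, now: float) -> bool:
        """Return True and consume a token if the client may proceed."""
        b = self.buckets.get(key)
        if b is None:
            b = Bucket(tokens=float(self.burst), last=now)
            self.buckets[key] = b
        # Refill proportionally to the time elapsed, never beyond the burst cap.
        b.tokens = min(float(self.burst), b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def simulate(requests, rate_per_sec=2.0, burst=5):
    """requests: iterable of (timestamp, client_key). Returns {key: (allowed, rejected)}."""
    lim = RateLimiter(rate_per_sec, burst)
    stats = {}
    for ts, key in sorted(requests, key=lambda r: r[0]):
        allowed, rejected = stats.get(key, (0, 0))
        if lim.allow(key, ts):
            stats[key] = (allowed + 1, rejected)
        else:
            stats[key] = (allowed, rejected + 1)
    return stats


# Constructed stream: one client fires 50 requests in half a second,
# another sends one request per second.
SAMPLE_REQUESTS = (
    [(i * 0.01, "203.0.113.5") for i in range(50)]
    + [(float(i), "198.51.100.8") for i in range(10)]
)
```

Two caveats a practitioner would add: keying on source IP alone punishes everyone behind a shared NAT, so prefer session or account keys where you have them; and this only helps at the application layer, since a volumetric flood saturates the link before any request reaches the limiter, which is the job of the upstream CDN or scrubbing service.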

Packet sniffing

Reading traffic that wasn’t meant for you. Trivial on hubs (every port sees everything). Possible on switches via ARP poisoning, port mirroring, or compromising the switch.

Defense

  • Encrypt all traffic (HTTPS, SSH, VPN)
  • Switched networks instead of hubs
  • Network segmentation

Port scanning and reconnaissance

Attacker scans your network looking for open ports, OS versions, vulnerable services. Usually a precursor to actual attacks. Tools: nmap, masscan.

Defense

  • Default-deny firewall rules
  • Expose only services you actually use
  • IDS to detect scan patterns
  • Rate limiting on connection attempts

Phishing / social engineering

The most successful attack vector. Trick a user into entering credentials on a fake site or clicking a malicious link. Not a “network” attack technically, but most network breaches start here.

Defense

  • User training (phishing simulations)
  • MFA on every account that supports it
  • Hardware security keys for high-value accounts
  • Email filtering (SPF, DKIM, DMARC)
  • Web filtering for known phishing domains
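SPF and DKIM on their own only say that some domain authorized a message; DMARC is what ties that domain back to the From: address the user actually sees. The following is an added example (not from the original post) of that alignment decision with simplified verification results; the domains and policies are constructed, and the organizational-domain helper is a deliberate simplification (real implementations consult the Public Suffix List).

```python
"""Added example (not part of the original post): the alignment decision at the
heart of DMARC. SPF and DKIM each authenticate some domain; DMARC passes only when
one of them is aligned with the From: header domain. Inputs are simplified
verification results; all domains are constructed samples."""
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels. This is an
    assumption for the demo: real code uses the Public Suffix List so that
    e.g. example.co.uk is handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """'s' (strict) requires an exact match; 'r' (relaxed) accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str    # domain of the RFC5322 From: header
    spf_result: str     # "pass" / "fail" / "none"
    spf_domain: str     # domain SPF was evaluated for (envelope MAIL FROM)
    dkim_result: str    # "pass" / "fail" / "none"
    dkim_domain: str    # d= tag of the signature that verified


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s; aspf=r' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_evaluate(r: AuthResults, policy: dict):
    """Return (dmarc_result, disposition). Disposition is the policy's p= tag
    on failure and 'none' on pass. pct= and sp= are ignored for brevity."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, policy.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy.get("p", "none")
```

The case worth internalizing is the second test below: SPF can legitimately pass for a domain the sender controls while the From: header shows someone else entirely, and only the alignment check catches that.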

Lateral movement

Once inside a network (via phishing, exposed service, etc.), attackers move sideways looking for higher-value targets. They may pivot through ten machines before reaching their actual goal.

Defense

  • Network segmentation — workstations can’t directly reach databases
  • Least-privilege access on every system
  • Strong host firewalls even inside the perimeter
  • EDR on every endpoint
  • Centralized logging — detect lateral patterns
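"Detect lateral patterns" is only possible once logons from every host sit in one place, because each host sees just a single hop. Here is an added example (not from the original post) that reconstructs pivot chains from centralized logon records: an account that logged on from A to B and then, from B, on to C. The records, host names and window are constructed assumptions.

```python
"""Added example (not part of the original post): finding pivot chains in
centralized authentication logs. A single host only ever sees one hop; with
logons from every host in one place you can notice that an account logged on
from A to B and then, from B, on to C. The logon records below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Logon:
    ts: float    # seconds since epoch
    user: str
    src: str     # host the session came from
    dst: str     # host that accepted the logon


def find_pivot_chains(events, window_s=3600.0, min_hops=2):
    """Return {user: longest chain of hosts} for accounts that logged on A->B and
    then B->C (each hop within window_s of the arrival before it), with at least
    min_hops hops. Logons from a host to itself are ignored."""
    # (user, host) -> (time the account arrived on host, chain of hosts ending there)
    arrivals = {}
    best = {}
    for e in sorted(events, key=lambda x: x.ts):
        if e.src == e.dst:
            continue
        prev = arrivals.get((e.user, e.src))
        if prev is not None and e.ts - prev[0] <= window_s:
            path = prev[1] + [e.dst]      # this logon originates where the chain ended
        else:
            path = [e.src, e.dst]         # fresh hop, not linked to an earlier arrival
        arrivals[(e.user, e.dst)] = (e.ts, path)   # latest arrival on dst wins
        if len(path) - 1 >= min_hops and len(path) > len(best.get(e.user, [])):
            best[e.user] = path
    return best


SAMPLE_LOGONS = [   # constructed
    Logon(0.0, "alice", "WS-12", "FILESRV-1"),
    Logon(100.0, "alice", "WS-12", "MAIL-1"),
    Logon(0.0, "bob", "WS-03", "JUMP-1"),
    Logon(90000.0, "bob", "JUMP-1", "APP-5"),      # a day later: unrelated session
    Logon(1000.0, "svc_backup", "WS-07", "APP-2"),
    Logon(1400.0, "svc_backup", "APP-2", "DB-1"),
    Logon(1900.0, "svc_backup", "DB-1", "DC-1"),
]
```

Service accounts are the easy win here: one that should only ever run scheduled jobs has no business authenticating onward from the host it just landed on, so a chain like the sample's `svc_backup` path deserves an immediate look even before you tune thresholds for interactive users.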

The mindset

Modern security assumes the perimeter will be breached. “Zero trust” architecture means every connection is authenticated, authorized, and encrypted, even between internal services. Every layer is a defender’s last layer.

What to learn next

Network segmentation and VLANs — the structural defense that limits blast radius when (not if) something gets compromised. Up next.
