
Common Network Attacks for CompTIA Network+ N10-009

Identifying common network attacks is a major component of the Network+ N10-009 Security domain. You must recognize attack names, their methods, which layer they target, and their prevention. Exam questions present attack scenarios and ask you to identify the attack type or select the appropriate mitigation. Mastering attack recognition enables both the Security domain questions and many troubleshooting scenarios.

9 min
3 sections · 7 exam key points
1 practice question

Reconnaissance and Scanning Attacks

Reconnaissance: gathering information about a target before launching an attack. Passive reconnaissance uses publicly available information (OSINT — Open Source Intelligence): WHOIS, DNS records, LinkedIn, social media, Shodan. Active reconnaissance directly probes the target: port scanning (nmap), ping sweeps, OS fingerprinting — these generate traffic and can be detected.

Port scanning: tools like nmap identify which ports are open on a target system. An open port indicates a running service — a potential attack entry point. Mitigation: firewall rules, IDS signatures for port scan patterns.
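As an added illustration of the IDS-signature mitigation above (this is example code written for this page, not a tool from the original text), the following Python detector reads constructed firewall log lines and flags any source that touches many distinct destination ports on one host inside a short sliding window. The log format, addresses, window and threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (not from the page):
# <timestamp> <action> <src_ip> <dst_ip> <dst_port>
FIREWALL_LOG = """\
2024-05-01T10:00:01 DROP 203.0.113.7 192.0.2.10 21
2024-05-01T10:00:01 DROP 203.0.113.7 192.0.2.10 22
2024-05-01T10:00:02 DROP 203.0.113.7 192.0.2.10 23
2024-05-01T10:00:02 DROP 203.0.113.7 192.0.2.10 25
2024-05-01T10:00:03 DROP 203.0.113.7 192.0.2.10 80
2024-05-01T10:00:03 DROP 203.0.113.7 192.0.2.10 110
2024-05-01T10:00:04 DROP 203.0.113.7 192.0.2.10 143
2024-05-01T10:00:04 DROP 203.0.113.7 192.0.2.10 443
2024-05-01T10:00:05 DROP 203.0.113.7 192.0.2.10 3389
2024-05-01T10:00:05 DROP 203.0.113.7 192.0.2.10 8080
2024-05-01T10:00:06 ALLOW 198.51.100.5 192.0.2.10 443
2024-05-01T10:00:09 ALLOW 198.51.100.5 192.0.2.10 443
2024-05-01T10:00:12 ALLOW 198.51.100.5 192.0.2.10 80
"""


def parse_line(line):
    """Split one log line into (timestamp, action, src, dst, dport)."""
    ts, action, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), action, src, dst, int(dport)


def detect_port_scans(log_text, window=timedelta(seconds=10), threshold=8):
    """Return {src_ip: max_distinct_ports} for sources that contacted at least
    `threshold` distinct destination ports on one host within any `window`.
    A scanner's signature is breadth across ports, not volume of traffic."""
    events = defaultdict(list)          # (src, dst) -> [(ts, dport), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, _action, src, dst, dport = parse_line(line)
            events[(src, dst)].append((ts, dport))

    hits = {}
    for (src, _dst), evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= threshold:
                hits[src] = max(hits.get(src, 0), len(ports))
    return hits


if __name__ == "__main__":
    print(detect_port_scans(FIREWALL_LOG))   # {'203.0.113.7': 10}
```

Note that the decision is made on distinct ports per source and destination, so a legitimate client that repeatedly hits ports 80 and 443 is not flagged even if it sends far more packets than the scanner.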

Network Layer Attacks

DoS (Denial of Service): overwhelming a target with traffic or requests to make it unavailable. DDoS (Distributed DoS): coordinated attack from thousands of compromised systems (botnet). Flood attacks: SYN flood (half-open TCP connections exhaust server resources), ICMP flood (ping flood), UDP flood. Mitigation: rate limiting, upstream filtering, DDoS scrubbing services.
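To make the SYN-flood mechanism concrete, here is an added Python example (written for this page, not from the original) that walks a constructed stream of TCP packet summaries, tracks half-open connections (a SYN with no matching final ACK), and reports which sources are consuming the server's connection backlog. The packet tuples, backlog size and alert threshold are assumptions for the example.

```python
from collections import defaultdict

# Constructed packet summaries (not from the page): (src_ip, src_port, flags)
# arriving at one listening port. A normal client sends SYN, then ACK once it
# has received the server's SYN-ACK.
PACKETS = [
    ("198.51.100.5", 40001, "S"), ("198.51.100.5", 40001, "A"),
    ("198.51.100.9", 51000, "S"), ("198.51.100.9", 51000, "A"),
]
# A flood source sends many SYNs from different ports and never completes
# the handshake, so every one of them stays half-open.
PACKETS += [("203.0.113.7", 10000 + i, "S") for i in range(50)]


def half_open_report(packets, backlog=128):
    """Replay packets in order and return (half-open count per source,
    fraction of the backlog consumed by half-open connections)."""
    pending = set()                       # (src_ip, src_port) awaiting final ACK
    for src, sport, flags in packets:
        key = (src, sport)
        if flags == "S":
            pending.add(key)              # SYN received: server now holds state
        elif flags == "A" and key in pending:
            pending.discard(key)          # handshake completed, state released

    per_source = defaultdict(int)
    for src, _sport in pending:
        per_source[src] += 1
    return dict(per_source), len(pending) / backlog


def flood_sources(packets, backlog=128, min_half_open=20):
    """Sources holding at least `min_half_open` half-open connections."""
    per_source, _usage = half_open_report(packets, backlog)
    return sorted(src for src, n in per_source.items() if n >= min_half_open)


if __name__ == "__main__":
    counts, usage = half_open_report(PACKETS)
    print(counts, f"{usage:.0%} of backlog")   # {'203.0.113.7': 50} 39% of backlog
    print(flood_sources(PACKETS))              # ['203.0.113.7']
```

Per-source counting only helps when the flood is not spoofed; with forged source addresses the backlog fills just the same, which is why SYN cookies and upstream filtering, rather than blocking individual sources, are the usual answer.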

Man-in-the-Middle (MitM): attacker positions themselves between two communicating parties, intercepting and potentially modifying traffic. Methods: ARP poisoning (fake ARP replies redirect traffic), DNS poisoning (fake DNS responses), rogue APs (Evil Twin attack). Mitigation: encryption (with TLS/HTTPS an interceptor cannot present a valid certificate, so the tampering is detected), HTTP Strict Transport Security (HSTS), certificate pinning, Dynamic ARP Inspection (DAI).

IP spoofing: forging the source IP address of packets. Used in DoS amplification attacks (the attacker puts the victim's address as the spoofed source, so the reflectors send their larger responses to the victim). Mitigation: ingress filtering (ISPs block traffic from their customers with spoofed source IPs — BCP38), uRPF (Unicast Reverse Path Forwarding).

Layer 2 and Wireless Attacks

ARP poisoning (ARP spoofing): sending fake ARP replies to associate the attacker's MAC with a legitimate IP. Victims send traffic to the attacker. Mitigation: Dynamic ARP Inspection (DAI), static ARP entries for critical devices.
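The following Python model, added here as an example (not the page's or any vendor's code), shows the two defences named above: a Dynamic ARP Inspection check that validates each ARP reply on an untrusted port against a DHCP snooping binding table, and an arpwatch-style host-side watcher that flags an IP whose advertised MAC changes. The binding table, port names, MAC addresses and ARP replies are constructed for the example.

```python
# Constructed DHCP snooping binding table (not from the page): when each host
# obtained its lease the switch recorded (ip, vlan) -> (mac, port).
BINDINGS = {
    ("10.0.0.1", 10): ("00:00:5e:00:53:01", "Gi1/0/1"),   # default gateway
    ("10.0.0.25", 10): ("00:00:5e:00:53:25", "Gi1/0/5"),
    ("10.0.0.26", 10): ("00:00:5e:00:53:26", "Gi1/0/6"),
}
TRUSTED_PORTS = {"Gi1/0/24"}   # uplink toward router/DHCP server; DAI not applied there


def dai_check(arp_reply, vlan, ingress_port):
    """Mimic Dynamic ARP Inspection on an untrusted port: the sender IP/MAC in
    the ARP reply must match the binding learned for that VLAN and port.
    Returns 'forward' or a 'drop:<reason>' string."""
    if ingress_port in TRUSTED_PORTS:
        return "forward"
    entry = BINDINGS.get((arp_reply["sender_ip"], vlan))
    if entry is None:
        return "drop:no-binding"
    bound_mac, bound_port = entry
    if bound_mac != arp_reply["sender_mac"]:
        return "drop:mac-mismatch"
    if bound_port != ingress_port:
        return "drop:port-mismatch"
    return "forward"


def arp_cache_changes(replies):
    """Host-side fallback in the style of arpwatch: report every IP whose
    advertised MAC changes across a stream of observed ARP replies."""
    seen, alerts = {}, []
    for r in replies:
        ip, mac = r["sender_ip"], r["sender_mac"]
        if ip in seen and seen[ip] != mac:
            alerts.append((ip, seen[ip], mac))   # (ip, old_mac, new_mac)
        seen[ip] = mac
    return alerts


# Constructed ARP replies: the real gateway, a legitimate host, and a host on
# Gi1/0/6 that claims the gateway's IP with its own MAC.
GATEWAY = {"sender_ip": "10.0.0.1", "sender_mac": "00:00:5e:00:53:01"}
LEGIT = {"sender_ip": "10.0.0.25", "sender_mac": "00:00:5e:00:53:25"}
POISON = {"sender_ip": "10.0.0.1", "sender_mac": "00:00:5e:00:53:26"}

if __name__ == "__main__":
    print(dai_check(LEGIT, 10, "Gi1/0/5"))     # forward
    print(dai_check(POISON, 10, "Gi1/0/6"))    # drop:mac-mismatch
    print(arp_cache_changes([GATEWAY, LEGIT, POISON]))
```

The important design point is that DAI trusts the DHCP snooping table, not the ARP traffic itself; if snooping is not enabled, or the gateway has a static address with no binding, the static-ARP entries the text mentions (or an ARP ACL) must cover those devices.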

MAC flooding: flooding a switch with fake MAC addresses to fill the CAM table. When the table is full, the switch behaves like a hub — flooding all traffic to all ports. Mitigation: port security limiting MAC addresses per port.
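To see why a full CAM table turns a switch into a hub, and how port security stops it, here is an added Python simulation written for this page (not a vendor implementation): a toy learning switch with a small CAM table and an optional per-port MAC limit. Port names, MAC addresses, the table size and the limit are constructed values.

```python
class Switch:
    """Toy learning switch (constructed example): a CAM table of limited size
    and optional port security limiting the number of MACs learned per port."""

    def __init__(self, ports, cam_capacity=8, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam = {}                      # mac -> port
        self.cam_capacity = cam_capacity
        self.max_macs = max_macs_per_port
        self.violations = []               # (port, mac) dropped by port security

    def macs_on(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def forward(self, src_mac, dst_mac, in_port):
        """Learn the source, then return the list of egress ports."""
        if src_mac not in self.cam:
            if self.max_macs is not None and self.macs_on(in_port) >= self.max_macs:
                self.violations.append((in_port, src_mac))
                return []                  # port-security violation: frame dropped
            if len(self.cam) < self.cam_capacity:
                self.cam[src_mac] = in_port
            # table full and no port security: the MAC simply is not learned
        out = self.cam.get(dst_mac)
        if out is None:                    # unknown destination: flood every other port
            return [p for p in self.ports if p != in_port]
        return [out] if out != in_port else []


def run_scenario(max_macs_per_port=None):
    """Return (egress ports for host A's frame to host B, violation count)."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], cam_capacity=8,
                max_macs_per_port=max_macs_per_port)
    host_a, host_b = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    # Station on Fa0/3 emits frames from 20 bogus source MACs, filling the table.
    for i in range(20):
        sw.forward(f"de:ad:be:ef:00:{i:02x}", "ff:ff:ff:ff:ff:ff", "Fa0/3")
    sw.forward(host_b, host_a, "Fa0/2")    # host B speaks; can the switch learn it?
    return sw.forward(host_a, host_b, "Fa0/1"), len(sw.violations)


if __name__ == "__main__":
    print(run_scenario())                  # (['Fa0/2', 'Fa0/3'], 0): A's frame leaks to Fa0/3
    print(run_scenario(max_macs_per_port=2))   # (['Fa0/2'], 18): unicast only, 18 frames dropped
```

Without port security the bogus entries occupy every CAM slot, host B is never learned, and host A's unicast frame is flooded out Fa0/3 as well. With a limit of two MACs per port the third bogus source is a violation, the table stays usable, and the frame goes only to Fa0/2.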

VLAN hopping: accessing a VLAN the attacker shouldn't be on. Methods: switch spoofing (attacker's device acts as a switch and negotiates a trunk) or double-tagging (attacker sends frames with two 802.1Q tags — the first switch strips the outer tag, which matches the native VLAN, and the inner tag delivers the frame to the target VLAN). Mitigation: disable DTP, set explicit access mode, change the native VLAN from VLAN 1.

Evil Twin (rogue AP): attacker sets up a wireless AP with the same SSID as a legitimate network. Clients connect to the attacker's AP thinking it's the real network. Mitigation: wireless intrusion detection, client verification (802.1X), HTTPS everywhere.

Deauthentication attack: sending forged 802.11 deauthentication frames to disconnect clients. Used as DoS or to force clients to reconnect to an Evil Twin. Mitigation: 802.11w (Management Frame Protection).
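As an added example of the wireless intrusion detection mentioned for both attacks (example code for this page, not any WIDS product's logic), the Python below scans constructed 802.11 management-frame observations for two signs: a beacon advertising an authorized SSID from a BSSID that is not on the authorized list (a possible Evil Twin), and a burst of deauthentication frames for one BSSID within a short time bin. The SSID, BSSIDs, frame tuples and thresholds are assumptions.

```python
from collections import defaultdict

# Authorized access points (constructed): SSID -> set of legitimate BSSIDs
AUTHORIZED_APS = {"CorpWiFi": {"00:00:5e:00:53:a1", "00:00:5e:00:53:a2"}}

# Constructed management-frame observations (not from the page):
# (time_seconds, subtype, bssid, ssid_or_None)
FRAMES = [
    (0.0, "beacon", "00:00:5e:00:53:a1", "CorpWiFi"),
    (0.1, "beacon", "00:00:5e:00:53:a2", "CorpWiFi"),
    (0.2, "beacon", "02:00:5e:ff:ee:dd", "CorpWiFi"),   # same SSID, unknown BSSID
    (0.3, "beacon", "00:00:5e:00:53:b0", "GuestWiFi"),  # SSID we do not manage
]
# Forty deauth frames for one of our BSSIDs inside 0.8 s.
FRAMES += [(1.0 + i * 0.02, "deauth", "00:00:5e:00:53:a1", None) for i in range(40)]


def find_evil_twins(frames, authorized=AUTHORIZED_APS):
    """(ssid, bssid) pairs that advertise an SSID we own from a BSSID we do not."""
    twins = set()
    for _t, subtype, bssid, ssid in frames:
        if subtype == "beacon" and ssid in authorized and bssid not in authorized[ssid]:
            twins.add((ssid, bssid))
    return sorted(twins)


def find_deauth_floods(frames, window=1.0, threshold=20):
    """{bssid: peak deauth count} for BSSIDs that saw at least `threshold`
    deauthentication frames inside one `window`-second time bin."""
    bins = defaultdict(int)
    for t, subtype, bssid, _ssid in frames:
        if subtype == "deauth":
            bins[(bssid, int(t // window))] += 1
    floods = {}
    for (bssid, _b), n in bins.items():
        if n >= threshold:
            floods[bssid] = max(floods.get(bssid, 0), n)
    return floods


if __name__ == "__main__":
    print(find_evil_twins(FRAMES))       # [('CorpWiFi', '02:00:5e:ff:ee:dd')]
    print(find_deauth_floods(FRAMES))    # {'00:00:5e:00:53:a1': 40}
```

Seeing both alerts together, a deauth burst against a legitimate BSSID followed by clients appearing on the unknown one, is the pattern the text describes; 802.11w stops the forged deauth frames from being honoured, while 802.1X prevents the twin from authenticating clients even if they try to join it.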

Key exam facts — Network+

  • DoS = single source; DDoS = distributed botnet — overwhelm target with traffic
  • SYN flood = exhausts server connection table with half-open TCP connections
  • ARP poisoning: fake ARP replies redirect traffic through attacker — mitigation: DAI
  • MAC flooding: fill switch CAM table → switch floods all traffic
  • VLAN hopping: switch spoofing or double-tagging — mitigation: disable DTP, change native VLAN
  • Evil Twin: rogue AP with same SSID; deauth attack forces clients to reconnect
  • MitM: interception between parties — prevention: TLS encryption, certificate verification

Common exam traps

DoS attacks can only be prevented by having more bandwidth

While DDoS mitigation services (scrubbing centers) help, DoS attacks are also mitigated through rate limiting, SYN cookies, ingress filtering, anycast routing, and upstream provider filtering — not just buying more bandwidth
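Of the mitigations listed, SYN cookies are the one whose mechanism is easiest to show in code. The Python below is an added example written for this page (a simplified version of the classic scheme, not the Linux kernel's implementation): the server encodes a time counter, an MSS index and a keyed hash into its initial sequence number, stores nothing for the SYN, and validates the client's final ACK from the sequence numbers alone. The secret key, addresses, counter value and bit layout are constructed assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret-rotate-in-production"   # server key (constructed)


def _cookie_hash(src_ip, src_port, dst_ip, dst_port, client_isn, counter):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the time counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss_index, counter):
    """Server ISN that doubles as the cookie. Layout (simplified): bits 31..27 =
    5-bit time counter, bits 26..24 = 3-bit MSS index, bits 23..0 = keyed hash."""
    h = _cookie_hash(src_ip, src_port, dst_ip, dst_port, client_isn, counter)
    return ((counter & 0x1F) << 27) | ((mss_index & 0x7) << 24) | h


def check_cookie(src_ip, src_port, dst_ip, dst_port, seq, ack, now_counter, max_age=2):
    """Validate the client's final ACK with no stored state. That ACK carries
    seq = client_isn + 1 and ack = server_isn + 1. Returns the MSS index the
    server encoded, or None if the cookie is forged or too old."""
    client_isn = (seq - 1) & 0xFFFFFFFF
    cookie = (ack - 1) & 0xFFFFFFFF
    counter = cookie >> 27
    mss_index = (cookie >> 24) & 0x7
    if (now_counter - counter) % 32 > max_age:       # 5-bit counter wraps at 32
        return None
    if (cookie & 0xFFFFFF) != _cookie_hash(src_ip, src_port, dst_ip, dst_port, client_isn, counter):
        return None
    return mss_index


def handshake_demo(counter=7):
    """One handshake: honest ACK validates; forged and stale ACKs do not."""
    src_ip, src_port, dst_ip, dst_port = "198.51.100.5", 40001, "192.0.2.10", 443
    client_isn, mss_index = 0x11223344, 3
    # 1. SYN arrives. The server allocates no connection-table entry; its ISN is the cookie.
    server_isn = make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss_index, counter)
    # 2. SYN-ACK leaves with seq=server_isn, ack=client_isn+1. A flood of spoofed
    #    SYNs therefore consumes nothing but the CPU to compute hashes.
    # 3. A real client answers and the server rebuilds the connection from the ACK.
    ok = check_cookie(src_ip, src_port, dst_ip, dst_port, client_isn + 1, server_isn + 1, counter)
    forged = check_cookie(src_ip, src_port, dst_ip, dst_port, client_isn + 1, (server_isn ^ 0x5) + 1, counter)
    stale = check_cookie(src_ip, src_port, dst_ip, dst_port, client_isn + 1, server_isn + 1, counter + 5)
    return ok, forged, stale


if __name__ == "__main__":
    print(handshake_demo())   # (3, None, None)
```

The trade-off this makes visible is why SYN cookies are normally switched on only under backlog pressure: the cookie has room for a coarse MSS index but not for the full set of TCP options, so connections accepted this way lose options such as window scaling unless they are carried in timestamps.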

Practice questions — Common Attacks

These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1. An attacker sends thousands of forged ARP replies to clients in a subnet, associating their MAC address with the default gateway's IP. Traffic from clients is now intercepted. Which attack is this?

A. MAC flooding
B. VLAN hopping
C. ARP poisoning
D. DNS poisoning

Correct answer: C. ARP poisoning (ARP spoofing) sends fake ARP replies associating the attacker's MAC address with a legitimate IP (the default gateway in this case). Clients update their ARP cache with the false mapping and send all their internet-bound traffic to the attacker's MAC — enabling a man-in-the-middle attack. Dynamic ARP Inspection (DAI) validates ARP packets against a DHCP snooping binding table to prevent this.

Frequently asked questions — Common Attacks

What is the difference between DoS and DDoS?

DoS (Denial of Service): a single attacker/system sends overwhelming traffic or exploits a vulnerability to make a target unavailable. Easier to block — source IP can be blocked. DDoS (Distributed Denial of Service): coordinated attack from thousands or millions of compromised systems (botnet). Extremely difficult to block — traffic comes from many legitimate-looking source IPs globally. DDoS mitigation requires scrubbing centers, anycast routing, and ISP cooperation.
