How TCP/IP Layers Shape Common Network Attacks: ARP, DoS, and DNS Explained
The article explains how the four TCP/IP layers function, describes typical attacks targeting each layer such as ARP spoofing, DoS (including SYN flood), and DNS hijacking, and outlines detection and mitigation techniques for improving network security.
TCP/IP Protocol Stack
The TCP/IP suite is conventionally divided into four layers, each with distinct responsibilities and associated protocols:
Link layer: Handles transmission of frames over physical media (e.g., Ethernet) and interacts with network‑interface drivers.
Network layer: Centers on the IP protocol; performs routing, forwarding, and congestion control.
Transport layer: Provides end‑to‑end communication for applications via TCP (reliable, connection‑oriented) and UDP (connectionless).
Application layer: Implements user‑level protocols such as FTP, HTTP, and DNS for file transfer, web access, and name resolution.
ARP Attack
Address Resolution Protocol (ARP) maps an IPv4 address to a MAC address. Each host maintains an ARP cache; when a destination MAC is unknown, the host broadcasts an ARP request and caches the reply.
Attack method: An attacker sends forged ARP replies, inserting false IP‑MAC bindings into victims’ ARP caches. Repeated spoofed replies can flood the network, causing denial of service or enabling man‑in‑the‑middle interception.
Mitigation:
Enable port mirroring on switches and capture suspicious traffic for analysis.
Deploy DHCP snooping and IP source guard to restrict which MAC addresses may be associated with a given IP.
Use static ARP entries for critical hosts where feasible.
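The detection side of the mitigations above, as an added example that is not part of the original article: a passive checker over pre-parsed ARP events of the kind a mirrored switch port would yield. It flags the three indicators spoofing produces (a reply nobody asked for, a binding that contradicts a static entry or an earlier observation, and one MAC answering for several IPs). The event format, the sample capture, the threshold and the trusted gateway binding are all constructed for the demo.

```python
# Added example (not from the original article): a passive ARP-reply checker that
# flags the indicators a switch-mirror capture would show during ARP spoofing.
# It works on constructed, pre-parsed ARP events rather than live packets.
from collections import defaultdict

MANY_IPS_THRESHOLD = 3  # assumption: one MAC answering for this many IPs is suspicious

# Constructed sample capture: a normal request/reply for the gateway, then a
# rogue MAC answering for the gateway and two other hosts without being asked.
SAMPLE_EVENTS = [
    {"op": "request", "sender_ip": "192.168.1.10", "sender_mac": "00:11:22:33:44:10", "target_ip": "192.168.1.1"},
    {"op": "reply",   "sender_ip": "192.168.1.1",  "sender_mac": "00:11:22:33:44:01", "target_ip": "192.168.1.10"},
    {"op": "reply",   "sender_ip": "192.168.1.1",  "sender_mac": "de:ad:be:ef:00:99", "target_ip": "192.168.1.10"},
    {"op": "reply",   "sender_ip": "192.168.1.20", "sender_mac": "de:ad:be:ef:00:99", "target_ip": "192.168.1.10"},
    {"op": "reply",   "sender_ip": "192.168.1.30", "sender_mac": "de:ad:be:ef:00:99", "target_ip": "192.168.1.10"},
]

# Constructed static binding, standing in for a static ARP entry for the gateway.
TRUSTED_BINDINGS = {"192.168.1.1": "00:11:22:33:44:01"}


def detect_arp_anomalies(events, trusted=None):
    """Return a list of (alert_kind, details...) tuples for the given ARP events.

    trusted: static IP -> MAC bindings (e.g. the gateway) that must never change;
    this mirrors what a static ARP entry enforces on a host.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    learned = dict(trusted)              # IP -> MAC seen so far
    outstanding = set()                  # IPs we saw a request for but no reply yet
    ips_per_mac = defaultdict(set)       # MAC -> set of IPs it has claimed
    alerts = []

    for e in events:
        ip, mac = e["sender_ip"], e["sender_mac"].lower()
        if e["op"] == "request":
            outstanding.add(e["target_ip"])
            continue

        # An unsolicited reply is how cache poisoning is delivered; gratuitous ARP
        # is a legitimate source of these too, so treat it as an indicator only.
        if ip in outstanding:
            outstanding.discard(ip)
        else:
            alerts.append(("UNSOLICITED_REPLY", ip, mac))

        if ip in trusted and trusted[ip] != mac:
            alerts.append(("TRUSTED_BINDING_CONFLICT", ip, trusted[ip], mac))
        elif ip in learned and learned[ip] != mac:
            alerts.append(("BINDING_CHANGED", ip, learned[ip], mac))
            learned[ip] = mac
        elif ip not in learned:
            learned[ip] = mac

        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) == MANY_IPS_THRESHOLD:
            alerts.append(("MAC_CLAIMS_MANY_IPS", mac, sorted(ips_per_mac[mac])))

    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_EVENTS, trusted=TRUSTED_BINDINGS):
        print(alert)
```

On the sample capture the first two events are clean; the rogue MAC then triggers an unsolicited-reply alert on each of its three replies, a trusted-binding conflict when it claims the gateway, and a many-IPs alert once it has answered for three addresses. A binding change or an unsolicited reply on its own can be legitimate (DHCP reassignment, gratuitous ARP after failover), so in practice these are correlated with the static bindings and the DHCP snooping table rather than acted on individually.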
DoS Attack – SYN Flood
TCP establishes connections via a three‑way handshake: SYN → SYN‑ACK → ACK. The server allocates a half‑open state (SYN‑RECEIVED) for each incoming SYN and holds it until the final ACK arrives or a timeout expires.
Attack method: The attacker spoofs source IP addresses and floods the target with a high rate of SYN packets. The server’s backlog of half‑open connections fills, exhausting memory and CPU, and legitimate connection attempts are dropped.
Defensive measures:
Reduce the SYN‑RECEIVED timeout to free resources more quickly.
Enable SYN cookies, which encode connection state in the SYN‑ACK sequence number, eliminating the need to allocate state before the final ACK.
Filter anomalous SYN traffic using firewalls or intrusion‑prevention systems (e.g., rate‑limit SYNs per source IP).
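To make the SYN-cookie measure concrete, here is an added example that is not from the original article: a server-side cookie generator and checker in which the SYN-ACK's initial sequence number carries the connection state, so a SYN from a spoofed source that never completes the handshake costs the server no table entry. The bit layout (a 5-bit time slot, a 3-bit MSS index and a 24-bit keyed hash) follows the commonly described scheme; the secret, the MSS table, the slot width and the acceptance window are assumptions chosen for the demo.

```python
# Added example (not from the original article): SYN-cookie style connection
# state encoded in the server's initial sequence number, so no half-open entry
# is allocated until the final ACK proves the client is reachable. The layout
# follows the widely described scheme (5-bit time slot, 3-bit MSS index,
# 24-bit keyed hash); the secret and MSS table are assumptions for the demo.
import hashlib
import hmac

COOKIE_SECRET = b"constructed-demo-secret-rotate-me"   # assumption: per-server secret
MSS_TABLE = [536, 1220, 1460, 4460, 8940]              # 3-bit index -> encoded MSS
MAX_COOKIE_AGE = 1                                     # accept cookies from this many past slots


def _mac24(src_ip, src_port, dst_ip, dst_port, t, secret):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time slot."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{t}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, t, secret=COOKIE_SECRET):
    """Build the 32-bit ISN for the SYN-ACK instead of allocating a SYN-RECEIVED entry."""
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= client_mss]
    idx = fits[-1] if fits else 0          # largest table MSS the client can accept
    return ((t & 0x1F) << 27) | (idx << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, t, secret)


def check_syn_cookie(ack_number, src_ip, src_port, dst_ip, dst_port, now_t, secret=COOKIE_SECRET):
    """Validate the handshake's final ACK.

    Returns the negotiated MSS, or None if the cookie is forged, for another
    4-tuple, or older than MAX_COOKIE_AGE slots. The client acknowledges
    ISN + 1, so the cookie is ack_number - 1.
    """
    cookie = (ack_number - 1) & 0xFFFFFFFF
    slot = (cookie >> 27) & 0x1F
    idx = (cookie >> 24) & 0x07
    if idx >= len(MSS_TABLE):
        return None
    # Only the low 5 bits of t were stored; recover t from the recent window.
    for t in range(now_t, now_t - MAX_COOKIE_AGE - 1, -1):
        if (t & 0x1F) == slot and _mac24(src_ip, src_port, dst_ip, dst_port, t, secret) == (cookie & 0xFFFFFF):
            return MSS_TABLE[idx]
    return None


def simulate_handshake(src_ip, src_port, dst_ip, dst_port, client_mss, t_syn, t_ack):
    """Client SYN in slot t_syn, server replies with a cookie, client ACKs in slot t_ack."""
    isn = make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, t_syn)
    return check_syn_cookie((isn + 1) & 0xFFFFFFFF, src_ip, src_port, dst_ip, dst_port, t_ack)


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges.
    print(simulate_handshake("198.51.100.7", 40000, "192.0.2.10", 443, 1460, 100, 100))  # 1460
    print(simulate_handshake("198.51.100.7", 40000, "192.0.2.10", 443, 1460, 100, 103))  # None (stale)
```

The stale-cookie case is the one to note: because only five bits of the time counter fit in the ISN, the checker must bound how far back it will look, otherwise an old captured cookie would verify again 32 slots later. The price of cookies is that options not encoded in the ISN (window scaling, SACK) are lost for connections completed this way, which is why real stacks enable them only once the backlog is under pressure rather than unconditionally.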
DNS Attack
The Domain Name System (DNS) translates human‑readable domain names to IP addresses. Two common attack vectors target this translation process:
Domain hijacking: An attacker modifies DNS records (e.g., A, CNAME) on an authoritative server, causing users to be redirected to malicious IPs. This often requires compromise of the registrar or DNS provider.
DNS poisoning / spoofing: An attacker injects forged DNS responses into the resolution path, causing a resolver to cache incorrect mappings. This can be performed by race‑condition attacks during the query‑response window.
Mitigation strategies:
Use reputable DNS providers that support DNSSEC, which cryptographically signs records to prevent tampering.
Deploy DNSSEC validation on resolvers to reject unsigned or incorrectly signed responses.
Monitor DNS traffic for anomalous query patterns and unexpected record changes; generate alerts when suspicious activity is detected.
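The resolver-side checks behind the poisoning discussion and the record-change monitoring above, as an added example that is not from the original article: a small guard that accepts a response only when its transaction ID, destination port, question name and source address all match a query the resolver actually sent, and that raises an alert when an accepted answer for a watched name differs from a known baseline. The `DnsQuery`/`DnsResponse` records, the upstream address, the names and the baseline IPs are all constructed for the demo; DNSSEC validation, which the page recommends, is a separate step applied to responses that pass these checks.

```python
# Added example (not from the original article): resolver-side checks that a
# response matches the query it claims to answer, plus a watch on records that
# change away from a known baseline. All names, addresses and ports are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsQuery:
    txid: int
    src_port: int
    qname: str


@dataclass(frozen=True)
class DnsResponse:
    txid: int
    dst_port: int
    qname: str
    answers: tuple          # A-record strings
    src_ip: str             # where the response came from


class ResolverGuard:
    """Accept a response only if it matches an outstanding query on txid, port, name and upstream."""

    def __init__(self, upstream_ip, baseline=None):
        self.upstream_ip = upstream_ip
        self.baseline = {n.lower(): frozenset(ips) for n, ips in (baseline or {}).items()}
        self.pending = {}        # (txid, port) -> qname
        self.alerts = []

    def send_query(self, q):
        self.pending[(q.txid, q.src_port)] = q.qname.lower()

    def receive(self, r):
        """Return the accepted answers, or None when the response is dropped."""
        qname = r.qname.lower()
        expected = self.pending.get((r.txid, r.dst_port))
        reason = None
        if expected is None:
            reason = "no outstanding query with this txid/port"
        elif expected != qname:
            reason = "question name does not match"
        elif r.src_ip != self.upstream_ip:
            reason = "response not from the configured upstream"
        if reason:
            # A forged answer arriving in the race window fails here; the genuine
            # reply is still awaited, so the outstanding query stays pending.
            self.alerts.append(("SPOOF_SUSPECT", qname, r.src_ip, reason))
            return None
        del self.pending[(r.txid, r.dst_port)]       # first valid answer wins; later copies are rejected
        known = self.baseline.get(qname)
        if known is not None and frozenset(r.answers) != known:
            self.alerts.append(("RECORD_CHANGE", qname, sorted(known), sorted(r.answers)))
        return r.answers


def run_demo():
    """Constructed scenario: two forged responses, the genuine one, then a changed record."""
    guard = ResolverGuard("192.0.2.53", baseline={"example.com": ["203.0.113.10"]})
    guard.send_query(DnsQuery(0x1A2B, 53012, "example.com"))
    guard.receive(DnsResponse(0x1A2C, 53012, "example.com", ("198.51.100.66",), "192.0.2.53"))  # wrong txid
    guard.receive(DnsResponse(0x1A2B, 53012, "example.com", ("198.51.100.66",), "198.51.100.99"))  # wrong source
    guard.receive(DnsResponse(0x1A2B, 53012, "EXAMPLE.com", ("203.0.113.10",), "192.0.2.53"))  # genuine
    guard.send_query(DnsQuery(0x2222, 53013, "example.com"))
    guard.receive(DnsResponse(0x2222, 53013, "example.com", ("198.51.100.5",), "192.0.2.53"))  # record changed
    return guard.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Matching on the transaction ID alone gives an attacker a 16-bit guessing space in the race window, which is why the check also ties the response to the randomised source port and the upstream address; the record-change alert covers the hijacking case, where the forged data is served legitimately by the authoritative side and only comparison against a baseline reveals it.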
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)