Mastering Common TCP/IP Attacks: From IP Spoofing to DDoS and MITM
This guide reviews the most frequent TCP/IP attacks—including IP spoofing, SYN flooding, UDP flooding, TCP reset hijacking, man‑in‑the‑middle, and DDoS—explains their underlying protocols, demonstrates practical exploitation with Python/Scapy and Netcat, and outlines mitigation techniques and cryptographic fundamentals.
Introduction
The article provides a comprehensive review of typical TCP/IP attacks, aiming to give readers a solid understanding of how these threats work and how to experiment with them safely.
1. IP Spoofing
IP spoofing involves forging the source IP address of a packet so that the victim believes it originates from a trusted host. An attacker can send TCP segments with a forged IP (e.g., 1.1.1.1) and a RST flag to terminate legitimate connections, forcing the victim to re‑establish sessions.
2. SYN Flood
SYN flooding exploits the three‑way handshake of TCP. The attacker sends a large number of SYN packets, often with spoofed source addresses, causing the server to allocate half‑open connections and exhaust resources. The handshake steps are:
SYN from client to server.
SYN‑ACK from server to client.
ACK from client to server (often never arrives).
When the server cannot complete the handshake, it keeps the half‑open state, eventually running out of memory or CPU.
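To make the resource-exhaustion mechanism concrete, here is an added example (not code from the original article) that models the two sides of the problem in plain Python: a classic listener that allocates a half-open entry per SYN against a fixed backlog, beside a SYN-cookie listener that stores nothing until a valid ACK returns. The cookie layout (24 MAC bits plus an 8-bit time counter), the 4-tuple values, the backlog size and the secret are all constructed for the demo and simplified relative to real kernels.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed demo parameter: a tiny backlog so exhaustion is visible after a few packets.
BACKLOG = 4


@dataclass
class StatefulServer:
    """Classic listener: every SYN allocates a half-open entry until the final ACK arrives."""
    backlog: int = BACKLOG
    half_open: dict = field(default_factory=dict)  # (src_ip, src_port) -> server ISN
    established: set = field(default_factory=set)
    dropped: int = 0

    def on_syn(self, src_ip, src_port):
        if len(self.half_open) >= self.backlog:
            self.dropped += 1  # backlog full: new clients, legitimate or not, are refused
            return None
        isn = 1000 + len(self.half_open)  # toy ISN; real stacks randomise it
        self.half_open[(src_ip, src_port)] = isn
        return isn  # carried in the SYN-ACK

    def on_ack(self, src_ip, src_port, ack_num):
        isn = self.half_open.pop((src_ip, src_port), None)
        if isn is not None and ack_num == isn + 1:
            self.established.add((src_ip, src_port))
            return True
        return False


class SynCookieServer:
    """Stateless listener: the ISN is an HMAC over the 4-tuple and a coarse time counter, so
    nothing is stored until a returning ACK proves the client really received the SYN-ACK.
    The 24-bit MAC + 8-bit counter layout is a simplification of what real kernels use."""

    def __init__(self, secret: bytes, window_seconds: int = 60):
        self.secret = secret
        self.window = window_seconds
        self.established = set()

    def _cookie(self, src_ip, src_port, dst_ip, dst_port, counter):
        msg = f"{src_ip}:{src_port}:{dst_ip}:{dst_port}:{counter}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return (int.from_bytes(mac[:3], "big") << 8) | (counter & 0xFF)

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, now):
        counter = int(now // self.window)
        return self._cookie(src_ip, src_port, dst_ip, dst_port, counter)  # ISN for the SYN-ACK

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, ack_num, now):
        isn = (ack_num - 1) & 0xFFFFFFFF
        current = int(now // self.window)
        for counter in (current, current - 1):  # accept the current or the previous window
            if (counter & 0xFF) == (isn & 0xFF) and \
                    self._cookie(src_ip, src_port, dst_ip, dst_port, counter) == isn:
                self.established.add((src_ip, src_port))
                return True
        return False  # invalid or stale cookie: no state was allocated, nothing to clean up


def simulate(flood_syns=10):
    """Send `flood_syns` SYNs from spoofed sources that never answer, then let one legitimate
    client try to complete a handshake against each server.
    Returns (legit_completed_stateful, legit_completed_cookie, stateful_drops)."""
    stateful = StatefulServer()
    cookie = SynCookieServer(secret=b"constructed-demo-secret")
    now = 1_700_000_000.0
    for i in range(flood_syns):
        stateful.on_syn(f"10.0.0.{i}", 40000 + i)  # spoofed source, no ACK ever follows
        cookie.on_syn(f"10.0.0.{i}", 40000 + i, "192.0.2.10", 8000, now)
    isn = stateful.on_syn("192.0.2.50", 51000)
    ok_stateful = isn is not None and stateful.on_ack("192.0.2.50", 51000, isn + 1)
    isn = cookie.on_syn("192.0.2.50", 51000, "192.0.2.10", 8000, now)
    ok_cookie = cookie.on_ack("192.0.2.50", 51000, "192.0.2.10", 8000, isn + 1, now + 5)
    return ok_stateful, ok_cookie, stateful.dropped


if __name__ == "__main__":
    print(simulate())  # (False, True, 7)
```

With ten spoofed SYNs and a backlog of four, the stateful listener refuses the legitimate client (seven drops in total), while the cookie listener completes the handshake because it never spent memory on the unanswered SYNs; a forged or stale ACK fails the MAC check and costs the server nothing but one HMAC computation.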
3. UDP Flood
UDP flooding sends massive UDP datagrams to a target port, overwhelming the server’s processing capacity and, if the port is closed, causing the server to generate ICMP Destination‑Unreachable messages. The attack can be amplified by spoofing source IPs to hide the attacker’s location.
4. TCP Reset Attack
A TCP reset attack forges a packet with the RST flag set and a sequence number matching the ACK number of an existing connection. When the victim receives this packet, it immediately tears down the TCP session. The steps to craft such a packet are:
Sniff the traffic between the two endpoints.
Capture a packet with the ACK flag set and note its ACK number.
Forge a TCP packet with RST=1, source/destination swapped, and sequence number equal to the captured ACK number.
Send the forged packet to one or both endpoints.
5. Man‑in‑the‑Middle (MITM) Attack
MITM attacks intercept and possibly modify traffic between two parties. The attacker establishes separate connections with each side, relaying and altering data while both victims believe they are communicating directly.
6. Cryptographic Foundations
The article briefly covers symmetric encryption (DES, IDEA, AES, SM1/SM4), asymmetric encryption (RSA, ECC, SM2), and hash algorithms (MD5, SHA‑1/2, SM3). It explains how digital signatures and certificates create a chain of trust, preventing tampering and repudiation.
7. DDoS Overview and Mitigation
DDoS (Distributed Denial‑of‑Service) attacks combine many compromised hosts to flood a target with traffic, using techniques such as SYN flood, UDP flood, ICMP flood, NTP flood, DNS query flood, etc. Mitigation strategies include high‑capacity servers, blacklists, traffic scrubbing (cleaning), and CDN acceleration.
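The blacklist strategy named above, and the SYN and UDP floods of sections 2 and 3 it is meant to catch, can be shown with a small detector over flow records. This is an added example rather than the article's code; the log line format, the thresholds, the window length and all addresses (documentation prefixes 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are constructed for the demo. It also keeps an aggregate half-open count, which is what exposes the limit of per-source blacklisting: a flood spread over spoofed sources never trips any single-source threshold.

```python
from collections import defaultdict, deque


def parse_line(line):
    """Parse one constructed flow-log line: '<epoch> <proto> <src> <dst_ip>:<dport> <tcp_flags>'."""
    ts, proto, src, dst, flags = line.split()
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": float(ts), "proto": proto, "src": src,
            "dst": dst_ip, "dport": int(dport), "flags": flags}


class FloodDetector:
    """Sliding-window counters feeding a per-source blacklist, plus an aggregate half-open
    count that signals when per-source blocking alone is no longer enough."""

    def __init__(self, window=1.0, syn_threshold=20, udp_threshold=50, global_threshold=40):
        self.window = window
        self.syn_threshold = syn_threshold
        self.udp_threshold = udp_threshold
        self.global_threshold = global_threshold
        self.half_open = defaultdict(deque)  # src -> timestamps of SYNs not yet followed by an ACK
        self.udp = defaultdict(deque)        # src -> timestamps of UDP datagrams
        self.blacklist = {}                  # src -> reason

    def _expire(self, q, now):
        while q and now - q[0] > self.window:
            q.popleft()

    def observe(self, pkt):
        src, now = pkt["src"], pkt["ts"]
        if pkt["proto"] == "tcp":
            q = self.half_open[src]
            self._expire(q, now)
            if pkt["flags"] == "S":
                q.append(now)
            elif "A" in pkt["flags"] and q:
                q.popleft()  # the source answered, so it is reachable: retire one pending SYN
            if len(q) >= self.syn_threshold:
                self.blacklist.setdefault(src, f"{len(q)} unanswered SYNs within {self.window}s")
        elif pkt["proto"] == "udp":
            q = self.udp[src]
            self._expire(q, now)
            q.append(now)
            if len(q) >= self.udp_threshold:
                self.blacklist.setdefault(src, f"{len(q)} UDP datagrams within {self.window}s")
        return src in self.blacklist

    def pending_syns(self, now):
        """Half-open SYNs across all sources inside the current window."""
        for q in self.half_open.values():
            self._expire(q, now)
        return sum(len(q) for q in self.half_open.values())

    def under_flood(self, now):
        """True when the aggregate half-open count exceeds the global threshold."""
        return self.pending_syns(now) >= self.global_threshold


def build_sample_log():
    """Constructed traffic: one legitimate client, one single-source SYN flooder, a spoofed
    many-source SYN flood and one UDP flooder, all aimed at 192.0.2.10."""
    t = 1_700_000_000.0
    lines = []
    for i in range(5):  # legitimate client: five complete handshakes
        lines.append(f"{t + i * 0.1:.3f} tcp 192.0.2.50 192.0.2.10:8000 S")
        lines.append(f"{t + i * 0.1 + 0.01:.3f} tcp 192.0.2.50 192.0.2.10:8000 A")
    for i in range(30):  # one source, 30 SYNs in 0.3 s, never acknowledged
        lines.append(f"{t + 0.5 + i * 0.01:.3f} tcp 198.51.100.7 192.0.2.10:8000 S")
    for i in range(25):  # spoofed flood: 25 distinct sources, one SYN each
        lines.append(f"{t + 0.8 + i * 0.005:.3f} tcp 10.0.{i}.1 192.0.2.10:8000 S")
    for i in range(60):  # one source, 60 UDP datagrams in 0.6 s
        lines.append(f"{t + 0.5 + i * 0.01:.3f} udp 203.0.113.9 192.0.2.10:53 -")
    return sorted(lines)  # fixed-width timestamps, so lexical order is time order


def analyze(lines):
    """Feed the log through the detector; returns (blacklisted sources, pending SYNs, flood flag)."""
    det = FloodDetector()
    last = 0.0
    for line in lines:
        pkt = parse_line(line)
        det.observe(pkt)
        last = pkt["ts"]
    return sorted(det.blacklist), det.pending_syns(last), det.under_flood(last)


if __name__ == "__main__":
    print(analyze(build_sample_log()))  # (['198.51.100.7', '203.0.113.9'], 55, True)
```

The two single-source flooders are blacklisted and the legitimate client is not, but the 25 spoofed sources contribute one SYN each and stay under every per-source threshold; only the aggregate count of 55 pending SYNs reveals the flood, which is why the article pairs blacklists with traffic scrubbing and why SYN cookies (section 2) are applied on the server itself.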
8. Practical Lab
The hands‑on portion demonstrates how to reproduce a TCP reset attack on a local machine:
Start a TCP listener with nc -nvl 8000 on one terminal.
Connect to it from another terminal using nc 127.0.0.1 8000.
Write a Python script that uses scapy to sniff on lo0, filter packets for the chosen ports, and print packet details.
Modify the script’s prn callback to craft and send forged RST packets based on captured traffic.
Run the script while the netcat connection is active; the connection will be abruptly terminated.
Additional experiments include varying the forged sequence number, observing traffic with Wireshark, and testing the impact of faster data streams.
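Seen from the receiving end, the reset attack of section 4 and its reproduction in this lab come down to one check: does the incoming RST carry exactly the sequence number the receiver expects? The following added example (not the article's code, and not a Scapy script) models that receiver. RST handling follows RFC 5961 section 3.2, and a TTL-consistency alert is added as a hypothetical detection heuristic; the connection state, TTL values and segments are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Receiver:
    """The subset of TCP receive state needed to validate an incoming RST. Sequence-number
    wraparound is ignored in this sketch."""
    rcv_nxt: int                     # next sequence number expected from the peer
    rcv_wnd: int                     # advertised receive window
    peer_ttl: Optional[int] = None   # TTL baseline learned from the peer's earlier segments
    state: str = "ESTABLISHED"
    alerts: list = field(default_factory=list)

    def receive(self, seg):
        """Returns 'data', 'reset', 'challenge-ack' or 'drop'.
        RFC 5961 section 3.2: only an RST whose seq equals rcv_nxt tears the connection down;
        an in-window but inexact RST is answered with a challenge ACK instead."""
        if "R" in seg["flags"]:
            if self.peer_ttl is not None and seg["ttl"] != self.peer_ttl:
                # Heuristic (not from the article): a segment claiming to come from the peer
                # but arriving with a different hop count is worth logging as a possible forgery.
                self.alerts.append(
                    f"RST seq={seg['seq']} ttl={seg['ttl']} != peer baseline {self.peer_ttl}")
            if seg["seq"] == self.rcv_nxt:
                self.state = "CLOSED"
                return "reset"
            if self.rcv_nxt < seg["seq"] < self.rcv_nxt + self.rcv_wnd:
                return "challenge-ack"  # a genuine peer would reply with an exact-seq RST
            return "drop"
        if self.peer_ttl is None:
            self.peer_ttl = seg["ttl"]  # learn the baseline from ordinary traffic
        if seg["seq"] == self.rcv_nxt:
            self.rcv_nxt += seg.get("len", 0)
            return "data"
        return "drop"


def forged_rst_scenario():
    """Constructed exchange: receiver A is ESTABLISHED with peer B, whose segments arrive
    with TTL 52. A third party that sniffed A's ACK number injects B->A RSTs with TTL 57."""
    a = Receiver(rcv_nxt=1000, rcv_wnd=65535)
    outcomes = [
        a.receive({"flags": "PA", "seq": 1000, "len": 100, "ttl": 52}),  # genuine data: rcv_nxt -> 1100
        a.receive({"flags": "R", "seq": 1500, "ttl": 57}),               # guessed in-window seq
        a.receive({"flags": "R", "seq": 1100, "ttl": 57}),               # exact sniffed ACK number
    ]
    return outcomes, a.state, a.alerts


def genuine_rst_scenario():
    """Same receiver, but the RST really comes from B: accepted and nothing is flagged."""
    a = Receiver(rcv_nxt=1000, rcv_wnd=65535)
    a.receive({"flags": "PA", "seq": 1000, "len": 100, "ttl": 52})
    return a.receive({"flags": "R", "seq": 1100, "ttl": 52}), a.state, a.alerts


if __name__ == "__main__":
    print(forged_rst_scenario())  # (['data', 'challenge-ack', 'reset'], 'CLOSED', [...2 alerts...])
    print(genuine_rst_scenario())  # ('reset', 'CLOSED', [])
```

The first forged RST is merely in-window and only earns a challenge ACK, which is why the lab's step of copying the exact ACK number matters on any stack that implements RFC 5961 (Linux does); the second forged RST matches rcv_nxt and closes the connection regardless, and only the TTL mismatch leaves a trace. On the lab's loopback interface that trace is absent, since the real peer's segments and the forged ones both carry the local host's TTL, so the lab is best understood as showing the protocol weakness rather than a realistic detection setting.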
Conclusion
Understanding these attacks equips readers for interview questions and real‑world security assessments, emphasizing that most network attacks stem from protocol weaknesses that can be mitigated with proper configuration, encryption, and traffic monitoring.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)