Understanding TCP/IP Layers and Common Network Attacks: ARP, DoS, DNS

An in‑depth overview of network security threats reveals how attacks exploit vulnerabilities across TCP/IP layers—detailing ARP spoofing, DoS (including SYN flood), and DNS hijacking—and offers practical defense strategies such as packet analysis, firewall hardening, and proactive monitoring.


According to a Chinese Internet security monitoring report covering the first half of the year, the number of malicious-program control servers and of DDoS attacks continues to rise, making network attacks a major factor affecting information and business security.

Network attacks exploit vulnerabilities in hardware, software, and data by targeting flaws in the TCP/IP protocol suite, which was not originally designed to withstand modern threats.

TCP/IP Protocol

The industry typically divides the TCP/IP stack into four layers: link, network, transport, and application.

The link layer handles data transmission over physical media such as Ethernet and implements the network driver interfaces.

The network layer uses the IP protocol for routing and forwarding packets, providing inter-network connectivity and congestion control.

The transport layer offers end-to-end communication for applications and defines the TCP and UDP protocols.

The application layer processes application logic, including file transfer (FTP), web traffic (HTTP), and name resolution (DNS).

TCP/IP protocol model diagram

Because each TCP/IP layer has distinct functions and protocols, attacks vary by layer:

Link-layer attacks target hardware and infrastructure, for example physically damaging devices or altering the routes configured on routers.

Network‑layer attacks include IP fragmentation and ARP spoofing.

Transport‑layer attacks are numerous, featuring DoS techniques that exploit TCP/UDP vulnerabilities.

Application‑layer attacks are the most prevalent, with DNS spoofing as a common example.

ARP Attack

ARP (Address Resolution Protocol) maps IP addresses to MAC addresses and maintains an ARP cache on each host. When a host needs a MAC address, it broadcasts an ARP request; the owner replies with its MAC.

Attackers forge IP-to-MAC pairs in counterfeit ARP replies, poisoning the victim's ARP cache; this can disrupt the victim's connectivity or enable man-in-the-middle attacks.

ARP protocol workflow

Although ARP attacks require only access to the local Ethernet segment and little skill, they can cause severe problems such as network outages, bandwidth throttling, and credential theft. Defenses include traffic mirroring on switches, DHCP snooping, and IP source guard.
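The two symptoms a defender looks for in mirrored ARP traffic are an IP address that suddenly answers from a different MAC and replies that no host asked for. The following monitor is an added example, not code from the original article: it assumes ARP frames have already been captured (for example from a mirrored switch port) and reduced to (timestamp, opcode, sender IP, sender MAC, target IP) records; the records it runs over are constructed for illustration.

```python
"""Flag ARP cache poisoning symptoms in a stream of ARP records (added example)."""
from collections import namedtuple

# Assumed input shape: one record per ARP frame seen on the segment.
ArpRecord = namedtuple("ArpRecord", "ts opcode sender_ip sender_mac target_ip")


class ArpMonitor:
    """Learns each IP->MAC binding from solicited replies and raises an alert
    when an IP changes MAC or when a reply arrives that nobody requested."""

    def __init__(self, request_window=2.0):
        self.bindings = {}            # ip -> mac learned from a solicited reply
        self.pending = {}             # ip being resolved -> ts of the request
        self.request_window = request_window
        self.alerts = []

    def feed(self, rec):
        if rec.opcode == "request":
            self.pending[rec.target_ip] = rec.ts
            return None
        # A reply: the sender claims to own sender_ip.
        asked_at = self.pending.get(rec.sender_ip)
        unsolicited = asked_at is None or rec.ts - asked_at > self.request_window
        known = self.bindings.get(rec.sender_ip)
        alert = None
        if known is not None and known != rec.sender_mac:
            alert = ("mac_change", rec.sender_ip, known, rec.sender_mac)
        elif unsolicited:
            alert = ("unsolicited_reply", rec.sender_ip, rec.sender_mac)
        else:
            # Only solicited, consistent replies teach the monitor a binding.
            self.bindings[rec.sender_ip] = rec.sender_mac
        if alert:
            self.alerts.append(alert)
        self.pending.pop(rec.sender_ip, None)
        return alert


# Constructed sample: a host resolves its gateway, then the gateway's IP
# "moves" to another MAC, then an unrequested reply arrives.
SAMPLE = [
    ArpRecord(0.0, "request", "10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.1"),
    ArpRecord(0.1, "reply",   "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5"),
    ArpRecord(5.0, "reply",   "10.0.0.1", "bb:bb:bb:bb:bb:99", "10.0.0.5"),
    ArpRecord(6.0, "reply",   "10.0.0.7", "bb:bb:bb:bb:bb:99", "10.0.0.5"),
]


def run(records=SAMPLE):
    mon = ArpMonitor()
    for rec in records:
        mon.feed(rec)
    return mon


if __name__ == "__main__":
    for alert in run().alerts:
        print(alert)
```

Gratuitous ARP is legitimate at boot and after failover, so an "unsolicited_reply" alone is a weak signal; the "mac_change" alert on a gateway address is the one worth paging on, and DHCP snooping or IP source guard on the switch stops the frames before a monitor ever sees them.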

DoS Attack

TCP is a connection-oriented, reliable protocol that establishes connections via a three-way handshake: SYN, SYN-ACK, and ACK.

TCP three‑way handshake

DoS attacks aim to overwhelm a host or network, preventing legitimate traffic from being processed. Common methods include repeatedly sending connection requests or exploiting protocol flaws to consume resources.

Repeated connection requests saturate the server, blocking legitimate traffic.

Protocol‑level exploits flood the system with malformed packets, causing crashes.

SYN flood is the most typical DoS variant: attackers spoof source IP addresses and send massive numbers of SYN packets, so the target accumulates half-open connections that are never completed until its resources are exhausted.

Mitigation strategies include traffic filtering, shortening the SYN timeout, and deploying SYN cookies to drop suspicious repeated SYNs.
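The reason SYN cookies survive a flood of spoofed SYNs is that the server stops keeping a half-open entry per SYN: it encodes a coarse time counter and a keyed hash of the connection 4-tuple into its initial sequence number, and allocates state only when a third-handshake ACK carrying a valid cookie arrives. The model below is an added example, not code from the original article or from any kernel. It works at the level of sequence numbers (no sockets), and the cookie layout (5 bits of counter, 27 bits of hash), the HMAC construction and the secret are simplifications chosen for this example rather than the Linux format.

```python
"""SYN cookies modelled as a stateless listener (added example)."""
import hmac
import hashlib

SECRET = b"constructed-example-secret"   # a real server rotates this regularly
COUNTER_BITS = 5                          # coarse time counter (e.g. 64 s ticks)
HASH_BITS = 32 - COUNTER_BITS
HASH_MASK = (1 << HASH_BITS) - 1
COUNTER_MASK = (1 << COUNTER_BITS) - 1


def cookie_hash(src_ip, src_port, dst_ip, dst_port, t):
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{t}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & HASH_MASK


def make_cookie(src_ip, src_port, dst_ip, dst_port, now):
    """ISN to place in the SYN-ACK: counter in the top bits, keyed hash below."""
    t5 = now & COUNTER_MASK
    return (t5 << HASH_BITS) | cookie_hash(src_ip, src_port, dst_ip, dst_port, t5)


def check_cookie(isn, src_ip, src_port, dst_ip, dst_port, now):
    """True only if we minted isn for this 4-tuple in the current or previous tick."""
    t5 = isn >> HASH_BITS
    for t in (now, now - 1):
        if (t & COUNTER_MASK) == t5 and (isn & HASH_MASK) == cookie_hash(
            src_ip, src_port, dst_ip, dst_port, t5
        ):
            return True
    return False


class StatelessListener:
    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.established = set()          # only completed handshakes hold state

    def on_syn(self, src_ip, src_port, now):
        # No half-open entry is created: the cookie in the SYN-ACK is the state.
        return make_cookie(src_ip, src_port, self.ip, self.port, now)

    def on_ack(self, src_ip, src_port, ack_num, now):
        isn = (ack_num - 1) & 0xFFFFFFFF  # the client acknowledges our ISN + 1
        if not check_cookie(isn, src_ip, src_port, self.ip, self.port, now):
            return False                  # forged, stale, or never sent by us
        self.established.add((src_ip, src_port))
        return True


def demo():
    """Constructed scenario: a spoofed flood, one real client, a guessed ACK, a stale ACK."""
    srv = StatelessListener("192.0.2.10", 443)
    for i in range(10_000):               # 10,000 SYNs from spoofed sources
        srv.on_syn(f"203.0.113.{i % 256}", 1024 + i, now=100)
    state_after_flood = len(srv.established)   # still 0: nothing was stored
    isn = srv.on_syn("198.51.100.7", 40000, now=100)
    genuine = srv.on_ack("198.51.100.7", 40000, isn + 1, now=101)
    guessed = srv.on_ack("203.0.113.1", 1025, 12345, now=101)
    old_isn = srv.on_syn("198.51.100.7", 40001, now=100)
    stale = srv.on_ack("198.51.100.7", 40001, old_isn + 1, now=103)
    return state_after_flood, genuine, guessed, stale


if __name__ == "__main__":
    print(demo())
```

The trade-off a practitioner should know: because the server keeps nothing between SYN and ACK, TCP options negotiated in the SYN (window scaling, SACK) are lost unless they can be encoded elsewhere, which is why production stacks enable cookies only once the backlog overflows rather than for every connection.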

DNS Attack

DNS translates human‑readable domain names into IP addresses. Compromising DNS records enables domain hijacking, redirecting users to malicious sites.

Domain hijacking is often perpetrated by malicious DNS providers; switching to trusted providers mitigates this risk.

Other DNS attacks include DNS cache poisoning and DNS spoofing, where attackers inject false responses in the interval between a query and its legitimate response, so that clients receive incorrect IP addresses.
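What a resolver can do against an injected response is narrow the race: match every reply against an outstanding query on transaction ID, source port and question, and accept only the first match. The code below is an added example, not code from the original article or from any resolver implementation. It builds and parses minimal DNS A-record messages (standard wire format, no EDNS) and models a stub resolver with those checks; all message bytes are constructed in memory and nothing is sent on the network.

```python
"""Stub-resolver checks against DNS response spoofing (added example)."""
import os
import struct
import ipaddress


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:                        # compression pointer
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(txid, qname):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)        # RD=1
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)     # A, IN


def build_response(txid, qname, ip, ttl=300):
    """One-answer response; used here to construct both genuine and spoofed replies."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)        # QR=1, RD, RA
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)        # name ptr -> offset 12
    return header + question + answer + ipaddress.IPv4Address(ip).packed


def parse_response(msg):
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, offset = decode_name(msg, 12)
    offset += 4                                                        # qtype, qclass
    answers = []
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            answers.append(str(ipaddress.IPv4Address(msg[offset:offset + rdlen])))
        offset += rdlen
    return txid, bool(flags & 0x8000), qname, answers


class StubResolver:
    def __init__(self):
        self.pending = {}                 # (txid, src_port) -> qname awaiting an answer

    def send(self, qname):
        """Random 16-bit TXID plus random source port: ~32 bits an injector must guess."""
        txid = int.from_bytes(os.urandom(2), "big")
        port = 1024 + int.from_bytes(os.urandom(2), "big") % (65535 - 1024)
        self.pending[(txid, port)] = qname
        return txid, port, build_query(txid, qname)

    def receive(self, port, msg):
        txid, is_response, qname, answers = parse_response(msg)
        if not is_response:
            return False, "not a response"
        if (txid, port) not in self.pending:
            return False, "no outstanding query with this TXID/port (unsolicited or guessed)"
        if self.pending[(txid, port)] != qname:
            return False, "question does not match the query"
        del self.pending[(txid, port)]    # first valid answer wins; later copies are dropped
        return True, answers


def demo():
    """Constructed race: a guessed-TXID reply, the genuine reply, then a late copy."""
    r = StubResolver()
    txid, port, _query = r.send("example.com")
    spoofed = r.receive(port, build_response((txid + 1) & 0xFFFF, "example.com", "203.0.113.66"))
    genuine = r.receive(port, build_response(txid, "example.com", "192.0.2.1"))
    late = r.receive(port, build_response(txid, "example.com", "203.0.113.66"))
    return spoofed[0], genuine, late[0]


if __name__ == "__main__":
    print(demo())
```

These checks raise the cost of a blind injection but do not remove the race: a reply that guesses TXID and port within the window is still accepted, which is the gap DNSSEC validation or an encrypted transport to a trusted resolver is meant to close.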

Security Recommendations

To combat network attacks, organizations should raise security awareness, enforce robust firewall policies, and perform packet capture and decoding to trace malicious activity.

By continuously monitoring network traffic for anomalous patterns and configuring alerts based on attack signatures, security teams can quickly locate and mitigate threats.

Source: 136.la/jingpin/show-19936.html
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: TCP/IP, DNS, packet analysis, DoS, ARP Attack
Written by Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
