Understanding TCP/IP Layers and Common Network Attacks: ARP, DoS, DNS
This article explains how the four-layer TCP/IP model underpins various network attacks such as ARP spoofing, DoS (including SYN flood), and DNS hijacking, and provides practical security recommendations for detecting and mitigating these threats.
Network Attack Landscape
Recent monitoring data show a continuous increase in network‑level attacks such as malicious server control and denial‑of‑service (DDoS) incidents. Because the TCP/IP suite was designed before modern threat models, many of its protocols can be abused at each layer.
TCP/IP Protocol Stack
Link Layer: Handles transmission over physical media (e.g., Ethernet) and provides the network‑driver interface.
Network Layer: Core IP protocol responsible for routing, forwarding, and congestion control.
Transport Layer: Supplies end‑to‑end communication via TCP (connection‑oriented) and UDP (connectionless).
Application Layer: Implements protocols such as FTP, HTTP, and DNS that serve user‑level services.
Because each layer exposes distinct functionality, attackers target the corresponding protocols:
Link‑layer attacks disrupt hardware or manipulate routing tables.
Network‑layer attacks include IP fragmentation and ARP spoofing.
Transport‑layer attacks exploit TCP/UDP weaknesses (e.g., SYN flood).
Application‑layer attacks such as DNS spoofing are the most numerous.
ARP Attack (ARP Spoofing / Poisoning)
ARP (Address Resolution Protocol) maps an IPv4 address to a MAC address. Each host maintains an ARP cache; when a destination MAC is unknown, the host broadcasts an ARP request and caches the reply.
In an ARP poisoning attack the attacker repeatedly sends forged ARP reply packets, associating the victim’s IP address with the attacker’s MAC address. This overwrites the legitimate entry in the victim’s ARP cache, causing traffic to be redirected to the attacker (man‑in‑the‑middle) or dropped entirely.
Mitigation techniques include:
Enabling port mirroring on switches to capture suspicious ARP traffic.
Deploying DHCP snooping and IP source guard to restrict which MAC addresses can claim a given IP.
Using static ARP entries for critical servers.
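The two poisoning indicators described above (a reply nobody asked for, and a second MAC claiming an IP that was already learned) can be checked on a capture feed. The following detector is an added example, not code from the article; the ARP frame records are constructed for the demonstration.

```python
"""Added example (not from the article): flag ARP-poisoning indicators in a
stream of ARP frames. Frame records below are constructed, not real captures."""
from collections import namedtuple
from typing import Dict, List, Set, Tuple

ArpFrame = namedtuple("ArpFrame", "ts op sender_ip sender_mac target_ip")
REQUEST, REPLY = 1, 2  # ARP opcodes


def detect_arp_poisoning(frames: List[ArpFrame]) -> List[Tuple[float, str, str]]:
    """Return (timestamp, indicator, detail) for every suspicious reply."""
    bindings: Dict[str, str] = {}   # ip -> first MAC seen claiming it
    pending: Set[str] = set()       # IPs with an outstanding request
    alerts: List[Tuple[float, str, str]] = []
    for f in frames:
        if f.op == REQUEST:
            pending.add(f.target_ip)
            continue
        if f.op != REPLY:
            continue
        # A reply that answers no outstanding request is unsolicited; hosts send
        # a few legitimately (e.g. at boot), but a steady stream is a poisoning signal.
        if f.sender_ip in pending:
            pending.discard(f.sender_ip)
        else:
            alerts.append((f.ts, "unsolicited_reply", f"{f.sender_ip} -> {f.sender_mac}"))
        # A second MAC claiming an already-learned IP is the classic cache overwrite.
        known = bindings.setdefault(f.sender_ip, f.sender_mac)
        if known != f.sender_mac:
            alerts.append((f.ts, "mac_conflict", f"{f.sender_ip}: {known} vs {f.sender_mac}"))
    return alerts


# Constructed sample: one legitimate gateway reply, then forged replies from a
# second MAC claiming the gateway's IP (the pattern described in the text).
SAMPLE = [
    ArpFrame(0.0, REQUEST, "10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.1"),
    ArpFrame(0.1, REPLY, "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5"),
    ArpFrame(5.0, REPLY, "10.0.0.1", "bb:bb:bb:bb:bb:99", "10.0.0.5"),
    ArpFrame(6.0, REPLY, "10.0.0.1", "bb:bb:bb:bb:bb:99", "10.0.0.5"),
]

if __name__ == "__main__":
    for ts, kind, detail in detect_arp_poisoning(SAMPLE):
        print(f"{ts:5.1f}s {kind:18s} {detail}")
```

On a real switch the same logic is what DHCP snooping and dynamic ARP inspection apply in hardware, using the DHCP lease table as the trusted binding source.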
Denial‑of‑Service (DoS) Attack
TCP establishes a reliable connection through a three‑step handshake:
SYN: Client sends a SYN packet, entering SYN_SENT state.
SYN‑ACK: Server replies with SYN‑ACK, entering SYN_RECV state.
ACK: Client acknowledges with ACK, completing the connection.
A SYN flood exploits this handshake by sending a massive number of SYN packets with spoofed source addresses. The server allocates resources for each half‑open connection and waits for the final ACK, which never arrives. When the backlog is exhausted, legitimate connection attempts are dropped, resulting in a denial of service.
Common mitigation measures:
Deploy SYN cookies – the server encodes connection state in the SYN‑ACK sequence number, avoiding allocation of resources until the ACK is received.
Reduce the SYN‑RECEIVED timeout to free half‑open entries more quickly.
Filter traffic with rate‑limiting or ACLs that drop excessive SYNs from a single source.
Use intrusion‑detection systems (IDS) to detect and block SYN‑flood patterns.
DNS Attack
DNS translates human‑readable domain names to IP addresses. Attackers can compromise this process in several ways:
Domain hijacking: An attacker gains control of the authoritative name server or modifies DNS records, causing users to be redirected to malicious sites.
DNS poisoning / spoofing: Forged DNS responses are injected before legitimate replies arrive, causing resolvers to cache incorrect IP addresses.
Cache poisoning: Malicious records are inserted into a recursive resolver’s cache, affecting all downstream clients.
Defensive actions include DNSSEC deployment (cryptographic signing of DNS data), restricting zone transfers, and monitoring for anomalous DNS query patterns.
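The spoofing and cache-poisoning cases above are what a recursive resolver's response-acceptance checks exist to stop: a reply is cached only if it matches the pending query's transaction ID, source port and question, and only records within the answering server's bailiwick are kept. The model below is an added example with constructed data, not a real resolver's code.

```python
"""Added example (not from the article): checks a recursive resolver applies to a
reply before caching it. Simplified model with constructed data, not a real resolver."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Record = Tuple[str, str, str]   # (name, type, value)

@dataclass
class Query:
    txid: int        # 16-bit transaction ID, randomised per query
    src_port: int    # randomised ephemeral source port
    qname: str
    qtype: str
    server: str      # authoritative server the query went to
    zone: str        # bailiwick: zone that server is authoritative for

@dataclass
class Response:
    txid: int
    dst_port: int
    src_ip: str
    qname: str
    qtype: str
    records: List[Record]

def _in_bailiwick(name: str, zone: str) -> bool:
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)

def accept_response(q: Query, r: Response) -> Optional[List[Record]]:
    """Records safe to cache, or None when the reply must be dropped."""
    # An off-path forger must guess TXID and port together (about 2^32
    # combinations); any mismatch is discarded before the answer is parsed.
    if r.src_ip != q.server or r.dst_port != q.src_port or r.txid != q.txid:
        return None
    if (r.qname.lower(), r.qtype) != (q.qname.lower(), q.qtype):
        return None
    # Keep only records inside the server's bailiwick, so a reply for
    # example.com cannot plant an address for an unrelated domain.
    return [rec for rec in r.records if _in_bailiwick(rec[0], q.zone)]

# Constructed: pending query, genuine reply, guessed-TXID forgery, and a reply
# carrying an out-of-bailiwick record.
Q = Query(0x1A2B, 53421, "www.example.com", "A", "192.0.2.53", "example.com")
GENUINE = Response(0x1A2B, 53421, "192.0.2.53", "www.example.com", "A",
                   [("www.example.com", "A", "192.0.2.10"), ("ns1.example.com", "A", "192.0.2.53")])
FORGED = Response(0x1A2C, 53421, "192.0.2.53", "www.example.com", "A",
                  [("www.example.com", "A", "198.51.100.66")])
POISON = Response(0x1A2B, 53421, "192.0.2.53", "www.example.com", "A",
                  [("www.example.com", "A", "192.0.2.10"), ("login.bank.example", "A", "198.51.100.66")])
```

These checks raise the cost of off-path poisoning but cannot stop an on-path attacker who sees the query; that is the gap DNSSEC signatures close, since a forged record then fails validation regardless of how it arrived.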
Practical Security Recommendations
Continuously capture network traffic (e.g., with tcpdump or dedicated sensors) and decode packets to detect anomalies such as unexpected ARP replies or abnormal SYN rates.
Configure alerts for known attack signatures (e.g., high ARP reply volume, SYN‑flood thresholds).
Enforce strict firewall policies that limit unnecessary inbound traffic and block spoofed packets.
Apply hardening measures per protocol layer: enable port security on switches, enable DHCP snooping, enable SYN‑cookie support on servers, and enable DNSSEC on resolvers.
Regularly audit and update firmware/software to patch protocol‑level vulnerabilities.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge: fundamentals, applications, tools, plus Git, databases, Raspberry Pi, and more.