Information Security 11 min read

Understanding TCP/IP Protocol Layers and Common Network Attacks (ARP Spoofing, DoS, DNS)

The article explains how increasing network attacks such as ARP spoofing, DoS, and DNS hijacking exploit vulnerabilities in the four TCP/IP layers, describes their mechanisms, impacts, and defensive measures, and highlights the importance of packet analysis for security.


According to the 2020 first‑half China Internet security monitoring report, malicious program control servers and DDoS attacks continue to rise, making network attacks a primary threat to both network and business information security.

Network attacks exploit vulnerabilities and security flaws in network hardware, software, and data; the TCP/IP protocol suite, designed without security considerations, provides many avenues for such attacks, and automatic packet capture and decoding can quickly detect and trace them.

TCP/IP Protocol

The industry generally divides the TCP/IP stack into four layers: Link, Network, Transport, and Application.

The Link layer handles data transmission over physical media (e.g., Ethernet, token ring) and implements network driver programs for NIC interfaces.

The Network layer centers on the IP protocol, responsible for routing and forwarding packets, inter‑network connectivity, and congestion control.

The Transport layer provides end‑to‑end communication between host applications, defining the TCP and UDP protocols.

The Application layer processes application logic such as file transfer, name resolution, and network management; protocols include TCP‑based FTP, HTTP, and UDP‑based DNS.

Because each TCP/IP layer has distinct functions and protocols, attacks target each layer differently:

Link‑layer attacks focus on physical damage or routing manipulation; Network‑layer attacks include IP fragmentation and ARP spoofing; Transport‑layer attacks are numerous, such as DoS attacks; Application‑layer attacks are the most abundant, with DNS spoofing being a typical example.

ARP Attack

ARP (Address Resolution Protocol) maps an IP address to a MAC address and maintains an ARP cache on each host. When a host needs a MAC address, it checks its cache; if missing, it broadcasts an ARP request.

Upon receiving an ARP request, the target replies with its MAC address, which the requester stores in its ARP cache.

An ARP attack forges IP-to-MAC mappings to poison the ARP cache: the attacker floods the network with bogus ARP replies, which overwrite existing cache entries and lead to network interruption or man-in-the-middle attacks. This is also known as ARP spoofing.

Although ARP attacks only work on Ethernet and require little skill, they can cause network outages, traffic throttling, or account theft. Defenses include deploying port mirroring on switches, capturing suspicious packets, and using DHCP snooping and IP Source Guard.
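A detector for the cache-poisoning pattern described above, as an added example that is not from the original article: it parses raw Ethernet/ARP frames and raises an alert when an ARP reply claims an IP address that is already bound to a different MAC. The three frames are constructed for the demo (the gateway 192.168.1.1, the host 192.168.1.10 and the forged MAC are made up), not a real capture.

```python
import struct
from typing import Dict, List, Optional, Tuple

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str]]:
    """Return (opcode, sender MAC, sender IP) for an ARP frame, None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _tha, _tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return op, mac_str(sha), ip_str(spa)

def detect_poisoning(frames: List[bytes]) -> List[str]:
    """Record the IP->MAC binding asserted by each ARP reply; alert when an IP changes MAC."""
    bindings: Dict[str, str] = {}
    alerts: List[str] = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue  # ignore non-ARP frames and ARP requests
        _, mac, ip = parsed
        known = bindings.setdefault(ip, mac)
        if known != mac:
            alerts.append(f"ARP conflict: {ip} was {known}, now claimed by {mac}")
    return alerts

# Constructed frames (not a real capture): gateway 192.168.1.1 at aa:bb:cc:dd:ee:01 replies to
# host 192.168.1.10 at 00:11:22:33:44:55; the third frame is a forged reply that claims the
# gateway's IP from de:ad:be:ef:00:99, which is the signature of cache poisoning.
SAMPLE_FRAMES = [
    bytes.fromhex("001122334455aabbccddee0108060001080006040002aabbccddee01c0a80101001122334455c0a8010a"),  # legitimate reply
    bytes.fromhex("001122334455aabbccddee0108000001080006040002aabbccddee01c0a80101001122334455c0a8010a"),  # IPv4 EtherType, ignored
    bytes.fromhex("001122334455deadbeef009908060001080006040002deadbeef0099c0a80101001122334455c0a8010a"),  # forged reply
]
```

Calling `detect_poisoning(SAMPLE_FRAMES)` yields one alert for the gateway's IP; on a live network the frames would come from a switch mirror session, and a conflict on the gateway address is the classic sign of an ARP man-in-the-middle attempt.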

DoS Attack

TCP is a connection‑oriented, reliable protocol that reduces bandwidth overhead through retransmission handling.

The TCP three‑way handshake establishes a connection: the client sends a SYN packet, the server replies with SYN‑ACK, and the client finalizes with ACK.

DoS (Denial of Service) attacks aim to make a host or network unable to process legitimate requests, often by flooding with useless traffic, repeatedly opening connections, or exploiting protocol flaws to exhaust resources, causing crashes.

The most common form is SYN flood: the attacker spoofs source IPs and sends numerous SYN packets; the victim replies with SYN‑ACK to non‑existent addresses, leaving many half‑open connections that eventually exhaust resources.

Mitigation strategies include traffic filtering, shortening SYN timeout, and deploying SYN cookies to drop repeated SYNs from the same IP within a short period.
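In the standard SYN-cookie scheme the server keeps no half-open state at all: it encodes the connection 4-tuple and a coarse timestamp into its initial sequence number with a keyed hash, and only creates a connection when the final ACK returns that cookie plus one. The following is an added example of that mechanism (not code from the article); SECRET, SLOT_SECONDS and all addresses are constructed for the demo.

```python
import hashlib, hmac, socket, struct
from typing import Dict, Tuple

SECRET = b"constructed-demo-secret"  # assumption: a per-server secret, rotated periodically
SLOT_SECONDS = 64                     # time slot; a cookie is accepted for this slot and the previous one
Conn = Tuple[str, int, str, int]      # (client IP, client port, server IP, server port)

def _slot(now: float) -> int:
    return int(now // SLOT_SECONDS) & 0xFF

def _cookie(conn: Conn, slot: int) -> int:
    """32-bit ISN = 8-bit time slot || 24-bit keyed hash over the 4-tuple and the slot."""
    msg = struct.pack("!4sH4sHB", socket.inet_aton(conn[0]), conn[1],
                      socket.inet_aton(conn[2]), conn[3], slot)
    tag = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return (slot << 24) | int.from_bytes(tag[:3], "big")

def check_cookie(conn: Conn, ack: int, now: float) -> bool:
    """The handshake-completing ACK must carry ISN + 1 for a cookie minted in a recent slot."""
    isn = (ack - 1) & 0xFFFFFFFF
    claimed = isn >> 24
    cur = _slot(now)
    if claimed not in (cur, (cur - 1) & 0xFF):
        return False  # expired or garbage cookie
    expected = _cookie(conn, claimed).to_bytes(4, "big")
    return hmac.compare_digest(expected, isn.to_bytes(4, "big"))

class StatelessListener:
    """Server side of the handshake: a SYN allocates nothing; only a valid ACK creates state."""
    def __init__(self) -> None:
        self.established: Dict[Conn, int] = {}

    def on_syn(self, conn: Conn, now: float) -> int:
        return _cookie(conn, _slot(now))  # answer SYN-ACK with this ISN, store nothing

    def on_ack(self, conn: Conn, ack: int, now: float) -> bool:
        if not check_cookie(conn, ack, now):
            return False
        self.established[conn] = ack
        return True

def simulate_syn_flood(server: StatelessListener, count: int, now: float) -> int:
    """Constructed flood: SYNs from spoofed sources that never ACK. Returns connections created."""
    for i in range(count):
        server.on_syn((f"203.0.113.{i % 256}", 1024 + i, "10.0.0.5", 443), now)
    return len(server.established)
```

A flood of spoofed SYNs therefore leaves the listener's table empty, while a real client that completes the handshake within two time slots is admitted normally.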

DNS Attack

IP routing requires numeric IP addresses, which are hard to remember; DNS translates human‑readable domain names to IP addresses.

If a DNS record is maliciously altered, users are redirected to incorrect IPs—a practice known as domain hijacking. The primary perpetrators are DNS service providers; replacing or changing the DNS server can mitigate the issue.

Another common DNS attack is DNS poisoning (or spoofing), where an attacker injects forged responses before the legitimate reply arrives, causing the client to receive an incorrect IP address.

To combat network attacks, organizations should raise security awareness, strengthen firewalls, and analyze packet data. Using network performance management tools (e.g., TianDan NPM) that support automatic detection of suspicious packets—including TCP scans, ARP attacks, and DoS—helps generate alerts and ensure normal data transmission.

Thank you for reading, hope this helps :) Source: blog.csdn.net/daocaokafei/article/details/116176790
