Chapter 4: Network, Web, and Social Engineering Attacks

Network protocols were largely designed for reliability and interoperability, not security. Attackers exploit the implicit trust baked into ARP, DNS, VLAN tagging, and BGP to redirect traffic, impersonate hosts, or manipulate routing at global scale.

1.1 ARP Spoofing

ARP maps IP addresses to MAC addresses on a local segment. Because ARP has no authentication, any host can broadcast a forged reply claiming to own any IP, and neighboring devices will update their caches.

1. Host A wants to reach the gateway (192.168.1.1) and has its MAC cached.
2. Attacker broadcasts: "192.168.1.1 is at ATTACKER_MAC" — a gratuitous ARP reply.
3. Host A updates its cache — all gateway-bound traffic now flows to the attacker.
4. Attacker forwards traffic onward (MitM) or drops it (DoS).

Detection: Duplicate IP-to-MAC entries in ARP tables; sudden MAC changes in switch CAM tables; arpwatch/XArp alerts on gratuitous replies.

Prevention: Dynamic ARP Inspection (DAI) validates ARP packets against DHCP snooping tables; static ARP entries for critical hosts; 802.1X port authentication.

1.2 DNS Cache Poisoning

DNS resolvers cache responses for performance. Cache poisoning injects fraudulent records so queries for a legitimate domain return an attacker-controlled IP. The classic Kaminsky attack raced forged responses against the legitimate authoritative server, exploiting predictable transaction IDs.

Consequences: Users redirected to phishing clones; MX records poisoned to intercept email; certificate validation undermined.

Prevention: DNSSEC (signs records cryptographically); DNS over HTTPS (DoH) / DNS over TLS (DoT); randomized source ports and transaction IDs; short TTLs on critical records.

1.3 VLAN Hopping

Prevention: Disable DTP (switchport nonegotiate); change native VLAN to unused ID (not VLAN 1); prune unused VLANs from trunks.

1.4 BGP Hijacking

BGP has no cryptographic authentication in the base protocol. A malicious AS can announce more-specific prefixes to divert global traffic. The 2008 Pakistan Telecom/YouTube incident accidentally redirected YouTube globally for two hours. The 2019 Rostelecom incident briefly redirected financial institution traffic.

Prevention: RPKI (cryptographic Route Origin Authorizations); BGPsec (signs full AS path); BGPmon anomaly monitoring.

A DoS attack makes a resource unavailable by overwhelming it with requests, exhausting protocol state, or consuming computational capacity. When originating from many distributed sources (a botnet), it becomes a DDoS attack.

DoS vs. DDoS

Attack Categories

Volumetric Attacks (Layer 3/4 — Bandwidth Exhaustion)

• UDP Flood: High-rate UDP packets to random ports; target must process each and send ICMP unreachable replies — exhausting CPU and bandwidth. Spoofed IPs prevent return traffic.
• ICMP Smurf Flood: ICMP echo requests to broadcast address with victim's spoofed source IP; every host replies to the victim (amplification).
• Amplification Attacks: Exploit protocols with large response/request ratios. DNS up to 179×; NTP monlist up to 556×; Memcached UDP up to 51,000×.

Protocol Attacks (Layer 3/4 — State Table Exhaustion)

• SYN Flood: Floods TCP SYN packets with spoofed IPs. Server allocates a TCB for each SYN before handshake completes; half-open connections persist 75 seconds. Table fills — legitimate connections refused.
• ACK/RST Flood: Forces stateful devices to perform expensive lookups for packets not matching any session.

Application-Layer Attacks (Layer 7 — Resource Exhaustion)

• HTTP Flood: Valid HTTP GET/POST at high volume, triggering DB queries and rendering per request.
• Slowloris: Opens many partial HTTP connections by sending headers slowly, tying up the server's connection pool with minimal bandwidth.
• ReDoS: Crafts input triggering catastrophic regex backtracking, exhausting CPU.

DDoS Mitigation Strategies

MitM attacks position the attacker between two communicating parties so all traffic flows through them. The victim believes they are communicating directly with the legitimate peer.

3.1 ARP-Based MitM

ARP spoofing poisons both the victim's ARP cache (gateway IP → attacker MAC) and the gateway's cache (victim IP → attacker MAC). With IP forwarding enabled on the attacker's system, traffic relays transparently while being inspected or modified.

3.2 SSL Stripping

SSL stripping downgrades an HTTPS connection to HTTP, allowing the attacker (already in MitM position) to intercept plaintext traffic even when the server supports TLS.

1. Victim's browser requests http://bank.example.com
2. Attacker intercepts the HTTP request
3. Attacker establishes a legitimate HTTPS connection to the server
4. Attacker serves victim an HTTP version, replacing all https:// links with http://
5. Victim communicates in plaintext to the attacker — no obvious browser warning

Prevention: HSTS instructs browsers to always use HTTPS for a domain; HSTS Preloading embeds the domain in browser preload lists before first connection; 301 redirects with HSTS headers.

3.3 Session Hijacking

Prevention: HttpOnly (prevents JS access) and Secure (HTTPS only) cookie flags; SameSite=Strict to prevent CSRF-assisted hijacking; regenerate session tokens on privilege escalation; short timeouts.

Web applications represent one of the largest attack surfaces in modern IT. The OWASP Top 10 provides a consensus ranking of the most critical risks. Injection vulnerabilities (A03) have consistently ranked at the top.

4.1 SQL Injection (SQLi)

SQLi occurs when untrusted input is incorporated into a database query without sanitization, letting an attacker alter query logic.

A vulnerable login query:

SELECT * FROM users WHERE username = '$username' AND password = '$password';

With input ' OR 1=1 -- as the username:

SELECT * FROM users WHERE username = '' OR 1=1 --' AND password = 'anything';

1=1 is always true; -- comments out the password check. Returns all users — typically grants admin access.

Prevention: Parameterized queries/prepared statements (single most effective control); input validation; least-privilege DB accounts; WAF as defense-in-depth.

# Vulnerable
cursor.execute("SELECT * FROM users WHERE id = " + user_input)

# Safe (parameterized)
cursor.execute("SELECT * FROM users WHERE id = ?", (user_input,))

4.2 Command Injection

User-supplied input passed unsanitized to a system shell allows execution of arbitrary OS commands with the web server's privileges.

# Vulnerable PHP — ping tool
$host = $_GET['host'];
system("ping -c 1 " . $host);

# Attacker input: 127.0.0.1; cat /etc/passwd
# Resulting command: ping -c 1 127.0.0.1; cat /etc/passwd

Common chaining operators: ; (always), && (if first succeeds), || (if first fails), $() (command substitution).

Prevention: Avoid shell calls entirely; use language-native libraries; if unavoidable use shell=False parameterized APIs; whitelist input characters; least-privileged web server account.

4.3 Cross-Site Scripting (XSS)

Prevention: Output encoding (HTML-encode all user data before rendering); Content Security Policy (CSP) blocks inline script execution; HttpOnly cookies prevent theft; avoid innerHTML/eval() — use textContent.

4.4 OWASP Top 10 Overview

Technical defenses can block most automated exploits, which is precisely why adversaries target the human layer. Generative AI has dramatically lowered the skill barrier and raised the realism ceiling for social engineering attacks.

5.1 Phishing Attack Taxonomy

5.2 Traditional Social Engineering Vectors

• Pretexting: Fabricated scenario to build trust before a request ("I'm from IT security...")
• Baiting: Malware-laden USB drives in parking lots — curiosity triggers execution
• Tailgating: Following an authorized person through a secured physical door
• Quid Pro Quo: Offering "free IT help" in exchange for credentials
• Watering Hole: Compromising a website frequently visited by the target organization

5.3 Generative AI and the New Attack Landscape

As of 2024-2025, 82.6% of phishing emails are AI-influenced, generating contextually accurate, grammatically perfect messages tailored to the recipient's industry, role, and recent activities scraped from LinkedIn, GitHub, and press releases. Traditional phishing tell-tales (grammar errors, generic salutations) have been eliminated.

AI voice cloning statistics (2024-2025):

• Voice cloning achieves 85% accuracy from 3 seconds of audio; up to 95% accuracy with more samples
• Vishing attacks surged 442-449% year-over-year in 2024-2025
• Deepfake-enabled vishing rose over 1,600% in Q1 2025 vs. Q4 2024
• 35% of people cannot distinguish a cloned voice from the real person; 25% of employees have been deceived
• AI-generated fraud costs organizations avg. $14M/year; global losses projected $40B by 2027

Hong Kong CFO incident (2024): An employee attended a video conference with apparent colleagues including the CFO — all were AI-generated deepfake avatars. The employee authorized a ~$25 million USD wire transfer, believing the request was legitimate. Deepfakes have reached quality sufficient to deceive trained professionals in real-time video contexts.

5.4 AI-Enhanced Attack Patterns

5.5 Detection and Awareness Strategies

Technical controls: STIR/SHAKEN (cryptographic caller ID signing); liveness detection (randomized challenge for biometrics); AI-based email analysis; DMARC/DKIM/SPF (prevent domain spoofing).

Procedural controls: Out-of-band verification for any high-risk request using a separately established trusted channel; pre-arranged code words for executive/finance teams; callback procedures using independently looked-up numbers.

Awareness training updates for AI era:

1. AI eliminates grammar/spelling as phishing indicators — train employees not to rely on these
2. Demonstrate voice-cloning examples so employees understand the realism achievable
3. Train verification procedures for urgent, out-of-policy financial or access requests
4. Conduct simulated AI phishing campaigns to measure resilience
5. Establish a "verification culture" where out-of-band confirmation is normalized and rewarded