This is a tour of the most common network-layer attacks. We’ll cover what they do, how they work, and how we defend against each.
DDoS — Distributed Denial of Service
The attacker overwhelms our service with so much traffic that real users can’t get in. “Distributed” means traffic comes from thousands of compromised machines (a botnet), so we can’t just block one IP.
DDoS attacks come in three flavors, based on which layer they target:
Volumetric (Layer 3/4)
Floods the pipe with raw bandwidth — UDP floods, ICMP floods, DNS amplification. Measured in Gbps or Tbps. The goal is to saturate the network link before traffic even reaches the server.
Defense: scrubbing services (Cloudflare, AWS Shield, Akamai), large upstream bandwidth, BGP blackholing.
Protocol (Layer 4)
Exploits how TCP/UDP works. SYN flood is the classic — attacker sends millions of TCP SYN packets but never completes the handshake. The server holds half-open connections until its socket table fills up.
Defense: SYN cookies (the server allocates no state until the final ACK of the handshake arrives), net.ipv4.tcp_syncookies=1 on Linux, connection rate limits.
Application (Layer 7)
Looks like real HTTP traffic but specifically targets expensive endpoints. A few thousand requests per second to /search?q=* can take a database down without using much bandwidth.
Defense: rate limiting, WAF rules, bot detection, CAPTCHA, caching.
MITM — Man in the Middle
Attacker sits between client and server, reading and possibly modifying traffic. Common on public WiFi.
How it works: the attacker tricks the victim into routing traffic through them — via ARP spoofing on a LAN, a fake WiFi access point, or a rogue cert.
Defense:
- HTTPS everywhere — TLS authenticates the server via certificates, so a MITM can’t impersonate the real site without a valid cert.
- HSTS — tells browsers “always use HTTPS for this domain, never accept HTTP.”
- Certificate pinning — mobile apps pin specific cert fingerprints, so a fake cert is rejected even if it was issued by a compromised CA.
- VPNs on untrusted networks.
ARP Spoofing
ARP (Address Resolution Protocol) maps IPs to MAC addresses on a LAN. There’s no authentication. An attacker on the same LAN sends fake ARP replies saying “I’m the router,” and traffic from victims now flows through them.
Defense: static ARP entries (impractical at scale), Dynamic ARP Inspection on managed switches, port security, monitoring tools like arpwatch.
DNS Spoofing / Cache Poisoning
Attacker tricks a DNS resolver into caching a fake mapping (bank.com -> attacker IP). Now every user of that resolver gets sent to the attacker’s server.
The classic technique was the Kaminsky attack (2008) — guessing transaction IDs to inject fake responses.
Defense:
- DNSSEC — DNS responses are cryptographically signed by the zone owner.
- DNS over HTTPS (DoH) / DNS over TLS (DoT) — encrypts the resolver path.
- Random source ports + 0x20 encoding (random upper/lower case in the query name, echoed back by the server) so a forged reply must match more than just the 16-bit transaction ID.
Replay Attack
Attacker captures a valid encrypted message (say, a payment authorization) and replays it later to make the action happen twice.
The packet is still encrypted — they don’t read it, they just resend it.
Defense:
- Nonces — random one-time values in every request; server rejects duplicates.
- Timestamps — reject anything older than N seconds.
- Sequence numbers — TLS does this internally; every record has an incrementing counter.
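As an added example (not code from the original post), here is a server-side check that combines the nonce and timestamp defenses above, with an HMAC over both fields so an attacker cannot simply edit them; the shared key, the 30-second window and the request layout are assumptions.

```python
import hmac
import hashlib
import time
from typing import Optional

WINDOW_SECONDS = 30  # assumed freshness window (the "N seconds" from the text)


def _mac(key: bytes, payload: str, ts: int, nonce: str) -> str:
    # Bind timestamp and nonce to the payload; changing any field breaks the tag.
    return hmac.new(key, f"{ts}|{nonce}|{payload}".encode(), hashlib.sha256).hexdigest()


def sign_request(key: bytes, payload: str, ts: int, nonce: str) -> dict:
    # Client side: in production the nonce comes from secrets.token_hex(16).
    return {"ts": ts, "nonce": nonce, "payload": payload, "mac": _mac(key, payload, ts, nonce)}


class ReplayGuard:
    """Server side: rejects tampered, stale and replayed requests."""

    def __init__(self, key: bytes, window: int = WINDOW_SECONDS):
        self.key = key
        self.window = window
        # nonce -> request timestamp. Only nonces inside the window need remembering,
        # because anything older is rejected by the timestamp check anyway.
        self.seen: dict = {}

    def accept(self, request: dict, now: Optional[int] = None) -> tuple:
        now = int(time.time()) if now is None else now
        ts, nonce, payload = request["ts"], request["nonce"], request["payload"]
        # 1. Verify the MAC first, so ts/nonce are trusted only after authentication.
        if not hmac.compare_digest(_mac(self.key, payload, ts, nonce), request["mac"]):
            return (False, "bad mac")
        # 2. Timestamp window: too old (a captured message) or too far in the future.
        if abs(now - ts) > self.window:
            return (False, "stale")
        # 3. Nonce: evict entries that the window check would now reject, then
        #    refuse anything we have already processed inside the window.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:
            return (False, "replay")
        self.seen[nonce] = ts
        return (True, "ok")
```

The eviction step keeps memory bounded by the number of requests per window rather than growing forever.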
Quick Reference
Interview Tip
For each attack, an interviewer wants three things: what it does, how it works at the protocol level, and at least one mitigation. Don’t just say “use HTTPS” for everything — show that we understand which layer the attack hits.