Objective 2.4 | High Priority | 11 min read

Network Attack Indicators

Recognition of network-based attacks including DDoS (amplified and reflected), DNS attacks (poisoning, spoofing), wireless attacks (evil twin, deauth), on-path attacks (MITM), and credential replay attacks.

Understanding Network Attack Indicators

Network attacks target the communication infrastructure that connects systems. Recognizing attack indicators in network traffic and behavior enables early detection and response before significant damage occurs.

Key network attack categories:

  • Denial of Service — DDoS, amplification, reflection attacks
  • DNS attacks — Poisoning, spoofing, hijacking
  • Wireless attacks — Evil twin, deauthentication, rogue AP
  • On-path attacks — Man-in-the-middle, interception
  • Credential attacks — Replay, session hijacking

Network monitoring and traffic analysis are essential for detecting these attacks.

Why This Matters for the Exam

Network attack indicators are heavily tested on SY0-701. Questions describe traffic patterns or network behaviors and ask you to identify the attack type.

Understanding these indicators helps with security monitoring, intrusion detection configuration, and incident response. Real-time detection of network attacks can prevent breaches.

The exam tests specific terminology (amplification vs. reflection) and the ability to recognize attacks from their indicators.

Deep Dive

Distributed Denial of Service (DDoS)

Overwhelming targets with traffic from multiple sources.

DDoS Types:

Type        | Method                      | Indicators
Volumetric  | Flood with traffic          | Bandwidth saturation, slow speeds
Protocol    | Exploit protocol weaknesses | Connection table exhaustion, SYN floods
Application | Target app layer            | Slow HTTP, resource exhaustion

Amplification Attacks:

  • Attacker sends small request
  • Response is much larger (amplified)
  • Common amplification protocols: DNS (70x), NTP (500x), SSDP (30x)

Amplification Indicators:

  • Large amounts of UDP traffic from specific services
  • Traffic volume far exceeds request volume
  • Queries to services you don't use internally

Reflection Attacks:

  • Attacker spoofs victim's IP address
  • Sends requests to third-party servers
  • Servers respond to victim (reflected traffic)

Reflection Indicators:

  • Incoming traffic from many legitimate servers
  • No corresponding outbound requests
  • UDP responses without matching queries

DDoS General Indicators:

  • Sudden bandwidth consumption spike
  • Service unavailability
  • Slow network performance
  • Connection timeouts
  • IPS/firewall alerts on traffic volume

DNS Attacks

Attacks targeting the Domain Name System.

DNS Attack Types:

DNS Poisoning/Cache Poisoning:

  • Corrupting DNS resolver cache
  • Users directed to malicious IPs
  • Legitimate domain → attacker's server

DNS Spoofing:

  • Responding to queries with false information
  • Man-in-the-middle DNS responses
  • Redirect users to attacker-controlled sites

DNS Hijacking:

  • Compromising DNS server or records
  • Changing authoritative DNS data
  • Broad impact on all queries for domain

DNS Tunneling:

  • Encoding data in DNS queries/responses
  • Bypassing firewalls (DNS usually allowed)
  • Command and control communication

DNS Attack Indicators:

Attack    | Indicators
Poisoning | Users reaching wrong sites, certificate errors
Spoofing  | DNS responses from unexpected sources
Hijacking | Nameserver records changed unexpectedly
Tunneling | Unusual DNS query patterns, long subdomains
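
The tunneling indicators in the table (unusual query patterns, long subdomains) can be scored from a resolver log. The following is an added example, not code from the page or from CompTIA; the log lines are constructed, and treating the last two labels as the registered domain is a simplification assumed for the example.

```python
import math
from collections import defaultdict

# Constructed DNS query log (not from the page), one query per line: "<client_ip> <qtype> <qname>".
# The 10.0.0.7 queries carry hex-encoded data in a long leftmost label under c2.example.net.
QUERY_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 TXT 6a6f686e2d646f652d70617373776f7264.c2.example.net
10.0.0.7 TXT 3133372e302e302e312d636f6e6e6563742d6f6b.c2.example.net
10.0.0.7 TXT 77686f616d692d726f6f742d68656c6c6f.c2.example.net
10.0.0.5 A www.example.com
"""

def shannon_entropy(s):
    """Bits per character: encoded payloads score high, human-readable labels score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s))) if n else 0.0

def split_name(qname):
    """Assumption for this example: the registered domain is the last two labels."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def tunneling_report(log_text):
    """Per registered domain, the page's tunneling indicators: long, unique, high-entropy subdomains."""
    per_domain = defaultdict(list)
    for line in log_text.strip().splitlines():
        _client, qtype, qname = line.split()
        domain, sub = split_name(qname)
        per_domain[domain].append((qtype, sub))
    report = {}
    for domain, rows in per_domain.items():
        subs = [sub for _, sub in rows]
        report[domain] = {
            "queries": len(rows),
            "unique_subdomain_ratio": len(set(subs)) / len(subs),   # tunnels rarely repeat a label
            "max_subdomain_len": max(len(s) for s in subs),
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / len(subs),
        }
    return report

def suspected_tunnels(report, min_len=30, min_unique=0.75, min_entropy=2.5):
    """Domains whose subdomains are long, almost never repeated and look like encoded data."""
    return sorted(d for d, m in report.items()
                  if m["max_subdomain_len"] >= min_len
                  and m["unique_subdomain_ratio"] >= min_unique
                  and m["mean_entropy"] >= min_entropy)
```

The thresholds are starting points; tune them against a baseline of your own resolver's normal traffic before alerting on them.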

Wireless Attacks

Attacks targeting wireless network infrastructure.

Evil Twin:

  • Fake AP mimicking legitimate network
  • Same SSID, stronger signal
  • Intercepts all victim traffic

Evil Twin Indicators:

  • Duplicate SSIDs detected
  • Users reporting certificate warnings
  • Unexpected AP in wireless survey
  • Connection drops then reconnects

Deauthentication Attack:

  • Forcing clients off legitimate network
  • Captures handshakes for cracking
  • Denial of service to wireless users

Deauth Indicators:

  • Frequent disconnections
  • Deauth frames in wireless capture
  • Users unable to stay connected
  • Handshake capture attempts in logs

Rogue Access Point:

  • Unauthorized AP on network
  • May be malicious or just unauthorized
  • Bypasses network security

Rogue AP Indicators:

  • Unknown APs in wireless surveys
  • Network traffic from unexpected sources
  • Wired connections to unknown devices
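
The evil twin, deauthentication and rogue AP indicators above can all be checked against a wireless survey and a frame capture. This is an added example, not code from the page; the authorized BSSID list, survey rows and deauth frame timestamps are constructed.

```python
from collections import Counter

# Constructed data (not from the page): the BSSIDs we operate per SSID, a site survey,
# and the 802.11 deauthentication frames seen in a one-minute capture.
AUTHORIZED = {"CorpWiFi": {"00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02"}}

SURVEY = [  # (ssid, bssid, channel, rssi_dbm)
    ("CorpWiFi", "00:1a:2b:3c:4d:01", 6, -55),
    ("CorpWiFi", "00:1a:2b:3c:4d:02", 11, -60),
    ("CorpWiFi", "aa:bb:cc:dd:ee:ff", 6, -35),   # our SSID, a BSSID we do not own, strongest signal
    ("GuestNet", "11:22:33:44:55:66", 1, -70),    # an SSID we do not operate at all
]

DEAUTH_FRAMES = [  # (seconds, source_bssid, reason_code)
    (t, "00:1a:2b:3c:4d:01", 7) for t in range(0, 60, 2)   # 30 deauths in a minute "from" our AP
] + [(5, "00:1a:2b:3c:4d:02", 3)]                          # a single, ordinary disconnect

def evil_twin_candidates(survey, authorized):
    """Same SSID as an authorized network but a BSSID we do not own, strongest signal first."""
    hits = [ap for ap in survey if ap[0] in authorized and ap[1] not in authorized[ap[0]]]
    return sorted(hits, key=lambda ap: ap[3], reverse=True)

def unknown_aps(survey, authorized):
    """APs advertising SSIDs we do not operate: rogue-AP candidates that need a physical check."""
    return [ap for ap in survey if ap[0] not in authorized]

def deauth_storms(frames, window_s=60, threshold=10):
    """BSSIDs whose deauth frames in any window exceed the threshold; healthy APs send very few."""
    buckets = Counter((bssid, int(t // window_s)) for t, bssid, _ in frames)
    return {bssid: n for (bssid, _), n in buckets.items() if n > threshold}
```

A deauth storm attributed to your own BSSID is itself the tell: spoofed deauth frames carry the legitimate AP's address, so the count is of frames claiming to come from it, not proof the AP sent them.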

On-Path Attacks (Man-in-the-Middle)

Intercepting and potentially modifying traffic between parties.

On-Path Attack Methods:

Method            | Description
ARP spoofing      | Redirect LAN traffic through attacker
DNS spoofing      | Redirect by DNS manipulation
SSL stripping     | Downgrade HTTPS to HTTP
Session hijacking | Take over established session

On-Path Attack Indicators:

  • ARP table showing unexpected MAC addresses
  • Certificate warnings
  • HTTP where HTTPS expected
  • Duplicate MAC addresses on network
  • Slow network performance
  • Changed session tokens
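
The first and fourth indicators above (unexpected MAC in the ARP table, duplicate MACs) fall out of watching ARP replies over time. This is an added example, not code from the page; the ARP reply records are constructed and 10.0.0.1 is assumed to be the gateway.

```python
from collections import defaultdict

# Constructed ARP replies seen on a LAN segment (not from the page): (seconds, sender_ip, sender_mac).
# 10.0.0.1 is the gateway. From t=2 an unknown MAC starts answering for it and then for a host too.
ARP_REPLIES = [
    (0, "10.0.0.1", "00:11:22:33:44:01"),
    (1, "10.0.0.25", "00:11:22:33:44:19"),
    (2, "10.0.0.1", "de:ad:be:ef:00:01"),
    (3, "10.0.0.25", "de:ad:be:ef:00:01"),
    (4, "10.0.0.1", "de:ad:be:ef:00:01"),
]

def arp_indicators(replies, gateway_ip):
    """Two on-path tells: an IP whose MAC changes, and one MAC answering for several IPs."""
    mac_history = defaultdict(list)   # ip -> MACs it has claimed, in order seen
    ips_per_mac = defaultdict(set)    # mac -> IPs it has claimed
    alerts = []
    for t, ip, mac in replies:
        hist = mac_history[ip]
        if hist and hist[-1] != mac:
            severity = "high" if ip == gateway_ip else "medium"   # gateway change = all traffic rerouted
            alerts.append((t, severity, f"{ip} moved from {hist[-1]} to {mac}"))
        if not hist or hist[-1] != mac:
            hist.append(mac)
        claimed = ips_per_mac[mac]
        if claimed and ip not in claimed:
            alerts.append((t, "medium", f"{mac} now answers for {sorted(claimed | {ip})}"))
        claimed.add(ip)
    return alerts

def gateway_mac_changed(replies, gateway_ip):
    """True when the gateway's MAC changed during the capture: the Q3 indicator at the end of this page."""
    return any(sev == "high" for _, sev, _ in arp_indicators(replies, gateway_ip))
```

Legitimate causes exist (a replaced router, a failover pair), so confirm the new MAC against the gateway's known hardware before treating the alert as an attack.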

SSL Stripping Indicators:

  • Sites loading as HTTP instead of HTTPS
  • Lock icon missing from browser
  • Users reporting insecure warnings
  • Downgrade from secure to insecure

Credential Replay

Capturing and reusing authentication credentials or tokens.

Replay Attack Types:

  • Captured password hashes replayed
  • Stolen session tokens reused
  • Kerberos ticket replay
  • OAuth token theft and replay

Credential Replay Indicators:

  • Same credentials used from different locations
  • Session tokens appearing in unusual contexts
  • Authentication without password entry
  • Impossible login timing (too fast from different locations)
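
Two of the indicators above, impossible login timing and a session token turning up in an unusual context, can be checked from an authentication log. This is an added example, not code from the page; the events, coordinates and fingerprint labels are constructed, and 900 km/h is an assumed airliner-speed ceiling.

```python
import math

# Constructed authentication events (not from the page):
# (user, epoch_seconds, latitude, longitude, client_fingerprint, session_id)
EVENTS = [
    ("alice", 0, 40.71, -74.01, "fp-laptop", "sess-1"),        # New York
    ("alice", 3600, 40.71, -74.01, "fp-laptop", "sess-1"),
    ("alice", 4200, 51.51, -0.13, "fp-unknown", "sess-1"),     # London, 10 minutes later, same session id
    ("bob", 0, 37.77, -122.42, "fp-phone", "sess-2"),          # San Francisco
    ("bob", 86400, 47.61, -122.33, "fp-phone", "sess-3"),      # Seattle a day later: plausible travel
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(events, max_kmh=900.0, min_km=50.0):
    """Consecutive logins by one user that would need faster-than-airliner travel between them."""
    alerts, last = [], {}
    for user, t, lat, lon, _fp, _sid in sorted(events, key=lambda e: (e[0], e[1])):
        if user in last:
            lt, llat, llon = last[user]
            km = haversine_km(llat, llon, lat, lon)
            hours = (t - lt) / 3600
            if km > min_km and (hours <= 0 or km / hours > max_kmh):
                alerts.append((user, t, round(km), round(km / hours) if hours > 0 else None))
        last[user] = (t, lat, lon)
    return alerts

def session_reuse(events):
    """Session ids presented by more than one client fingerprint: a captured token being replayed."""
    fps_per_session, hits = {}, set()
    for _user, _t, _lat, _lon, fp, sid in events:
        fps_per_session.setdefault(sid, set()).add(fp)
        if len(fps_per_session[sid]) > 1:
            hits.add(sid)
    return sorted(hits)
```

`session_reuse` is the detection side of "session binding to client characteristics" from the Prevention list: a server that binds the token to the fingerprint would reject the third alice event instead of merely flagging it.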

Prevention:

  • Time-stamped authentication
  • One-time tokens
  • Challenge-response protocols
  • Session binding to client characteristics

How CompTIA Tests This

Example Analysis

Scenario: Network monitoring shows massive inbound UDP traffic on port 53 (DNS) from thousands of different IP addresses—all legitimate DNS servers. The organization's internet connection is saturated. No corresponding outbound DNS queries were made to these servers.

Analysis - DNS Amplification/Reflection DDoS:

Indicators Present:

  • High volume UDP port 53 traffic
  • Traffic from legitimate DNS servers
  • No matching outbound requests
  • Bandwidth saturation

Attack Type: DNS Amplification with Reflection

How It Works:

  1. Attacker sends DNS queries with spoofed source IP (victim's IP)
  2. Queries sent to many open DNS resolvers
  3. DNS servers respond to victim (reflection)
  4. Responses larger than queries (amplification ~70x)
  5. Victim overwhelmed with traffic

Why DNS Is Used:

  • UDP allows spoofing (no handshake)
  • DNS often allowed through firewalls
  • Amplification factor is significant
  • Many open resolvers available

Response:

  1. Contact ISP for upstream filtering
  2. Implement rate limiting on DNS traffic
  3. Block specific attacking IPs if identifiable
  4. Consider DDoS mitigation service
  5. Report to DNS servers being abused

Key insight: Inbound responses without outbound requests, combined with volume, indicate a reflection attack with a spoofed source IP.
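
The key insight above, and the Reflection and Amplification Indicators listed in the Deep Dive, reduce to one check: pair every inbound UDP/53 response with the outbound query that should have caused it, and compare bytes in against bytes out. This is an added example, not code from the page; the flow records are constructed and 203.0.113.10 is assumed to be the organization's public address.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "direction proto src sport dst dport nbytes")

# Constructed flow records (not from the page). 203.0.113.10 is the organization's public IP.
# One legitimate query/answer pair, then a burst of DNS "answers" that nobody here asked for.
FLOWS = [
    Flow("out", "udp", "203.0.113.10", 51234, "198.51.100.5", 53, 64),
    Flow("in",  "udp", "198.51.100.5", 53, "203.0.113.10", 51234, 310),
    Flow("in",  "udp", "192.0.2.11", 53, "203.0.113.10", 80, 3900),
    Flow("in",  "udp", "192.0.2.12", 53, "203.0.113.10", 80, 4100),
    Flow("in",  "udp", "192.0.2.13", 53, "203.0.113.10", 80, 3800),
    Flow("in",  "udp", "192.0.2.14", 53, "203.0.113.10", 80, 4000),
    Flow("in",  "udp", "192.0.2.11", 53, "203.0.113.10", 80, 3900),
]

def dns_reflection_indicators(flows, victim_ip, dns_port=53):
    """Pair inbound UDP/53 responses with the outbound queries that should have caused them."""
    expected = set()           # (server_ip, our_source_port) for every query we really sent
    out_bytes = in_bytes = 0
    unmatched = []             # inbound "responses" with no matching query: the reflection tell
    for f in flows:
        if f.proto != "udp":
            continue
        if f.direction == "out" and f.src == victim_ip and f.dport == dns_port:
            expected.add((f.dst, f.sport))
            out_bytes += f.nbytes
        elif f.direction == "in" and f.dst == victim_ip and f.sport == dns_port:
            in_bytes += f.nbytes
            if (f.src, f.dport) not in expected:
                unmatched.append(f)
    return {
        "unmatched_responses": len(unmatched),
        "distinct_reflectors": len({f.src for f in unmatched}),
        "unmatched_bytes": sum(f.nbytes for f in unmatched),
        # bytes in vs. bytes out: the "traffic volume far exceeds request volume" indicator
        "in_out_byte_ratio": in_bytes / out_bytes if out_bytes else float("inf"),
    }

def is_reflection_ddos(ind, min_reflectors=3, min_ratio=10.0):
    """Many servers answering queries we never sent, with far more bytes in than out."""
    return (ind["unmatched_responses"] > 0
            and ind["distinct_reflectors"] >= min_reflectors
            and ind["in_out_byte_ratio"] >= min_ratio)
```

The reflector addresses are real, non-malicious resolvers, which is why the Response step is to rate-limit and filter upstream rather than to treat those servers as the attacker.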

Key Terms to Know

network attack indicators, DDoS, DNS attacks, wireless attacks, on-path attack, man-in-the-middle, credential replay, amplification attack

Common Mistakes to Avoid

Confusing amplification and reflection—amplification increases response size. Reflection uses spoofed IPs to redirect traffic. Attacks often use both.
Assuming all DDoS is volumetric—application layer DDoS (like Slowloris) uses little bandwidth but exhausts resources.
Thinking HTTPS prevents on-path attacks—SSL stripping can downgrade connections. Always watch for certificate warnings.
Ignoring DNS as an attack vector—DNS attacks can redirect users transparently. Monitor DNS query patterns.

Exam Tips

Amplification = Small request, large response (DNS 70x, NTP 500x).
Reflection = Spoofed source IP causes responses sent to victim.
On-path = Man-in-the-middle. Indicators: ARP anomalies, cert warnings.
Evil twin = Fake AP with same SSID. Indicators: duplicate networks, stronger signal.
Credential replay = Reusing captured credentials. Defense: timestamps, one-time tokens.
DNS tunneling = Data hidden in DNS queries. Indicator: long subdomain names.

Memory Trick

"DDWOC" - Network Attack Categories

  • DDoS (volumetric, protocol, application)
  • DNS attacks (poisoning, spoofing, tunneling)
  • Wireless (evil twin, deauth, rogue AP)
  • On-path (MITM, ARP spoofing, SSL strip)
  • Credential replay (token/hash reuse)

Amplification vs. Reflection:

  • Amplification = Add volume (bigger response)
  • Reflection = Redirect (spoofed IP bounces traffic)

DDoS Amplification Factors: "NDS" - NTP (500x), DNS (70x), SSDP (30x)

On-Path Indicators: "CASC"

  • Certificate warnings
  • ARP table anomalies
  • Slow performance
  • Connection downgrades (HTTPS→HTTP)

Evil Twin Detection: "See TWIN networks? That's suspicious!" Duplicate SSIDs = potential attack

Test Your Knowledge

Q1. An organization receives massive volumes of DNS response traffic from thousands of DNS servers, but made no corresponding DNS queries. What type of attack is this?

Q2. Users report frequent wireless disconnections. Packet capture shows numerous deauthentication frames. What attack is likely occurring?

Q3. A network analyzer detects that the gateway's MAC address in the ARP table has changed to match an unknown device. What type of attack does this indicate?
