Common Network Attacks Decoded: A Comprehensive Technical Guide to MITM, Botnets, DDoS, and DNS Spoofing + Video

Listen to this Post

Featured Image

Introduction:

Network attacks remain one of the biggest threats to organizations, users, and critical infrastructure. Understanding the mechanics of Man-in-the-Middle (MITM) attacks, rootkits, botnets, IP spoofing, DDoS, and DNS spoofing is the first step toward building a robust, layered defense. This article provides a technical deep dive into these attack vectors, offering practical detection and mitigation strategies using both Linux and Windows environments.

Learning Objectives:

  • Understand the technical execution methods of six common network attack types.
  • Learn to detect and mitigate attacks using Linux command-line tools and iptables.
  • Implement proactive security measures, including reverse path filtering and DNSSEC, to prevent IP and DNS spoofing.

1. Man-in-the-Middle (MITM) and ARP Spoofing

What this is: MITM attacks occur when an attacker secretly intercepts and potentially alters the communication between two parties. ARP spoofing is a common technique to achieve this on local networks, where the attacker associates their MAC address with the IP address of another device (e.g., the default gateway). This allows the attacker to capture, sniff, and modify data packets.

Step-by-step tutorial: This lab, designed for educational use in an isolated environment, uses `ettercap` to perform ARP spoofing and capture traffic.

Prerequisites: Three VMs on an isolated network: an Attacker (Kali Linux), a Victim (e.g., Kali Linux), and a Target (e.g., Metasploitable2).

Step 1: Enable IP forwarding on the attacker machine. This allows the attacker to act as a router and forward traffic between the victim and target, preventing a denial of service.

sudo sysctl -w net.ipv4.ip_forward=1

Step 2: Launch the ARP spoofing attack. Use `ettercap` to poison the ARP cache of the victim and the target (gateway). Replace `eth0` with your network interface, and `192.168.1.10` and `192.168.1.1` with the IP addresses of your victim and gateway, respectively.

sudo ettercap -T -M arp:remote /192.168.1.10// /192.168.1.1//

Step 3: Capture and analyze traffic. Use `tcpdump` or `wireshark` to capture packets on the attacker’s machine. For example, to capture HTTP traffic to a file:

sudo tcpdump -i eth0 port 80 -w capture.pcap

Mitigation: Use static ARP entries for critical devices, implement Dynamic ARP Inspection (DAI) on managed switches, and always use encryption (HTTPS, SSH, VPNs) for sensitive communications. Monitor for ARP anomalies using tools like arpwatch.

2. Rootkit Detection and Analysis

What this is: Rootkits are a collection of malicious software tools that enable unauthorized access to a computer while actively hiding their presence from administrators and security software by subverting the operating system. They can be user-mode or kernel-mode, with kernel-mode rootkits being particularly dangerous.

Detection Commands (Linux): For Linux systems, the standard tools are `chkrootkit` and rkhunter. It’s best practice to run both for comprehensive scanning.

 Update package lists and install the tools
sudo apt update && sudo apt install chkrootkit rkhunter -y

Update rkhunter's malware signatures
sudo rkhunter --update

Run a chkrootkit scan (output is verbose)
sudo chkrootkit

Run an rkhunter system scan
sudo rkhunter --check

The rkhunter log file is located at /var/log/rkhunter.log

If a rootkit infection is found, isolate the system from the network immediately and investigate thoroughly. The most reliable removal method is often a full system reinstall from known-good media.

Detection Commands (Windows): On Windows, booting into Safe Mode can prevent the rootkit from activating. Once in Safe Mode, use specialized tools like Kaspersky TDSSKiller or Malwarebytes Anti-Rootkit Beta to scan for and remove the infection. For persistent kernel-level rootkits, consider using the Windows Assessment and Deployment Kit (Windows ADK) to boot from external media and scan the offline system drive.

3. Botnet Identification and Mitigation

What this is: A botnet is a network of compromised computers (bots) controlled remotely by an attacker (bot herder). Botnets are frequently used to launch large-scale DDoS attacks, send spam, and steal data. The Mirai botnet, which emerged in 2016, famously targets IoT devices running Linux.

Detection Commands (Linux): Identifying anomalous network connections is key to spotting botnet activity. The following commands can help reveal suspicious outbound connections or listening ports.

 List all listening ports and established connections with process info
sudo netstat -tulnp

An alternative, faster command (socket statistics)
sudo ss -tulnp

List all network connections and the programs using them
sudo lsof -i -P -n

Look for connections to known malicious IPs or unusual outbound traffic on non-standard ports. Use `iptables` to immediately block a suspected malicious IP address:

 Block an IP address (replace X.X.X.X with the IP)
sudo iptables -A INPUT -s X.X.X.X -j DROP
sudo iptables -A OUTPUT -d X.X.X.X -j DROP

Mitigation: Harden IoT devices by changing default credentials, disabling unnecessary services (like Telnet), and keeping firmware updated. Implement network segmentation to isolate IoT devices from critical systems.

4. DDoS Mitigation with iptables

What this is: A Distributed Denial-of-Service (DDoS) attack aims to make an online service unavailable by overwhelming it with traffic from multiple compromised devices. While no single tool can stop a large-scale DDoS, a properly configured firewall can mitigate small-to-medium attacks and buy time for upstream mitigation.

Step-by-step iptables hardening tutorial: These rules can be applied on a Linux server to mitigate various flood attacks. Always test these rules in a lab environment first.

Step 1: Set default policies to DROP.

sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

Step 2: Allow loopback and established connections.

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Step 3: Rate-limit new connections to prevent SYN floods.

 Limit new TCP connections to 10 per second per source IP
sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 10/second --limit-burst 20 -j ACCEPT

Protect SSH (port 22) with a stricter limit
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 3/minute --limit-burst 5 -j ACCEPT

Step 4: Block common flood attacks.

 Block ping floods (ICMP echo requests)
sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

Block port scans (PSD module)
sudo iptables -A INPUT -m psd --psd-weight-threshold 21 -j DROP

Step 5: Save the rules.

 For Debian/Ubuntu
sudo apt install iptables-persistent -y
sudo netfilter-persistent save

For RHEL/CentOS
sudo service iptables save

5. Preventing IP Spoofing with Reverse Path Filtering

What this is: IP spoofing involves forging the source IP address in network packets to impersonate a trusted system or conceal the attacker’s identity. The Linux kernel provides a built-in defense mechanism called reverse path filtering (rp_filter). It checks if a received packet’s source IP is reachable via the same interface it arrived on; if not, the packet is dropped, preventing many spoofing-based attacks.

How to enable and verify rp_filter: Reverse path filtering is a lightweight, kernel-level defense that blocks spoofed traffic before it consumes firewall resources.

Step 1: Check the current `rp_filter` status. 0 = disabled, 1 = strict mode, 2 = loose mode (recommended for multi-homed systems).

sysctl net.ipv4.conf.all.rp_filter

Step 2: Enable it temporarily.

sudo sysctl -w net.ipv4.conf.all.rp_filter=1

Step 3: Make the change permanent. Add the following lines to /etc/sysctl.conf:

net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

Step 4: Apply the changes.

sudo sysctl -p

6. DNS Spoofing and DNSSEC Hardening

What this is: DNS spoofing (or DNS cache poisoning) manipulates DNS responses to redirect users from legitimate websites to malicious ones, often for phishing or malware distribution. Attackers can use tools like `ettercap` with a custom DNS record file to poison a victim’s DNS cache.

How to defend with DNSSEC: The Domain Name System Security Extensions (DNSSEC) cryptographically signs DNS records, allowing resolvers to verify their authenticity and integrity, thus preventing spoofed responses from being accepted.

Step-by-step DNSSEC validation (using dig): You can test if DNSSEC validation is working on your resolver.

Step 1: Query a signed domain (e.g., sigfail.verteiltesysteme.net) with DNSSEC enabled. This site is designed to have a bad signature.

dig sigfail.verteiltesysteme.net +dnssec

Step 2: Check the response flags. A validating resolver should return a status of `SERVFAIL` for this query because the signature is invalid.

Step 3: Query a correctly signed domain (e.g., dnssec.works).

dig dnssec.works +dnssec

Step 4: Look for the `ad` (Authentic Data) flag in the response. Its presence indicates that the resolver validated the response and it is authentic.

Hardening Actions:

  • Enable DNSSEC validation on your recursive DNS resolvers (like BIND or Unbound).
  • Sign your own zones with DNSSEC if you manage a domain.
  • Keep DNS software updated to protect against known vulnerabilities.

What Undercode Say:

  • Key Takeaway 1: Proactive defense is far more effective than reactive detection. Understanding the underlying protocols like ARP, DNS, and IP is crucial for building defenses that stop attacks at the kernel or network level before they can cause harm.
  • Key Takeaway 2: No single security tool is a silver bullet. A layered security approach, combining application-layer encryption (HTTPS, SSH), network-layer validation (rp_filter, DNSSEC), and endpoint detection (rkhunter, netstat), creates a robust defense-in-depth posture.

Prediction:

The future of network attacks will see a continued rise in AI-driven, polymorphic threats that can adapt in real-time to evade detection. Simultaneously, the proliferation of IoT and 5G will dramatically increase the attack surface, leading to larger and more sophisticated DDoS botnets. Consequently, the industry will shift toward “Zero Trust Network Access” (ZTNA) and AI-powered security orchestration and automated response (SOAR) platforms that can autonomously identify and mitigate novel attack patterns without human intervention.

▶️ Related Video (78% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Mohamed Abdelgadr – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky