Network Attacks & Detection
DoS, Spoofing, MITM - From Attack Understanding to SOC Detection
WRAP Module - Extends Threats Training
Network-Layer Attacks: SOC Perspective
While the Threats Training in Shield House teaches you about malware and social engineering, this module focuses specifically on network protocol attacks that SOC analysts must detect through traffic analysis.
DoS/DDoS
Denial of Service
Spoofing
IP/MAC/DNS
MITM
Man-in-the-Middle
Hijacking
Session/Route
Prerequisite: Threats & Malware Training
This module extends the threats training with network-specific detection. For malware analysis, see the Shield House module.
Threats & Malware Training
Attack vs. Detection: The SOC View
| Attack | What Attacker Does | What SOC Sees |
|---|---|---|
| SYN Flood | Sends thousands of SYN packets, never completes handshake | High SYN count, low ESTABLISHED ratio, firewall drops spike |
| ARP Spoofing | Sends fake ARP replies to associate their MAC with gateway IP | Multiple MACs claiming same IP, ARP table changes, duplicate IP alerts |
| DNS Poisoning | Injects false DNS responses to redirect traffic | Unusual DNS responses, TTL anomalies, DNS to non-standard IPs |
| MITM | Intercepts and potentially modifies traffic between two parties | Certificate warnings, ARP anomalies, latency increases |
Network Attack Catalog
Detailed breakdown of each attack type with SOC detection indicators.
SYN Flood Attack
T1499.001Attacker sends massive SYN packets to exhaust server's connection table. Server allocates resources waiting for ACK that never comes.
SOC Detection
- Monitor
netstat -an | grep SYN_RECV - Alert on >500 half-open connections
- Check firewall for SYN packet drops
- Enable SYN cookies on server
UDP Flood Attack
T1499.001Overwhelms target with UDP packets. Server wastes resources responding with ICMP "Destination Unreachable" for closed ports.
SOC Detection
- NetFlow: High UDP packet count
- ICMP unreachable rate increase
- Bandwidth utilization spike
- Packets to random high ports
ARP Spoofing
T1557.002Attacker sends falsified ARP messages to link their MAC address with victim's IP, intercepting traffic meant for the gateway.
SOC Detection
- Duplicate IP detection on switches
- ARP table change alerts
- Static ARP entries for critical hosts
- DAI (Dynamic ARP Inspection)
DNS Cache Poisoning
T1557.001Attacker corrupts DNS cache with false records, redirecting users to malicious sites when they query legitimate domains.
SOC Detection
- Monitor DNS responses for known-bad IPs
- DNSSEC validation failures
- Unusual DNS TTL values
- DNS queries to non-corporate resolvers
Man-in-the-Middle
T1557Attacker secretly relays and potentially alters communication between two parties who believe they're directly communicating.
SOC Detection
- Certificate pinning violations
- Unexpected certificate changes
- HSTS bypass attempts
- Increased network latency patterns
IP Spoofing
T1090Attacker forges source IP address in packets to hide identity, bypass filters, or launch reflection attacks.
SOC Detection
- Ingress/egress filtering (BCP38)
- Packets from internal IPs on external interface
- Impossible source addresses (RFC 1918 from WAN)
- Reverse path forwarding (RPF)
Attack Simulation Lab
Visualize how network attacks work and what indicators they generate.
Network Attack Simulator
Detection Signatures
Snort/Suricata rules for detecting these attacks:
# SYN Flood Detection alert tcp any any -> $HOME_NET any (flags:S; threshold:type threshold, track by_src, count 100, seconds 10; msg:"Possible SYN Flood"; sid:1000001;) # ARP Spoofing Detection alert arp any any -> any any (msg:"ARP spoof attempt"; arp.opcode:2; threshold:type threshold, track by_src, count 5, seconds 1; sid:1000002;) # DNS Amplification alert udp any 53 -> $HOME_NET any (msg:"Large DNS Response - Possible Amplification"; dsize:>512; sid:1000003;)
Network Attacks Assessment
Test your ability to identify and detect network-layer attacks.