Back to all articles
Network SecurityCybersecurityDDoSPhishingDefense in Depth

Network Security Basics: Common Attacks and How to Defend Against Them

Chris VanceMay 25, 2024

Security is one of those topics where the more you learn, the more you realize how much there is to know. It can feel overwhelming. But the important thing to understand is that the vast majority of attacks — even sophisticated-sounding ones — exploit a relatively small number of fundamental weaknesses. And defending against those weaknesses is largely a matter of following well-understood best practices.

This isn't a guide for security professionals or penetration testers. This is a grounded, honest overview of the attacks that actually happen in the real world, why they work, and what you can do about them. Think of it as building a mental model for network security — not a comprehensive technical manual.

The Attacker's Mindset

Before looking at specific attacks, it helps to understand how attackers generally think. They're not usually looking to specifically target you (unless you're a high-value individual or organization). Most attacks are opportunistic — automated tools scanning the internet for vulnerable systems, looking for low-hanging fruit. The attackers are often more interested in easy wins than in specifically going after one particular target.

This is actually somewhat reassuring. It means that basic, well-implemented security measures — patching software, using strong passwords, enabling MFA — dramatically reduce your attack surface because most automated scanners will move on to easier targets.

Man-in-the-Middle (MitM) Attacks

In a man-in-the-middle attack, an attacker secretly positions themselves between two communicating parties — intercepting, and potentially modifying, the communication without either party knowing.

How it works: In a classic WiFi-based MitM attack, an attacker creates a fake WiFi hotspot with a name similar to a legitimate one ("Coffee_Shop_Free_Wifi" vs "CoffeeShopFreeWifi"). When a victim connects, all their traffic flows through the attacker's device. The attacker can read unencrypted traffic, potentially modify it, and log credentials.

On a wired network, ARP poisoning is a common MitM technique. ARP maps IP addresses to MAC addresses. An attacker can send fake ARP messages telling devices that the attacker's MAC address is associated with the router's IP address. Traffic intended for the router flows to the attacker instead.

Defense:

  • Use HTTPS for all web traffic (the padlock matters)
  • Be skeptical of public WiFi networks — use a VPN on untrusted networks
  • Look for certificate warnings — if a site usually has a valid certificate and suddenly shows a warning, be suspicious
  • On enterprise networks, use dynamic ARP inspection (a switch-level security feature that validates ARP messages)

    • Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks

    A DoS attack aims to make a service unavailable by overwhelming it with traffic or exploiting a vulnerability that crashes the service. A DDoS is the same thing but uses many distributed sources.

    How it works: In a volumetric DDoS, attackers (usually controlling a botnet — thousands of compromised computers) all simultaneously send traffic to the target. The target's network connection and servers get overwhelmed. The most massive DDoS attacks can generate hundreds of gigabits per second of traffic — no single server or connection can withstand that volume.

    Protocol attacks (like SYN floods, discussed in the TCP article) exploit weaknesses in protocols rather than just sending huge volumes. Amplification attacks abuse UDP protocols (like DNS or NTP) where a small request generates a large response, sending that large response to the victim's IP.

    Defense:

  • Use a DDoS protection service (Cloudflare, AWS Shield, Akamai, etc.) — these services absorb attacks by having massive bandwidth capacity and sophisticated traffic filtering
  • Configure rate limiting at the network perimeter
  • For SYN floods specifically, enable SYN cookies on servers
  • Work with your ISP — they can often filter attack traffic upstream

    • Port Scanning and Reconnaissance

    Attackers don't usually attack blindly. They first study their target — a process called reconnaissance. Port scanning is a key reconnaissance technique.

    How it works: Tools like Nmap send packets to a target's IP address on many different ports and analyze the responses to determine which ports are open (and therefore which services are running). An open SSH port (22) tells an attacker there's a remote access service. An open database port (3306 for MySQL) that shouldn't be public-facing is a red flag and an attractive target.

    Defense:

  • Close all ports that don't need to be publicly accessible. Firewalls should default-deny all inbound traffic and only allow specific necessary services.
  • Change default port numbers for sensitive services (run SSH on port 2222 instead of 22, for example) — this is "security through obscurity" and not sufficient on its own, but it does reduce automated scanning hits
  • Use port knocking for very sensitive services — require a secret sequence of connection attempts before a port opens
  • Monitor for port scanning with intrusion detection systems

    • Password Attacks

    Many network services require authentication. Attackers know this and target authentication systems.

    Brute force: Try every possible password combination. Computationally expensive for long passwords, but highly effective against short or simple ones. Modern brute-force rigs using GPUs can try billions of password attempts per second against offline hash databases.

    Dictionary attacks: Use lists of common passwords and variations. Most people use predictable passwords, and dictionary attacks are devastatingly effective against them.

    Credential stuffing: Use lists of username/password pairs leaked from other data breaches. Because people reuse passwords across sites, credentials from a breach at one site work on others.

    Defense:

  • Use strong, unique passwords for every service (a password manager makes this feasible)
  • Enable Multi-Factor Authentication (MFA) — even if an attacker has your password, they need the second factor
  • Implement account lockout policies (lock an account after N failed attempts)
  • Use CAPTCHA on login pages to slow automated attacks
  • Monitor authentication logs for unusual patterns (many failed attempts, logins from unusual locations)

    • SQL Injection

    This is one of the most common application-level attacks and it exploits poor coding practices rather than network-level weaknesses.

    How it works: Many web applications take user input (like a login form) and use it to construct a database query. Poorly written code doesn't properly sanitize this input. An attacker enters SQL code instead of a normal username, and the database executes it.

    Classic example: A login form that checks `SELECT * FROM users WHERE username='[input]' AND password='[input]'`. An attacker enters the username `' OR '1'='1` which turns the query into `SELECT * FROM users WHERE username='' OR '1'='1' AND password='...'`. Since `'1'='1'` is always true, the query returns all users, and the attacker is logged in.

    SQL injection can extract entire databases, modify data, delete records, and sometimes even execute commands on the server's operating system.

    Defense:

  • Use **parameterized queries** (prepared statements) — the correct way to build database queries that prevents SQL injection entirely
  • Input validation — validate and sanitize all user input
  • Principle of least privilege — database accounts used by applications should have only the permissions they need, nothing more
  • Web Application Firewalls (WAFs) can detect and block common SQL injection patterns

    • Cross-Site Scripting (XSS)

    Another application-level attack that's useful to understand.

    How it works: XSS occurs when an attacker injects malicious JavaScript into a web page that's then executed by other users' browsers. If a site allows user-submitted content (comments, profiles) and displays it without sanitization, an attacker can submit content containing `<script>malicious code here</script>`. When other users view the page, their browsers execute that code — which can steal session cookies, redirect users to malicious sites, or perform actions on behalf of the victim.

    Defense:

  • Output encoding — when displaying user-submitted content, encode characters like `<` and `>` so they're displayed as text rather than interpreted as HTML
  • Content Security Policy (CSP) headers — tell browsers which scripts are allowed to run, blocking injected scripts
  • Input validation and sanitization

    • Phishing and Social Engineering

    Technically not a "network" attack, but arguably the most effective attack in practice because it bypasses all technical controls by targeting the human.

    How it works: An attacker sends an email, text message, or other communication that appears to come from a trusted source (your bank, your company's IT department, a government agency) and tricks the recipient into revealing credentials, clicking a malicious link, or installing malware.

    No firewall or intrusion detection system catches a user who's been fooled into willingly handing over their password on a fake bank website. The technical controls are all bypassed.

    Defense:

  • Security awareness training — teach users to recognize phishing attempts
  • Email authentication (SPF, DKIM, DMARC) — these DNS-based email security standards make it harder to spoof sender addresses
  • URL filtering — web proxies that block known malicious sites
  • MFA — even if credentials are phished, MFA prevents account takeover in most cases
  • Verify requests through a different channel — if an "IT department" email asks for your password, call IT to verify

    • Defense in Depth: The Security Philosophy

    The most important concept in network security is defense in depth — using multiple layers of security controls so that if any one layer fails, others remain.

    A good security posture doesn't rely on a single firewall. It has firewalls, plus endpoint security, plus MFA, plus network monitoring, plus user training, plus incident response plans. Each layer assumes other layers might fail and provides an additional line of defense.

    No security is perfect. Breaches happen to even well-defended organizations. The goal is to make attacks hard enough and expensive enough that opportunistic attackers move on, and sophisticated targeted attacks take long enough to detect and respond to.

    The Most Important Practical Steps

    If you're an individual:

  • Use a password manager and unique passwords for everything
  • Enable MFA on every account that offers it, especially email and financial accounts
  • Keep software updated (most successful attacks exploit known, patched vulnerabilities)
  • Be skeptical of unsolicited communications asking for information or action

    • If you manage a network:

  • Default-deny firewall posture
  • Regular patch management
  • Network monitoring and alerting
  • Principle of least privilege
  • User security training
  • Incident response plan

    • Security isn't a product you buy or a state you achieve. It's an ongoing process. But the fundamentals — patching, strong authentication, encryption in transit, least privilege, monitoring — get you most of the way there and protect against the vast majority of attacks that happen in the real world.