Information Security 9 min read

Understanding TCP/IP Layers and Common Network Attacks: ARP, DoS, DNS

This article explains how increasing network attacks exploit vulnerabilities across TCP/IP layers, detailing ARP spoofing, DoS techniques, and DNS hijacking, while outlining detection methods and defensive measures to protect information security.


According to the 2020 Chinese Internet security monitoring report, malicious program control servers and DDoS attacks are on the rise, making network attacks a major factor affecting information and business security.

Network attacks exploit vulnerabilities in network systems; the TCP/IP protocol suite was not designed with modern threats in mind, which has left room for many attack methods. Capturing and decoding packets automatically lets defenders detect and trace such attacks quickly.

TCP/IP Protocol

The TCP/IP stack is divided into four layers: link, network, transport, and application. The link layer handles transmission over physical media; the network layer uses IP for routing and congestion control; the transport layer provides end‑to‑end communication via TCP and UDP; the application layer includes protocols such as FTP, HTTP, and DNS.

Because each layer has distinct functions and protocols, attacks differ per layer: link‑layer attacks target hardware and routing; network‑layer attacks include IP fragmentation and ARP spoofing; transport‑layer attacks include DoS; application‑layer attacks are numerous, e.g., DNS spoofing.

ARP Attack

ARP resolves IP addresses to MAC addresses, and each host keeps the results in an ARP cache. In ARP spoofing (ARP poisoning), an attacker sends a stream of forged ARP replies that pair a forged MAC address with another host's IP address; hosts that accept them store the bogus mapping, which can interrupt connectivity or place the attacker in a man-in-the-middle position.

Although ARP attacks are cheap to mount and confined to the local Ethernet segment, they can cause network outages, bandwidth throttling, or credential theft. Defenses include port mirroring on switches (to monitor ARP traffic), DHCP snooping, IP source guard, and other security measures.
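Monitoring for poisoning means decoding ARP replies off a mirrored port and flagging any IP address that suddenly answers from a different MAC. The detector below is an added example, not code from the article; the frames, MAC and IP addresses are constructed test data, and `trusted` is a hypothetical static table of known bindings.

```python
import struct

# Ethernet header: dst MAC (6), src MAC (6), EtherType (2); 0x0806 is ARP.
ETH = struct.Struct("!6s6sH")
# ARP body for Ethernet/IPv4: htype, ptype, hlen, plen, oper,
# sender MAC, sender IP, target MAC, target IP (28 bytes).
ARP = struct.Struct("!HHBBH6s4s6s4s")
ARP_REPLY = 2

def decode_arp(frame):
    """Return (oper, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < ETH.size + ARP.size or ETH.unpack_from(frame)[2] != 0x0806:
        return None
    htype, ptype, hlen, plen, oper, smac, sip, _, _ = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, ":".join(f"{b:02x}" for b in smac), ".".join(map(str, sip))

def arp_reply(smac, sip, tmac, tip):
    """Build an ARP reply frame from raw bytes (used here only to construct test data)."""
    return ETH.pack(tmac, smac, 0x0806) + ARP.pack(1, 0x0800, 6, 4, ARP_REPLY, smac, sip, tmac, tip)

def detect_poisoning(frames, trusted=None):
    """Flag every ARP reply whose sender IP maps to a MAC that contradicts the binding
    learned earlier (or a statically trusted one). Returns (ip, expected_mac, seen_mac)."""
    bindings = dict(trusted or {})   # hypothetical static table, e.g. the gateway
    alerts = []
    for frame in frames:
        decoded = decode_arp(frame)
        if decoded is None or decoded[0] != ARP_REPLY:
            continue                 # non-ARP traffic and ARP requests are ignored
        _, mac, ip = decoded
        expected = bindings.setdefault(ip, mac)   # first sighting becomes the baseline
        if expected != mac:
            alerts.append((ip, expected, mac))
    return alerts

# Constructed sample traffic: the real gateway answers, then a second host
# claims the gateway's IP with its own MAC (the poisoning attempt).
GATEWAY_MAC = bytes.fromhex("001122334455")
ROGUE_MAC = bytes.fromhex("66778899aabb")
VICTIM_MAC = bytes.fromhex("ccddeeff0011")
GATEWAY_IP = bytes([192, 168, 1, 1])
VICTIM_IP = bytes([192, 168, 1, 10])
SAMPLE_FRAMES = [
    arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    arp_reply(ROGUE_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    b"not an arp frame",
]
```

Running `detect_poisoning(SAMPLE_FRAMES)` yields one alert for 192.168.1.1, the gateway IP being re-claimed by the rogue MAC; in a real deployment the frames would come from a mirrored switch port rather than a constructed list.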

DoS Attack

TCP establishes connections via a three-way handshake (SYN, SYN-ACK, ACK). DoS attacks aim to make hosts or networks unable to process legitimate requests by flooding them with useless traffic, exploiting repeated connection attempts, or abusing protocol flaws to exhaust resources.

Common DoS methods include SYN flood, where attackers spoof source IPs and send many SYN packets, leaving the target with half‑open connections until resources are exhausted. Mitigations involve traffic filtering, SYN timeout reduction, and SYN cookies.

DNS Attack

DNS translates domain names to IP addresses. DNS attacks include domain hijacking, where DNS records are altered to redirect users, and DNS poisoning, where forged responses provide incorrect IPs.

Defending against these attacks involves strong security awareness, firewall hardening, and packet analysis to detect anomalies, using tools that can automatically analyze suspicious packets and generate alerts.

Written by Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
