DEV Community

TiltedLunar123
TiltedLunar123

Posted on

Where is the attacker standing? The question that sorts on-path and DNS attacks on Security+

Most people study the Security+ interception attacks as a vocabulary list. ARP poisoning. On-path. Evil twin. DNS poisoning. Domain hijacking. Replay. Six flashcards, six definitions. Then the exam hands you a scenario with none of those words in it and you freeze.

There is a faster way in. Almost every one of these attacks breaks the same quiet assumption you make every time you open a browser: that you are talking straight to the site you meant to reach, over a line only the two of you can read. Attackers break that assumption in two places. They either get in the middle of the conversation, or they change where the conversation goes. Sort the attack into one of those two buckets and the mitigation almost writes itself.

Bucket one: get in the middle

An on-path attack puts the attacker between two parties who both think they are talking directly. The exam retired the old "man-in-the-middle" name, but the idea is the same. The attacker relays the traffic, so nothing looks broken, and can read or quietly alter what passes through.

The real question the exam cares about is a different one. How did they get in the middle? On a local network the usual answer is ARP poisoning. ARP has no authentication built in, so an attacker can send spoofed replies claiming the gateway's IP belongs to their MAC address. Your machine believes it and starts handing every outbound packet to the attacker, who forwards it on. You never see a thing.

On wireless the usual answer is an evil twin: a rogue access point broadcasting the same network name as the real one, so your phone connects to it and every request flows through the attacker's hardware.

The fix is the same in both cases. You cannot always stop someone from sitting in the path, so you make the path useless to them. Encryption turns the relayed traffic into noise. Certificate validation means a substituted server cannot prove it is your bank. On the LAN, dynamic ARP inspection throws out the forged replies before they land. Assume the wire is hostile and protect the data riding on it.

Bucket two: change where you go

The second family never touches your traffic in transit. It poisons the map instead, so you walk to the attacker's address believing it is the real one.

DNS poisoning, also called cache poisoning, corrupts the answer to "what IP is this hostname?" Slip a bad record into a resolver's cache and every user it serves gets sent to the wrong server while typing the correct address. Nothing on their end looks off.

Domain hijacking works one level up. Instead of poisoning a single lookup, the attacker takes over the domain's registrar account, often through a phished login or a reused password, and repoints the whole domain wherever they want. This is why a registrar account deserves MFA and a registrar lock as much as any production server does.

Typosquatting is the low-tech cousin. Register a look-alike domain, the classic single-letter swap or a .co where people expect .com, then wait for fat fingers.

The fix here is about trusting the map. DNSSEC signs DNS records so a resolver can spot a forged answer. Hardened, MFA-protected registrar accounts keep the domain itself out of an attacker's hands. And the human control never expires: look at where a link actually goes before you trust it.

The one that is really about time

Replay does not fit either bucket, and the exam likes it for exactly that reason. The attacker captures something valid, say an authentication token or a session cookie, then simply sends it again later. Nothing is forged. It was real the first time.

Which is why the fix is a timing problem, not a secrecy problem. Give each exchange a one-time value. A nonce. A timestamp. A session token that dies the moment it is used. The captured copy is stale, so the replay bounces off.

The exam-day decoder

The stem will describe a symptom and hide the term. Read for where the attacker is standing.

Traffic on the LAN routing through an unexpected host? On-path, and ARP poisoning is how it got there. Users typing the right URL and landing on a convincing fake? A redirection attack, either DNS poisoning or a hijacked domain depending on whether one resolver moved or the whole domain did. Captured credentials that worked on a second submission with nothing decrypted? Replay.

Then say which assumption broke. In the middle means protect the data, so you encrypt it and validate the certificate. Wrong destination means protect the map, so you sign records with DNSSEC and lock the registrar behind MFA. Reused means kill the reuse with a one-time token.

I built this same where-is-the-attacker drill into the practice questions at secplusmastery.com, because the scenarios are where these blur together, not the definitions. If you want to see which attack families you actually mix up under exam wording, the free diagnostic at secplusmastery.com/diagnostic is a fast read on where you stand.

Study the scenario, name the place the attacker is standing, and these stop being six flashcards and start being two questions.

Top comments (0)