Network Threats and Protections

Jun 16, 2025

Overview

This lecture covers common network threats such as rogue DHCP servers, rogue access points, and on-path attacks, along with methods to detect and protect against them.

DHCP Vulnerabilities and Protection

  • DHCP (Dynamic Host Configuration Protocol) automatically assigns IP addresses and network configuration to devices.
  • DHCP lacks built-in security; any device can respond to DHCP requests.
  • Rogue DHCP servers can assign duplicate or invalid IP addresses, disrupting network communication.
  • DHCP snooping on enterprise switches only allows DHCP responses from authorized servers.
  • Microsoft Active Directory can require DHCP servers to be authorized in the directory before they hand out addresses.
  • Removing rogue DHCP servers and renewing network IP addresses restores legitimate network access.
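The DHCP snooping rule from the bullets above, modelled as an added example (not part of the lecture): a DHCP server message (OFFER, ACK or NAK, recognized from the BOOTP op field and option 53) is forwarded only if it arrives on a switch port marked trusted; the port names, addresses and packets are constructed for the demo.

```python
import struct
from ipaddress import IPv4Address

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
SERVER_MSG_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}   # messages only a server should send

def build_dhcp(op, msg_type, xid, yiaddr="0.0.0.0", server_ip=None):
    """Constructed DHCP packet (236-byte BOOTP header + magic cookie + options)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                      b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_ip:   # option 54 identifies the server that made the offer
        opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])

def parse_options(data):
    """Walk the TLV option list after the magic cookie (PAD has no length, END stops)."""
    opts, i = {}, 0
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            break   # truncated option: code present but no length byte
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def snoop(frame, ingress_port, trusted_ports):
    """DHCP snooping decision for one frame: returns ('forward'|'drop', reason)."""
    if len(frame) < 240 or frame[236:240] != MAGIC_COOKIE:
        return ("forward", "not DHCP")          # outside this filter's scope
    opts = parse_options(frame[240:])
    msg_type = (opts.get(OPT_MSG_TYPE) or b"\0")[0]
    if frame[0] == BOOTREQUEST and msg_type not in SERVER_MSG_TYPES:
        return ("forward", f"client message type {msg_type}")   # clients may use any port
    if ingress_port in trusted_ports:
        return ("forward", f"server {SERVER_MSG_TYPES.get(msg_type, 'reply')} on trusted port")
    server_id = str(IPv4Address(opts[OPT_SERVER_ID])) if OPT_SERVER_ID in opts else "unknown"
    return ("drop", f"rogue {SERVER_MSG_TYPES.get(msg_type, 'reply')} from {server_id} on {ingress_port}")

if __name__ == "__main__":   # constructed traffic: a legitimate offer and a rogue one
    trusted = {"Gi1/0/1"}    # the uplink toward the authorized DHCP server
    legit = build_dhcp(BOOTREPLY, 2, 0x1234, "10.0.0.50", "10.0.0.1")
    rogue = build_dhcp(BOOTREPLY, 2, 0x1234, "192.168.1.20", "192.168.1.1")
    print(snoop(legit, "Gi1/0/1", trusted), snoop(rogue, "Gi1/0/9", trusted))
```

Real switches add further checks on untrusted ports (for example matching the client MAC in the frame against the BOOTP chaddr field), which this model omits.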

Rogue Access Points and Wireless Threats

  • Rogue access points are unauthorized Wi-Fi devices connected to the network, sometimes installed innocently by users.
  • These can create security risks by enabling unauthorized network access.
  • Devices with wireless sharing (hotspot) features, such as a laptop or phone, can turn themselves into access points on the wired network.
  • Network scans and wireless analyzers can help detect unauthorized access points.
  • 802.1X (Network Access Control) requires authentication before network access, preventing unauthorized access points from joining the network.

Wireless Evil Twin and On-Path Attacks

  • A wireless evil twin mimics legitimate access points to trick users into connecting.
  • Evil twins may use similar SSIDs, security settings, or captive portals, and often have higher signal strength.
  • Encrypted traffic (VPN or HTTPS) reduces the risk if you connect to an evil twin.
  • Evil twins enable on-path (man-in-the-middle) attacks, intercepting and possibly altering communications between devices.
  • Other on-path attacks include ARP poisoning, session hijacking, and Wi-Fi eavesdropping.
  • Encrypting all network traffic helps protect against on-path attacks.

Key Terms & Definitions

  • DHCP (Dynamic Host Configuration Protocol) — Protocol that assigns IP addresses and network information to devices automatically.
  • Rogue DHCP Server — Unauthorized server assigning incorrect or duplicate network settings.
  • DHCP Snooping — Security feature that blocks DHCP responses from unauthorized servers.
  • Rogue Access Point — Unauthorized wireless device providing network access.
  • 802.1X / Network Access Control — Authentication method restricting network access to authorized users/devices.
  • Wireless Evil Twin — Malicious access point imitating a legitimate one to intercept traffic.
  • On-Path (Man-in-the-Middle) Attack — Attacker secretly intercepts or changes communications between two parties.
  • ARP Poisoning — On-path attack method that sends forged ARP replies so devices associate an IP address with the attacker's MAC address.

Action Items / Next Steps

  • Regularly scan for rogue DHCP servers and access points.
  • Enable DHCP snooping and 802.1X on network devices.
  • Always use VPN or HTTPS to encrypt network traffic, especially on public or unknown Wi-Fi networks.