CompTIA Network+ (N10-008): Compare and Contrast Common Types of Attacks
1. Introduction: Why Network Professionals Need to Recognize Attacks
If you touch networks, you touch security. That is true whether your title says help desk, network admin, NOC analyst, or security engineer. Network+ expects you to compare and contrast attack types because attacks do not stay in one neat bucket. They can hit users, protocols, wireless networks, applications, identities, and endpoints — basically, just about anything that’s connected and worth protecting.
Honestly, the easiest way I’ve found to keep all this straight is to anchor every attack to the CIA triad.
- Confidentiality: data exposure, credential theft, spyware, sniffing
- Integrity: tampering, spoofing, poisoning, unauthorized changes
- Availability: DoS, DDoS, ransomware, deauthentication, lockouts
And yeah, it’s really worth keeping these terms straight:
- Threat: something that could cause harm
- Vulnerability: a weakness
- Exploit: a method used to abuse that weakness
- Risk: likelihood plus impact
- Attack vector: the path used to reach the target
- Payload: the harmful action after delivery
One more exam tip: some attacks overlap. An evil twin can enable MITM and credential theft. ARP poisoning can be the technique that creates MITM. Phishing can deliver malware. That overlap is normal. Your job is to identify the best label for the scenario and the best control for the symptom described.
2. A Practical Framework for Classifying Attacks
Do not memorize attacks as a flat list. Use a simple decision process:
- What is being targeted? Users, credentials, name resolution, wireless clients, web apps, or service availability?
- What is the clue? Wrong IP, duplicate SSID, many failed logins, encrypted files, certificate warning, heavy inbound traffic?
- What is the likely impact? Confidentiality, integrity, availability, or, because reality likes to be messy, some mix of all three?
- What control best fits? This is where I'd stop and ask which control actually matches the clue: MFA, segmentation, DAI, DNSSEC, a WAF, EDR, PMF, or, honestly, in some cases, just plain old rate limiting.
Here’s how I’d handle the exam: start with the most obvious symptom, figure out which attack family it’s pointing to, knock out the look-alike answers, and then pick the mitigation that actually fits the clue.
Common confusion pairs: DoS vs DDoS, phishing vs spear phishing, brute force vs password spraying, rogue AP vs evil twin, MITM vs replay, XSS vs CSRF, directory traversal vs RCE.
Reconnaissance tools note: port scanning, vulnerability scanning, and packet capture are dual-use. On the defender side, we use them for inventory, troubleshooting, baseline checks, and catching exposure early — preferably before it turns into a much bigger mess. Attackers use them for discovery. And packet capture isn’t automatically the same thing as sniffing. Sniffing means intercepting or eavesdropping on traffic, while packet capture can be a perfectly legitimate admin task when you’re troubleshooting.
3. Availability Attacks: DoS, DDoS, Botnets, and Amplification
DoS is a denial of service from one source or a small number of sources. DDoS is distributed, usually from many systems, often a botnet. If the question says traffic is coming from many geographic regions or many unrelated IPs, think DDoS.
For exam purposes, break DDoS into four useful patterns:
- Volumetric: raw bandwidth exhaustion, often large UDP floods
- Protocol/state exhaustion: consumes connection tables or handshake resources, such as SYN-flood behavior
- Application-layer: HTTP GET/POST floods or repeated expensive requests that pin the app, not necessarily the link
- Reflection/amplification: attacker spoofs the victim’s IP and abuses third-party services to reflect larger responses toward the victim; classic concepts include DNS or NTP amplification
The big clues I’d look for are:
- Bandwidth pinned at the edge: likely volumetric
- Firewall or load balancer session tables filling: likely protocol/state exhaustion
- Normal-looking HTTPS but high web CPU and repeated hits to one expensive page: likely Layer 7
- Lots of unsolicited replies from internet infrastructure the victim never queried: reflection or amplification clue
Botnet precision: a botnet is a group of compromised devices under centralized or decentralized control, including peer-to-peer models. They matter because they let an attacker spread the traffic across a pile of devices, which makes the flood a lot harder to stop. Botnet flooding is primarily an availability attack.
Mitigation: rate limiting, ACLs, resilient architecture, WAF for Layer 7, content distribution and traffic distribution techniques, upstream scrubbing, provider coordination, and traffic baselining. Distinguish this from preventing your own devices from becoming bots, which depends on patching, segmentation, EDR, and secure configuration.
Mini-scenario: A portal is slow only at the web tier. NetFlow shows many sources hitting /login, while the internet circuit is not saturated. That usually smells more like an application-layer DDoS than a straight-up bandwidth flood.
4. Interception Attacks: MITM, Replay, Eavesdropping, and Session Hijacking
CompTIA still uses MITM, though modern documentation often says on-path attack. Either way, the core idea’s the same: the attacker slips in between two endpoints and can watch the traffic, relay it, or even alter it while it’s moving.
MITM/on-path: often enabled by ARP spoofing on a LAN, rogue wireless infrastructure, proxy manipulation, or DNS manipulation. The clues are usually things like certificate warnings, a gateway MAC that suddenly changes, weird proxy settings, altered content, or traffic being sent somewhere it absolutely shouldn’t be. And just to be careful here, certificate warnings are clues, not proof — sometimes the problem is a bad config, not an attack.
Eavesdropping/sniffing: passive observation of traffic. It works especially well on shared wireless networks, and also anywhere people are still using unencrypted protocols like HTTP, Telnet, FTP, or SNMPv2c. On a switched wired LAN, passive sniffing usually won’t get you very far unless the attacker has traffic mirroring, compromised infrastructure, same-host capture, or something like ARP poisoning to make the traffic visible.
Replay: captured valid traffic is resent later. The giveaway is often a reused token, a duplicate request, or an approval that should’ve happened once — and only once — but somehow got replayed. Replay attacks work when a protocol can’t prove a message is new and not just an old copy being reused. That’s why nonces, timestamps, sequence numbers, and challenge-response checks matter so much.
Session hijacking: attacker takes over an authenticated session by stealing or abusing a session ID, cookie, or bearer token. Good clues are things like odd activity under a valid login, the same session appearing in two places, or a user getting kicked out after a token gets reused. Strong mitigations include HTTPS, session ID regeneration after login, short expiration, server-side invalidation, MFA, and cookie flags such as Secure, HttpOnly, and SameSite.
Exam shortcut: in the middle = MITM, listening only = eavesdropping, reusing old valid traffic = replay, stealing active auth state = session hijacking.
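To make the replay and session-hijacking mitigations concrete, here is an added example (not from the original guide) of a server-side replay guard: each request carries a nonce and a timestamp bound to the body by an HMAC, and the verifier rejects tampered, stale, and reused messages. The shared key, the 30-second freshness window and the request format are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Constructed shared secret for the example only; real systems provision one per client.
SHARED_KEY = b"example-shared-key-not-for-production"
MAX_SKEW_SECONDS = 30  # assumed freshness window


def _canonical(body: bytes, nonce: str, timestamp: int) -> bytes:
    # Everything the MAC covers; changing any field changes the MAC.
    return f"{timestamp}|{nonce}|".encode() + body


def sign_request(key: bytes, body: bytes, nonce: str, timestamp: int) -> Dict:
    """Client side: bind the body to a fresh nonce and a timestamp with an HMAC."""
    mac = hmac.new(key, _canonical(body, nonce, timestamp), hashlib.sha256).hexdigest()
    return {"body": body, "nonce": nonce, "timestamp": timestamp, "mac": mac}


class ReplayGuard:
    """Server side: accept a given nonce at most once, and only inside the freshness window."""

    def __init__(self, key: bytes, max_skew: int = MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen: Dict[str, int] = {}  # nonce -> timestamp, pruned once outside the window

    def _prune(self, now: int) -> None:
        # Nonces older than the window can be forgotten: the timestamp check rejects them anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}

    def verify(self, req: Dict, now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        # 1. Authenticity first: a forged or altered message fails regardless of freshness.
        expected = hmac.new(self.key, _canonical(req["body"], req["nonce"], req["timestamp"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["mac"]):
            return False, "bad mac"
        # 2. Freshness: outside the window means stale capture (or a badly skewed clock).
        if abs(now - req["timestamp"]) > self.max_skew:
            return False, "stale timestamp"
        # 3. Uniqueness: the same nonce inside the window is a replay.
        self._prune(now)
        if req["nonce"] in self.seen:
            return False, "replayed nonce"
        self.seen[req["nonce"]] = req["timestamp"]
        return True, "ok"


def demo() -> List[str]:
    """Walk through the four outcomes: first use, replay, tampering, stale capture."""
    guard = ReplayGuard(SHARED_KEY)
    now = 1_700_000_000
    body = b"transfer=100&to=acct42"  # constructed request body
    req = sign_request(SHARED_KEY, body, secrets.token_hex(16), now)
    results = [guard.verify(req, now)[1]]                       # ok
    results.append(guard.verify(req, now + 5)[1])               # replayed nonce
    tampered = dict(req, body=b"transfer=9999&to=acct42")
    results.append(guard.verify(tampered, now)[1])              # bad mac
    old = sign_request(SHARED_KEY, body, secrets.token_hex(16), now - 600)
    results.append(guard.verify(old, now)[1])                   # stale timestamp
    return results


if __name__ == "__main__":
    print(demo())
```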
5. Spoofing and Poisoning: IP, MAC, ARP, DNS, and Layer 2
Spoofing means pretending to be a different source or identity. Poisoning means corrupting a mapping or trust relationship that others rely on.
IP spoofing: forged source IPs. It’s useful in blind attacks and reflection or amplification, but there’s a big catch: spoofing a source IP doesn’t magically let the attacker receive the replies unless they control the path or are using a blind technique.
MAC spoofing: changing the MAC address presented on the local network. This can bypass weak MAC-based controls. Clues include duplicate MAC flaps, odd DHCP behavior, or a device appearing on different switch ports or VLAN contexts unexpectedly.
ARP spoofing/poisoning: often used interchangeably. The attacker sends forged ARP information so hosts map the gateway IP to the attacker’s MAC. That can redirect traffic and enable MITM. Key defense: Dynamic ARP Inspection, which depends on DHCP snooping and trusted or untrusted switch ports. If an exam question throws DAI and DHCP snooping together, that’s a pretty loud hint they’re talking about ARP poisoning.
DNS poisoning is broader than one technique. It can involve:
- Resolver cache poisoning: bad records inserted into recursive cache
- Client-side manipulation: altered hosts file, malicious DNS server setting, rogue DHCP, or local malware
- DNS spoofing in transit: forged responses, often assisted by MITM
Clues include a valid domain resolving to the wrong IP, different answers from different resolvers, strange TTL behavior, or certificate mismatches. To troubleshoot, compare the local cache, the configured resolver’s answer, and a known-good resolver or authoritative answer. Also rule out split-horizon DNS and stale cache before declaring an attack.
Related attacks worth knowing:
- Rogue DHCP: hands out malicious DNS or gateway settings
- DHCP starvation: tries to exhaust the lease pool
- MAC flooding / CAM table overflow: overwhelms switch MAC tables and can increase visibility of traffic
- VLAN hopping: a Layer 2 segmentation bypass concept
- Typosquatting: lookalike domain names that trick users
- Pharming: redirects users to malicious sites through DNS or host-level manipulation
6. Social Engineering and Credential Attacks
Phishing is broad and untargeted. Spear phishing is personalized. Whaling targets executives or finance leadership. Vishing is voice-based. Smishing is SMS-based. Watering hole attacks compromise a site the target group is likely to visit. Tailgating, shoulder surfing, and dumpster diving are physical and social attack patterns that bypass technical controls by abusing people and process.
The real defense here is operational discipline: user training, easy reporting, mail filtering, link inspection, callback procedures, payment verification, help desk identity checks, and out-of-band confirmation for sensitive requests. Caller ID, display names, and logos are not identity proof.
Credential attack compare/contrast:
- Brute force: many password guesses against one account or target set
- Dictionary: guesses from likely words or known password lists
- Password spraying: a small set of common passwords tried across many accounts over time to avoid lockout
- Credential stuffing: reused stolen username and password pairs from another breach
Operational clues: one account with many failures suggests brute force or dictionary; one common password attempted across many users suggests spraying; many successful logins with valid credentials from distributed IPs suggests credential stuffing. Online guessing against live services is different from offline cracking of stolen password hashes, where the attacker works against the hash file without triggering live login logs.
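The three operational clues above can be turned into simple detection logic. This is an added example, not part of the original guide: it parses constructed authentication log lines (the `src=`/`user=`/`result=` format, the thresholds and the known-good egress address are all assumptions) and flags the brute-force, spraying and stuffing patterns the paragraph describes.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed log format for this example only; real identity-platform logs differ.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Assumed known-good egress address (e.g. the office NAT); constructed value.
KNOWN_SOURCES = frozenset({"192.0.2.10"})


def build_sample_log() -> List[str]:
    """Constructed sample: one brute-force source, one spraying source, and six
    distributed sources each logging in successfully as a different user."""
    lines = [f"2024-05-01T08:00:{i:02d}Z src=203.0.113.5 user=alice result=FAIL" for i in range(12)]
    lines += [f"2024-05-01T08:01:{i:02d}Z src=203.0.113.9 user=u{i:02d} result=FAIL" for i in range(10)]
    for i, user in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"], start=1):
        lines.append(f"2024-05-01T08:02:{i:02d}Z src=198.51.100.{i} user={user} result=FAIL")
        lines.append(f"2024-05-01T08:02:{i + 10:02d}Z src=198.51.100.{i} user={user} result=OK")
    lines.append("2024-05-01T08:03:00Z src=192.0.2.10 user=alice result=OK")  # normal login
    return lines


def parse(lines: Iterable[str]) -> List[Dict[str, str]]:
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not match the constructed format are skipped
            events.append(m.groupdict())
    return events


def classify(events, brute_threshold=10, spray_min_users=8, spray_max_per_user=2,
             stuffing_min=5, known_sources=KNOWN_SOURCES) -> List[Tuple[str, str, str]]:
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    ok_pairs = set()                               # (user, src) with a successful login
    for ev in events:
        if ev["result"] == "FAIL":
            fails[ev["src"]][ev["user"]] += 1
        else:
            ok_pairs.add((ev["user"], ev["src"]))

    findings = []
    for src, per_user in fails.items():
        # Brute force / dictionary: one source hammering one account.
        for user, n in per_user.items():
            if n >= brute_threshold:
                findings.append(("brute_force_or_dictionary", src, user))
        # Spraying: one source, many accounts, very few tries each (stays under lockout).
        if len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
            findings.append(("password_spraying", src, f"{len(per_user)} accounts"))

    # Stuffing: successful logins for many accounts from many unfamiliar sources.
    unfamiliar = {(u, s) for u, s in ok_pairs if s not in known_sources}
    srcs = {s for _, s in unfamiliar}
    users = {u for u, _ in unfamiliar}
    if len(srcs) >= stuffing_min and len(users) >= stuffing_min:
        findings.append(("credential_stuffing_candidate", f"{len(srcs)} sources", f"{len(users)} accounts"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in classify(parse(build_sample_log())):
        print(finding)
```

A stuffing finding is only a candidate: confirming it still needs the second evidence source the page recommends, such as whether those users' credentials appear in a known breach dump.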
MFA fatigue is another real-world clue: repeated push prompts intended to wear down a user. A lot of the time, it shows up together with stolen passwords instead of replacing them.
Privilege escalation is best treated as access abuse, not just credential theft. Vertical escalation means moving from lower privilege to admin. Horizontal escalation means accessing another account or peer-level role. Think sudden group membership changes, use of admin tools from standard-user accounts, or access to resources outside the normal role. Also remember the insider threat: not every attack starts from outside.
Best controls: MFA, conditional access, smart lockout or progressive delay, password managers, monitoring, least privilege, and separation of duties. Straight-up aggressive lockout can actually be abused to cause denial of service, so smart lockout is usually the better choice.
7. Malware: What It Does Matters More Than the Label
For Network+, focus on behavior:
- Virus: attaches to a file or macro-enabled content and replicates when executed
- Worm: self-propagates across systems, often over the network
- Trojan: looks legitimate but hides malicious function; may install a backdoor
- Ransomware: encrypts data or locks systems; now often includes data theft for double extortion
- Spyware/keylogger: covert data collection, with keyloggers specifically capturing keystrokes
- Rootkit: hides malicious activity and persistence, potentially in user mode, kernel, boot, or firmware layers
- Logic bomb: triggers on a condition or schedule
- Botnet malware: enrolls the host into a larger controlled network
Ransomware deserves a little extra attention because, honestly, it shows up in real environments more often than most people want to admit. The usual ways in are phishing, exposed remote access services, unpatched systems, and stolen credentials: nothing glamorous, just the same weaknesses over and over. The usual sequence looks something like this: initial access, privilege escalation, lateral movement, finding file shares, going after backups, encryption, a ransom note, and sometimes data theft before the encryption even starts. Your first priorities should be isolating affected hosts, protecting file shares, stopping lateral movement, preserving evidence, confirming which backups are actually clean, and resetting exposed credentials in the right order.
Detection clues: EDR alerts, disabled security tools, unusual outbound command-and-control traffic, mass file rename activity, spikes in SMB access, scheduled task creation, or the same malicious behavior across many hosts. Rootkits can be stubborn enough that offline scanning — or, in some cases, a full rebuild — is the only sane answer. Worms often show rapid spread. Trojans often show deceptive installation followed by unexpected outbound traffic.
8. Wireless Attacks and Wireless Security Architecture
Rogue AP means unauthorized wireless infrastructure. It might be a consumer AP plugged into the office network. Evil twin means a fake AP impersonating a legitimate SSID to trick users into joining. An evil twin often pairs with captive portal deception, credential harvesting, or deauthentication to push users off the real network.
Deauthentication/disassociation attacks abuse management frames to knock clients off Wi‑Fi. This is most associated with legacy or unprotected management frames. Protected Management Frames (PMF, 802.11w) help mitigate this where supported.
Wireless exam precision:
- WPA2-Personal/WPA3-Personal use a pre-shared key; weak shared passphrases are the problem
- WPA2-Enterprise/WPA3-Enterprise use 802.1X with a RADIUS server for per-user or per-device authentication and are strong when properly configured
- WEP is deprecated and insecure
In an enterprise WLAN, 802.1X/EAP, RADIUS, certificate validation, PMF, WIDS/WIPS, and guest segmentation matter a whole lot more than just picking a decent password. RADIUS handles centralized AAA: authentication proves who you are, authorization decides what you’re allowed to do, and accounting keeps track of what happened.
Captive portal abuse is best treated as a scenario technique, not the main taxonomy label. It shows up a lot on open or guest networks. Mitigation comes down to user awareness, HTTPS and certificate validation, network segmentation, and not reusing real credentials on guest splash pages.
Troubleshooting clues: duplicate SSIDs and certificate prompts suggest evil twin; unknown BSSID tied to a switch port suggests rogue AP; repeated disconnects could be deauthentication, but could also be RF interference, poor coverage, roaming problems, or AP overload. So don’t jump to conclusions until you’ve checked the controller logs and looked at the RF context.
9. Application Attacks: SQL Injection, XSS, CSRF, Traversal, and RCE
SQL injection alters database queries through unsafe input handling. The primary defense is prepared statements/parameterized queries, with input validation and least-privilege database accounts as supporting controls.
XSS injects script into content viewed by other users. High-level variants are reflected, stored, and DOM-based. Clues include strange browser behavior, session theft, or malicious script tied to page content. Defenses: output encoding or context-aware escaping, CSP, input validation, and HttpOnly cookies.
CSRF tricks a logged-in browser into sending an unwanted authenticated request. The browser is already trusted, so the app accepts the action. Defenses: anti-CSRF tokens, SameSite cookies, reauthentication for sensitive actions, and proper request validation.
Directory traversal abuses path handling to reach files outside the intended directory, often through normalized path tricks such as ../ patterns. Think file exposure, configuration leaks, or access to sensitive system files.
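Here is an added example (not from the original guide) showing the naive path join that enables traversal next to a hardened resolver that decodes, normalizes and then proves the result still sits under the document root. The temporary directory layout and the request strings are constructed for the example.

```python
import os
import tempfile
import urllib.parse
from pathlib import Path
from typing import Dict


class TraversalAttempt(ValueError):
    """Raised when a requested path would leave the document root."""


def vulnerable_resolve(base: str, requested: str) -> str:
    """The naive pattern: join user input straight onto the document root.
    '../' segments (and absolute paths) walk out of base."""
    return os.path.join(base, requested)


def safe_resolve(base, requested: str) -> Path:
    """Hardened: decode once, normalize, then verify containment."""
    root = Path(base).resolve()
    decoded = urllib.parse.unquote(requested)  # %2e%2e -> .. (decode once only)
    if "\x00" in decoded:
        raise TraversalAttempt("NUL byte in path")
    # Treat backslashes as separators so Windows-style tricks normalize the same way.
    candidate = (root / decoded.replace("\\", "/")).resolve()
    try:
        # Containment check on the fully resolved path (also rejects absolute paths,
        # which pathlib would otherwise let replace the root entirely).
        candidate.relative_to(root)
    except ValueError:
        raise TraversalAttempt(f"escapes document root: {requested!r}") from None
    return candidate


def demo() -> Dict[str, str]:
    """Build a small constructed tree and show which requests are served or rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        root = (Path(tmp) / "www").resolve()
        (root / "docs").mkdir(parents=True)
        (root / "docs" / "readme.txt").write_text("hello")
        (Path(tmp) / "secret.txt").write_text("outside the web root")
        results = {}
        for req in ["docs/readme.txt", "docs/./readme.txt", "../secret.txt",
                    "docs/../../secret.txt", "%2e%2e/secret.txt", "/etc/passwd"]:
            try:
                results[req] = str(safe_resolve(root, req).relative_to(root))
            except TraversalAttempt:
                results[req] = "REJECTED"
        # The naive join happily produces a path that normalizes to the outside file.
        leaked = os.path.normpath(vulnerable_resolve(str(root), "../secret.txt"))
        results["naive ../secret.txt"] = "ESCAPES" if not leaked.startswith(str(root)) else "contained"
        return results


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request!r:28} -> {outcome}")
```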
RCE means remote code execution. Causes can include vulnerable services, command injection, insecure deserialization, bad file upload handling, or exposed management flaws. RCE is broader than simple input validation failure.
Extra exam awareness: SQLi is one example of injection. You may also see command injection, LDAP injection, or XML-related injection concepts. Buffer overflow is another classic code-execution enabler.
Quick compare: XSS runs code in the victim’s browser context. CSRF abuses trust in the victim’s existing session. Directory traversal reads files. RCE executes code.
10. Recognition, Diagnostics, and First-Response Playbooks
Scenario questions are really diagnosis questions. Match the evidence source to the attack:
- Firewall/NetFlow/sFlow/load balancer: DoS/DDoS, session exhaustion, unusual source distribution
- DNS logs: poisoning, rogue DNS settings, abnormal resolver responses
- DHCP logs/switch bindings: rogue DHCP, DHCP snooping, ARP validation issues
- RADIUS/wireless controller logs: rogue APs, authentication anomalies, repeated disconnects
- Directory service, identity platform, or VPN logs: brute force, password spraying, credential stuffing, impossible travel, MFA fatigue
- Web/WAF logs: SQLi, XSS, CSRF, traversal, RCE attempts
- Endpoint telemetry/EDR: ransomware, spyware, Trojans, rootkits, lateral movement
Compact triage workflow: identify the symptom, identify the target, preserve logs and captures, contain if needed, validate with a second source, then escalate. Do not destroy evidence by wiping or rebooting too early.
Mini-playbooks:
- Suspected DDoS: confirm with NetFlow and edge graphs, check session tables, engage upstream providers and traffic-cleaning services, rate-limit if appropriate, preserve timestamps and telemetry
- Suspected DNS poisoning: compare local cache, resolver, and authoritative answers; inspect hosts file and DHCP or DNS settings; check certificates; flush only after evidence is captured
- Suspected rogue AP/evil twin: identify SSID and BSSID, compare controller inventory, locate the radio source, inspect nearby switch ports, warn users not to join suspicious SSIDs
- Suspected password spraying: look for one or a few passwords across many accounts, enforce MFA or conditional access, tune smart lockout, investigate source IP distribution
- Suspected ransomware: isolate hosts, protect shares, disable compromised accounts if confirmed, preserve forensic data, validate backups before recovery
11. Mitigation and Secure Design Best Practices
Good security is layered. The same control often reduces multiple attack types:
- Segmentation: separate guest, user, server, management, and IoT networks
- Least privilege: reduces damage from stolen credentials and escalation
- MFA and conditional access: key defenses for phishing, spraying, and stuffing
- 802.1X/NAC: stronger access control than MAC filtering alone
- DAI + DHCP snooping: strong LAN defense against ARP abuse
- WAF + secure coding: helps with application attacks, especially when paired with parameterized queries and secure session handling
- WIDS/WIPS + PMF: better wireless protection
- DNSSEC: protects DNS authenticity and integrity, though it does not encrypt queries; encrypted DNS protocols address privacy
- EDR + SIEM: endpoint visibility plus cross-system correlation
- Secure protocol migration: SSH over Telnet, HTTPS over HTTP, SFTP or FTPS over FTP, SNMPv3 over SNMPv1 or SNMPv2c
Also remember tradeoffs. Rate limiting can hurt user experience if tuned badly. Aggressive account lockout can be weaponized into denial-of-service. Blackhole routing can save infrastructure while making the service unreachable. VPNs protect traffic in transit, but they do not prove the endpoint is healthy or stop phishing.
12. Quick Comparison Table for Exam Review
Use this table the way CompTIA writes questions: find the strongest clue, then eliminate the nearest distractor.
| Attack | Key clue | Primary impact | Best control | Common distractor |
|---|---|---|---|---|
| DoS | One source overwhelming a service | Availability | Filtering, rate limiting | DDoS |
| DDoS | Many sources or regions | Availability | Traffic scrubbing, distributed delivery architecture, provider assistance | DoS |
| MITM | Traffic altered or relayed in transit | Confidentiality, integrity | Encryption, certificate validation, segmentation | Replay |
| Replay | Old valid traffic reused | Integrity | Nonces, timestamps, challenge-response | MITM |
| ARP poisoning | Gateway MAC anomalies | Confidentiality, integrity | DAI + DHCP snooping | MAC spoofing |
| DNS poisoning | Valid name, wrong IP | Integrity, confidentiality | DNSSEC, secure resolvers | Phishing |
| Phishing | Generic urgent lure | Confidentiality/integrity, sometimes availability | Training, filtering, MFA | Spear phishing |
| Password spraying | Few passwords across many users | Confidentiality, integrity | MFA, smart lockout | Brute force |
| Credential stuffing | Valid reused credential pairs | Confidentiality, integrity | MFA, password hygiene, anomaly detection | Password spraying |
| Ransomware | Encrypted files, ransom note | Availability, often confidentiality | Backups, segmentation, EDR | Trojan |
| Rogue AP | Unauthorized AP on the network | Confidentiality, integrity | WIDS, NAC, inventory control | Evil twin |
| Evil twin | Fake copy of legitimate SSID | Confidentiality, integrity | 802.1X, certificate validation, monitoring | Rogue AP |
| Deauthentication | Repeated Wi-Fi disconnects | Availability | PMF/802.11w, WIDS | RF interference |
| XSS | Malicious script in viewed content | Confidentiality, integrity | Output encoding, CSP | CSRF |
| CSRF | Logged-in browser submits unwanted action | Integrity | Anti-CSRF tokens, SameSite | XSS |
| SQL injection | Unsafe input alters database behavior | Confidentiality, integrity | Parameterized queries | XSS |
| Directory traversal | Access to unintended files | Confidentiality | Path validation, least privilege | RCE |
13. Final Exam Tips and Most-Tested Confusion Pairs
Here is the fast version to carry into the exam:
- DoS vs DDoS: one source vs many sources
- Phishing vs spear phishing vs whaling: broad vs targeted vs executive target
- Brute force vs dictionary vs spraying vs stuffing: many guesses vs word-list guesses vs few common passwords across many users vs reused stolen pairs
- Rogue AP vs evil twin: unauthorized AP vs fake copy of a real SSID
- MITM vs replay vs session hijacking: in the middle vs reuse of old traffic vs theft of active session state
- XSS vs CSRF: script runs in browser vs browser tricked into sending authenticated request
- Directory traversal vs RCE: file access vs code execution
When answers look close, ask: what clue rules out the distractor? “Many global IPs” rules out simple DoS. “Same password across many accounts” rules out brute force. “Valid domain, wrong IP” points to DNS poisoning, not phishing. “Duplicate SSID plus certificate warning” points to evil twin, not just a rogue AP.
And finally: not every symptom is automatically an attack. Slow apps can be bad code, not DDoS. Wrong DNS can be stale cache or split-horizon design, not poisoning. Repeated Wi‑Fi drops can be interference, not deauthentication. Certificate warnings can be misconfiguration, not MITM. Good exam answers come from matching the strongest evidence, not from guessing based on vibes.