Chapter 1.1 Network Architecture & Attack Surfaces
Module 1: Foundations & Threat Landscape Level: Intermediate to Advanced | Estimated reading time: 45-60 min
Table of Contents
- The OSI & TCP/IP Models A Security Lens
- Network Topology & Architecture Patterns
- Attack Surface Decomposition
- Protocols & Their Inherent Weaknesses
- Mapping the Attack Surface with Tools
- Architecture Diagram
1. The OSI & TCP/IP Models A Security Lens
Most engineers learn the OSI model as an academic abstraction. In security, it becomes a precise vocabulary for locating where an attack occurs, what it affects, and what controls can mitigate it.
OSI Layers with Attack Classes
| Layer | Name | Protocol Examples | Primary Attack Classes |
|---|---|---|---|
| 7 | Application | HTTP, DNS, SMTP, FTP | SQLi, XSS, command injection, protocol abuse |
| 6 | Presentation | TLS, SSL, MIME | SSL stripping, certificate spoofing, encoding attacks |
| 5 | Session | NetBIOS, RPC, SMB | Session hijacking, replay attacks |
| 4 | Transport | TCP, UDP, SCTP | SYN flood, port scanning, TCP session hijacking |
| 3 | Network | IP, ICMP, OSPF, BGP | IP spoofing, ICMP tunneling, BGP hijacking, route injection |
| 2 | Data Link | Ethernet, ARP, 802.1Q | ARP spoofing, MAC flooding, VLAN hopping |
| 1 | Physical | Copper, Fiber, Radio | Tap attacks, jamming, hardware implants |
TCP/IP vs. OSI Mapping
The TCP/IP model (what the internet actually runs) collapses the OSI 7-layer model into 4 layers. Both models are useful TCP/IP for implementation, OSI for precise attack attribution.
OSI Model TCP/IP Model
────────────────────── ──────────────────────
7. Application ┐
6. Presentation ├──────→ 4. Application
5. Session ┘
────────────────────── ──────────────────────
4. Transport ──────→ 3. Transport (TCP/UDP)
────────────────────── ──────────────────────
3. Network ──────→ 2. Internet (IP)
────────────────────── ──────────────────────
2. Data Link ┐
1. Physical ├──────→ 1. Network Access
┘
Why this matters for offense and defense: A packet traverses all layers on the way in and all layers on the way out. An attacker at Layer 2 (ARP spoofing) can intercept traffic destined for Layer 7 (HTTPS) the encryption doesn't help if the routing is compromised.
2. Network Topology & Architecture Patterns
2.1 Classic Perimeter Architecture (Legacy)
The original network security model assumes a hard shell and soft interior "trust everything inside the firewall." This model is considered broken for modern environments but is still widely deployed and still exploited.
Internet
│
[Firewall]
│
[DMZ: Web servers, Mail relay, DNS]
│
[Internal Firewall]
│
[Corporate LAN]
├── Workstations
├── File servers
└── Domain Controllers
Fundamental flaw: Once an attacker is past the perimeter (phishing, VPN credential theft, supply chain), they have near-unrestricted lateral movement in a flat network.
2.2 Segmented / Defense-in-Depth Architecture
Modern hardened networks use segmentation to contain lateral movement. Each zone has explicit trust boundaries.
| Zone | Contents | Trust Level | Controls |
|---|---|---|---|
| Internet-facing DMZ | Web servers, reverse proxies, WAF | Untrusted | Strict ingress/egress filtering |
| Application tier | App servers, APIs | Semi-trusted | East-west micro-segmentation |
| Data tier | Databases, file stores | Restricted | Allowlist connections only |
| Management plane | Bastion hosts, IPAM, monitoring | Privileged | MFA, jump servers, PAM |
| OT / ICS zone | SCADA, PLCs, sensors | Isolated | Air-gap or unidirectional gateway |
| User LAN | Workstations | Low trust | NAC, EDR, VLAN isolation |
2.3 Cloud-Native Architecture
In IaaS/PaaS environments, the attack surface changes fundamentally:
- No physical perimeter the control plane is an API
- Identity becomes the new perimeter over-permissive IAM roles are as dangerous as open firewall ports
- Ephemeral infrastructure assets appear and disappear; traditional asset inventory fails
- Shared responsibility model the cloud provider secures the infrastructure, you secure everything on top
Key attack vectors unique to cloud:
- Metadata service abuse (SSRF →
http://169.254.169.254/latest/meta-data/iam/security-credentials/) - Publicly exposed S3 buckets / Azure Blob / GCS objects
- Over-permissive IAM roles attached to compute instances
- Insecure container registries
- Exposed Kubernetes API server (port 6443)
3. Attack Surface Decomposition
An attack surface is the totality of different points (attack vectors) where an unauthorized user can try to enter or extract data from an environment.
3.1 The Three Surface Categories
Network Attack Surface Everything reachable over a network: open ports, exposed services, routing infrastructure, wireless access points, VPN endpoints, cloud APIs.
Software Attack Surface Every piece of software that processes external input: web applications, APIs, middleware, drivers, OS services, firmware, libraries.
Human Attack Surface People and processes: phishing targets, vishing targets, insider threats, misconfigured access controls granted to humans.
3.2 Attack Surface Enumeration Methodology
Phase 1: Passive Reconnaissance
└── OSINT: WHOIS, Shodan, Censys, Certificate Transparency logs
└── DNS enumeration: subdomains, MX, SPF, DMARC, DKIM records
└── Job postings (reveal tech stack), GitHub leaks, LinkedIn
Phase 2: Active Scanning
└── Host discovery: ICMP, ARP, TCP/UDP probes
└── Port scanning: TCP SYN, UDP, service fingerprinting
└── OS detection: TTL analysis, TCP stack fingerprinting
Phase 3: Service Enumeration
└── Banner grabbing: version info, misconfigurations
└── Web crawling: endpoints, parameters, forms
└── Authentication discovery: login portals, API keys in JS
Phase 4: Vulnerability Mapping
└── CVE correlation against discovered versions
└── Configuration weakness identification
└── Trust relationship mapping (AD, cloud IAM, network routes)
3.3 Attack Surface Metrics
| Metric | Description | Why it Matters |
|---|---|---|
| Attack surface area | Count of exposed services × sensitivity | Bigger = more opportunities for attackers |
| Attack surface reduction | Services disabled vs. total available | Principle of least exposure |
| Exposure window | Time a vulnerable service is reachable | Patch velocity matters |
| Reachability depth | Hops from internet to sensitive asset | Fewer hops = higher risk |
4. Protocols & Their Inherent Weaknesses
Many core internet protocols were designed in an era where network participants were trusted. Their weaknesses are architectural, not implementation bugs they cannot be "patched away," only mitigated by layering controls on top.
4.1 ARP Address Resolution Protocol
Purpose: Resolves IP addresses to MAC addresses on a local network segment.
Weakness: ARP is stateless and unauthenticated. Any host can broadcast an unsolicited ARP reply claiming to own any IP address. There is no verification mechanism.
Attack: ARP Spoofing / ARP Poisoning
Normal flow:
Host A (10.0.0.10) → "Who has 10.0.0.1?" → Gateway responds with its MAC
Poisoned flow:
Attacker sends unsolicited ARP reply: "10.0.0.1 is at AA:BB:CC:DD:EE:FF"
Host A updates ARP cache → all traffic to gateway now flows through attacker
# Attacker uses arpspoof (dsniff suite) to poison ARP cache
# Enable IP forwarding first to avoid dropping victim traffic
echo 1 > /proc/sys/net/ipv4/ip_forward
# Poison victim (10.0.0.10) into thinking attacker is the gateway (10.0.0.1)
arpspoof -i eth0 -t 10.0.0.10 10.0.0.1
# In a second terminal: poison gateway into thinking attacker is the victim
arpspoof -i eth0 -t 10.0.0.1 10.0.0.10
Mitigations:
- Dynamic ARP Inspection (DAI) on managed switches validates ARP packets against a DHCP snooping binding table
- Static ARP entries for critical hosts
- 802.1X port-based authentication
- Encrypted channels (TLS) reduce the impact even when MitM is achieved
4.2 DNS Domain Name System
Purpose: Resolves hostnames to IP addresses using a distributed hierarchical system.
Weakness: Classic DNS (port 53 UDP) has no authentication. Responses can be spoofed, cached, or intercepted. DNS traffic is also cleartext every domain lookup leaks information.
| Attack | Mechanism | Impact |
|---|---|---|
| DNS Cache Poisoning | Inject forged A records into resolver cache | Redirect users to attacker-controlled IP |
| DNS Hijacking | Modify DNS settings on router or host | Full traffic redirection |
| DNS Tunneling | Encode C2 traffic in DNS queries/responses | Covert channel bypassing firewalls |
| NXDOMAIN Attack | Flood resolver with nonexistent domain queries | DoS on resolver |
| DNS Zone Transfer | AXFR request reveals full zone data | Network reconnaissance |
# Check if a DNS server allows zone transfers (misconfiguration)
dig axfr @ns1.target.com target.com
# Query for all DNS record types (reconnaissance)
dig any target.com +noall +answer
# Check DNSSEC deployment
dig +dnssec target.com A
# Detect DNS tunneling traffic (look for anomalously long subdomains)
# Normal: www.google.com (15 chars)
# Tunneled: aGVsbG8gd29ybGQ.c2VjcmV0.attacker.com (encoded payload)
Mitigations:
- DNSSEC cryptographically signs DNS records (prevents cache poisoning)
- DNS over HTTPS (DoH) or DNS over TLS (DoT) encrypts queries
- Response Rate Limiting (RRL) throttles suspicious query rates
- Block zone transfers except to authorized secondary nameservers
4.3 ICMP Internet Control Message Protocol
Purpose: Diagnostic and error-reporting protocol. Ping (type 8/0), traceroute, unreachable messages.
Weakness: ICMP is often over-permitted because "ping needs to work." Attackers abuse it for reconnaissance and covert channels.
| ICMP Type | Name | Abuse |
|---|---|---|
| 0 / 8 | Echo Reply / Request | Host discovery, OS fingerprinting via TTL |
| 3 | Destination Unreachable | Network mapping reveals which hosts/ports are filtered |
| 11 | Time Exceeded | Traceroute maps network topology |
| 5 | Redirect | ICMP redirect attack alter routing tables |
# Ping sweep using fping (much faster than sequential ping)
fping -a -g 10.0.0.0/24 2>/dev/null
# OS fingerprinting via TTL in ping response
# Linux: TTL=64, Windows: TTL=128, Cisco IOS: TTL=255
ping -c1 10.0.0.1 | grep ttl
# ICMP tunneling detection: look for large ICMP payloads
# Normal ping payload: 32-56 bytes
# Tunneled: ICMP data field contains encoded traffic, often 1000+ bytes
tcpdump -i eth0 'icmp and greater 100' -nn
# Block ICMP redirect attacks (Linux)
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
4.4 TCP Three-Way Handshake & Its Weaknesses
The TCP handshake creates state on the server before the client proves legitimacy this is by design and is the root cause of SYN flood attacks.
Normal TCP Handshake:
Client ──── SYN ────→ Server (Server allocates half-open connection entry)
Client ←── SYN-ACK ── Server
Client ──── ACK ────→ Server (Connection established, state promoted)
SYN Flood Attack:
Attacker ── SYN (spoofed src IP) ──→ Server (Server allocates entry, waits)
Attacker ── SYN (spoofed src IP) ──→ Server (Another entry allocated)
Attacker ── SYN (spoofed src IP) ──→ Server (Backlog fills up...)
[SYN-ACK goes to spoofed IP, never gets ACK'd]
[Server backlog exhausted legitimate connections refused]
# Simulate SYN flood (test environment only requires root)
hping3 -S --flood -V -p 80 10.0.0.1
# Detect SYN flood: watch for massive half-open connections
ss -ant | grep SYN_RECV | wc -l
# Threshold: >500 SYN_RECV entries usually indicates flood
# Mitigate: enable SYN cookies (Linux) server doesn't allocate state until ACK received
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Check current SYN cookie setting
sysctl net.ipv4.tcp_syncookies
5. Mapping the Attack Surface with Tools
5.1 Nmap The Definitive Scanner
Nmap is the standard for network reconnaissance. Understanding its scan types is essential for both offense (knowing what you can find) and defense (knowing what attackers see).
# Host discovery only no port scan (fast, stealthy)
nmap -sn 192.168.1.0/24
# SYN scan (stealth scan) doesn't complete TCP handshake, less likely to log
# Requires root/admin
sudo nmap -sS -p 1-65535 10.0.0.1
# Service version detection + OS detection + default scripts
sudo nmap -sV -O -sC 10.0.0.1
# Aggressive scan (combines -O -sV -sC --traceroute) very noisy
nmap -A 10.0.0.1
# UDP scan slow but critical; many services run UDP (DNS 53, SNMP 161, TFTP 69)
sudo nmap -sU --top-ports 100 10.0.0.1
# Scan output to all formats (normal, XML, grepable)
nmap -sV 10.0.0.0/24 -oA scan_results
# Firewall evasion: fragment packets (bypass simple packet filters)
nmap -f 10.0.0.1
# Spoof source IP (requires you're on the path to receive responses)
nmap -S spoofed_ip -e eth0 10.0.0.1
# Script scan: run specific NSE script
nmap --script=vuln 10.0.0.1
nmap --script=smb-vuln-ms17-010 10.0.0.1 # EternalBlue check
5.2 Masscan Internet-Scale Scanning
Masscan is purpose-built for speed it can scan the entire IPv4 internet in under 6 minutes. Useful for large internal ranges or understanding global exposure.
# Scan entire /16 range for port 443 at 10,000 packets/sec
masscan 10.0.0.0/16 -p443 --rate=10000
# Scan common ports across a range
masscan 10.0.0.0/8 -p22,80,443,8080,8443 --rate=50000 -oL results.txt
# Exclude specific ranges from scan
masscan 10.0.0.0/8 -p80 --excludefile exclude.txt
5.3 Netcat & Banner Grabbing
Banner grabbing is the act of connecting to a service and reading what it sends back. Banners often reveal software name, version, and OS all useful for CVE correlation.
# Manual banner grab via netcat
nc -nv 10.0.0.1 22 # SSH banner
nc -nv 10.0.0.1 25 # SMTP banner
nc -nv 10.0.0.1 80 # HTTP (send request manually)
# HTTP banner grab
echo -e "HEAD / HTTP/1.0\r\n\r\n" | nc 10.0.0.1 80
# Using curl to get server headers
curl -I http://10.0.0.1
# Grab FTP banner
nc -nv 10.0.0.1 21
# Suppress banner (some services): use -n flag in netcat to disable DNS, reducing detection
5.4 Attack Surface Summary Table Common Exposed Services
| Port | Service | Common Vulnerabilities | Recommended Action |
|---|---|---|---|
| 21 | FTP | Cleartext credentials, anonymous login | Disable; replace with SFTP |
| 22 | SSH | Weak creds, outdated versions (CVE-2023-38408) | Key-only auth, restrict source IPs |
| 23 | Telnet | Cleartext never acceptable | Disable immediately |
| 25 | SMTP | Open relay, user enumeration, STARTTLS downgrade | Authenticated submission only |
| 53 | DNS | Zone transfer, cache poisoning, tunneling | Restrict AXFR, enable DNSSEC |
| 80 | HTTP | Web app vulnerabilities, plaintext | Redirect to HTTPS, WAF |
| 161 | SNMP | Default community strings (public/private) | Disable v1/v2c; use SNMPv3 |
| 389 | LDAP | Null bind, credential exposure, LDAP injection | Require auth, use LDAPS (636) |
| 443 | HTTPS | TLS config issues, cert validation | Enforce TLS 1.2+, HSTS |
| 445 | SMB | EternalBlue (MS17-010), relay attacks | Disable SMBv1, firewall externally |
| 3389 | RDP | BlueKeep (CVE-2019-0708), credential attacks | MFA, NLA, restrict to VPN |
| 5432 | PostgreSQL | Default credentials, remote code execution | Bind to localhost, firewall |
| 6443 | K8s API | Unauthenticated access, RBAC misconfig | Require auth, private network |
| 8080 | HTTP Alt | Same as 80, often staging/dev exposed | Never expose dev servers publicly |
6. Architecture Diagram
The diagram below illustrates a segmented network architecture with labeled attack vectors at each boundary.
Attack Vector Annotations
| # | Vector | Layer | Mitigation |
|---|---|---|---|
| 1 | Port scan / service enumeration | L3-L4 | Firewall rules, port knocking, IDS alert on scan patterns |
| 2 | ARP spoofing (insider / post-pivot) | L2 | DAI, 802.1X, encrypted channels |
| 3 | DNS cache poisoning | L7 (App) | DNSSEC, DoT/DoH, split-horizon DNS |
| 4 | SMTP open relay / header injection | L7 (App) | Authenticated SMTP, SPF/DKIM/DMARC |
| 5 | Lateral movement via AD/Kerberos | L7 (App) | Network segmentation, PAM, Kerberoasting defenses |