Network and Physical Attacks
Not sure you’re ready?
Take the ~3-minute readiness diagnostic and see where you stand.
Whether constructed of steel tumblers or cryptographic algorithms, an access control system is fundamentally a boundary where a system must decide whether to grant trust. If we examine how these boundaries fail in the real world, we see that attackers rarely play by the rules the system's designer imagined. They do not merely attempt to guess the correct mathematical key; they might smash the mechanism holding the lock, perfectly mimic the signal of an authorized user from a distance, or simply flood the hallway with so much noise that legitimate users cannot reach the door at all. For the network administrator or security professional, understanding these attacks requires zooming out from the idealized protocols and looking at the raw, physical reality of how devices communicate, fail, and authenticate.
To defend an infrastructure, we must understand how attackers manipulate the physical environment, exhaust network resources, subvert the internet’s routing maps, and echo our own credentials back at us.
Before a packet ever reaches a router, your network relies on the physical integrity of your facilities. We often spend millions on firewalls and intrusion prevention systems, only to leave the physical access points vulnerable to highly tangible exploits.
The Brute Force Reality
In the digital realm, we think of brute force as a computationally intensive password-guessing game. In the physical realm, it is much more literal. Physical brute force attacks involve using destructive force to bypass physical access controls. This might mean using a crowbar on a server room door or drilling out the core of a server rack lock. No cryptographic algorithm can withstand a severed cable or a stolen hard drive.
Even when destructive force isn't used, physical access control mechanisms can be mathematically exhausted. Consider the electronic lock on your data center. A physical brute force attack on an electronic keypad involves testing all possible numerical combinations to gain unauthorized entry. If a keypad has four digits and no lockout mechanism after failed attempts, an attacker standing at the door simply acts as a slow, mechanical script, systematically testing from 0000 to 9999 until the door clicks open.

The Invisible Pickpocket: RFID Cloning
Most modern enterprises use radio frequency identification (RFID) badges rather than keys or keypads. When an employee taps their badge to a reader, they are transmitting an identifier. But radio waves do not stop at the plastic casing of a card reader—they bleed into the physical environment.
If a system uses unencrypted legacy RFID technology, it is highly susceptible to cloning. RFID cloning involves capturing the radio frequency signal from a legitimate access badge and copying the badge data to a blank card.
The Mechanics of the Skim: Attackers use concealed RFID readers to surreptitiously capture access badge signals from targeted employees in public spaces. Imagine an employee sitting at a coffee shop next to your office building. An attacker sits at the adjacent table with a concealed reader in a backpack. An RFID skimmer can read an unencrypted access card from a distance of up to three feet. The employee never knows their badge just "shouted" its ID to a malicious device.
To stop this, we must shift the paradigm of how the badge proves its identity. Encrypted smart cards prevent RFID cloning by requiring dynamic cryptographic handshakes instead of transmitting static identifiers. Rather than the card continually shouting a static string of numbers (which a cloner can simply record and parrot back), the door reader issues a unique mathematical challenge. The card processes this challenge using a secret internal key and returns a unique answer. Because the answer changes every single time, a cloned recording of yesterday's handshake is completely useless today.

Moving from the physical layer to the network layer, we encounter a different philosophy of attack. Sometimes, an attacker doesn't want to steal your data; they simply want to stop you from doing business.
A Denial of Service (DoS) attack attempts to make a machine or network resource unavailable to legitimate users. When an attacker realizes that their single computer cannot generate enough traffic to take down an enterprise firewall, they distribute the workload. A Distributed Denial of Service (DDoS) attack uses multiple compromised devices to overwhelm a single target system with excessive network traffic.
The Mirai botnet historically launched massive Distributed Denial of Service attacks by compromising millions of Internet of Things (IoT) devices. By infecting poorly secured webcams, baby monitors, and home routers, attackers built an army of millions of devices, turning mundane household electronics into a synchronized cyber weapon.

Exhausting the Network: Volumetric and Protocol Attacks
DDoS attacks generally fall into different categories based on what resource they are trying to exhaust.
- Bandwidth Exhaustion: Volumetric Distributed Denial of Service attacks aim to completely consume all available network bandwidth of a target organization. If your corporate internet pipe can handle 10 Gigabits per second, the attacker simply sends 20 Gigabits per second of junk data. The internet service provider's circuits saturate, and legitimate traffic is dropped before it ever reaches your firewall.
- State Exhaustion: Other attacks target the processing memory of your networking equipment. A SYN flood is a network layer attack that exhausts server resources by rapidly initiating incomplete Transmission Control Protocol (TCP) connections.
Analogy of a SYN Flood: Imagine a restaurant where customers call in to reserve a table. A customer calls (sending a
SYNpacket), and the host writes their name in the ledger and reserves a table (the server replies with aSYN-ACKand holds memory open). In a SYN flood, the attacker makes thousands of calls per second but hangs up before confirming. The host fills the entire ledger with half-open reservations, leaving no tables available for legitimate, paying customers.

Weaponizing Trust: Amplification Attacks
Why generate your own attack traffic when you can trick legitimate internet infrastructure into doing it for you?
An amplification attack exploits vulnerable third-party servers to multiply the size of the malicious network traffic sent to a victim. The attacker sends a small request to a vulnerable server, but spoofs (fakes) their return IP address so it looks like the request came from the victim. The server then sends a massive reply to the victim.
The scale of these attacks can be staggering. Attackers historically exploited the Memcached protocol to achieve a Distributed Denial of Service amplification factor of over 50,000 times. An attacker with just 1 Megabit of bandwidth could generate 50 Gigabits of crushing attack traffic, effectively weaponizing the internet's own servers against the target.
To direct traffic on a network, computers rely on the Domain Name System (DNS) to translate human-readable names (like bank.com) into IP addresses. If an attacker can manipulate this translation, they control reality for the user.
DNS spoofing involves maliciously altering Domain Name System records to redirect users from a legitimate website to an attacker-controlled website. The user types the correct URL, their browser shows a green padlock, but they are secretly interacting with a malicious server designed to steal their credentials.

How does the attacker alter these records? There are two primary methods, operating at different levels of the infrastructure:
| Attack Type | Mechanism of Action | Scope of Impact |
|---|---|---|
| DNS Cache Poisoning | DNS cache poisoning introduces corrupt domain name resolution data into the cache of a Domain Name System resolver. An attacker tricks a local DNS server (like your ISP's resolver) into saving a fake IP address. | Affects only the users relying on that specific poisoned resolver until the cache expires. |
| Domain Hijacking | Domain hijacking occurs when an attacker gains unauthorized administrative control over a target domain name registration account. The attacker logs into the registrar (e.g., GoDaddy, Route53) and changes the official authoritative records. | Global impact. The entire internet is handed the attacker's fake routing instructions. |
DNS is not only a target; it can also be a weapon. Returning to the concept of amplification, DNS amplification is a Distributed Denial of Service technique exploiting open DNS resolvers to send oversized response packets to a spoofed victim IP address. Because a small DNS query (e.g., "Give me all cryptographic records for this domain") can result in a massive response payload, open DNS servers are a favorite tool for generating volumetric DDoS attacks.
Finally, we must address how attackers move laterally once they are inside the environment. Just as a physical attacker might record and clone an RFID badge, a network attacker can record and clone your digital identity.
A credential replay attack involves intercepting valid authentication data over a network and reusing the data to gain unauthorized access.
To execute this, an attacker first needs visibility into the traffic. Network sniffers capture unencrypted credentials during network transmission to facilitate credential replay attacks. If an administrator authenticates over Telnet or legacy HTTP, their credentials traverse the wire in plaintext, easily captured by tools like Wireshark.
But what if the network relies on hashed passwords rather than plaintext? Even here, the replay attack is a potent threat.
Pass-the-Hash
In certain older enterprise protocols, the hashed version of a password is used as the cryptographic key itself. If the attacker intercepts the hash, they do not need to crack it to find the original password; they can simply present the hash to the server.
Pass-the-hash is a credential replay attack allowing an attacker to authenticate using a captured password hash instead of the plaintext password. Because of legacy architectural decisions, Pass-the-hash credential replay attacks specifically target Microsoft Windows NT LAN Manager (NTLM) authentication environments. In NTLM, the hash is functionally equivalent to the password. If you hold the hash, you hold the keys to the kingdom.

Defending the Timeline: Nonces and Kerberos
To defeat credential replay attacks, network architects must design systems where a captured authentication message becomes useless the moment it is intercepted. We do this by embedding time and uniqueness into the cryptography.
First, we use nonces. Cryptographic nonces prevent credential replay attacks by ensuring each authentication request incorporates a mathematically unique, single-use value. (Nonce stands for "Number Used Once"). If an attacker captures a login request and replays it, the server rejects it because the nonce inside the message has already been "spent."
Second, modern Windows domains replaced vulnerable NTLM with Kerberos, a protocol built entirely around chronological freshness. The Kerberos network authentication protocol uses strict timestamping to validate the freshness of authentication tickets. When a user requests access to a service, their cryptographic ticket includes the exact current time.
If an attacker captures a Kerberos ticket and attempts to replay it hours later, the server will reject it because the timestamp is stale. For this to work, however, every clock on the network must agree on what time it is. Therefore, Kerberos network authentication enforces a maximum five-minute time skew between client and server to successfully prevent credential replay attacks. If an IT administrator allows a domain controller's clock to drift by more than five minutes, legitimate logins will fail, but more importantly, the narrow window that protects the network from replay attacks will collapse.

By understanding these vectors—from the brute force destruction of a door lock to the mathematical elegance of a Kerberos timestamp—you build a holistic view of infrastructure security. The adversary is constantly looking for the point where a signal, a session, or a secret can be exploited. Your job is to ensure that trust is never granted without absolute, unforgeable proof of identity and intent.