This post connects protocol fundamentals to practical attack tooling by walking through packet sniffing, ICMP/IP/Ethernet spoofing, and active request-reply interception. All examples are grounded in lab work from a controlled virtual network.
Why Packet-Level Visibility Matters
Network security decisions are often made at the application level, but many attacks exploit assumptions in lower layers: endpoint trust, source identity, and protocol behavior. If an attacker can observe or inject packets on the same broadcast domain, they can influence communication before application-layer controls even execute.
In this lab sequence, that principle shows up immediately: ICMP requests can be observed in transit, source fields can be forged, and automated reply logic can be abused to impersonate systems.
Minimal Protocol Stack Refresher
Layer 2 (Ethernet)
Carries frames between interfaces on a local segment. Trust is weak by default: a host can often emit frames with forged source MACs unless switch controls are configured.
Layer 3 (IP)
Provides addressing and routing. Source IP fields are not cryptographically authenticated, so they can be spoofed in many environments.
Layer 4 / Control (ICMP)
ICMP supports diagnostics (echo request/reply) and control messaging. It is simple and useful for labs, but that same simplicity makes it ideal for demonstrating packet forgery.
Security Implication
If a policy depends only on unvalidated source identity at L2/L3, spoofed traffic will satisfy it and bypass the assumption that identity implies trust.

Lab Topology and Threat Model
The environment consists of multiple VMs connected on a shared virtual NAT network. One machine generates traffic, one acts as observer/attacker, and one can represent an additional endpoint depending on the experiment.
Threat model assumptions
- Attacker has local network visibility (same segment or mirrored traffic path).
- Attacker can send raw packets.
- No cryptographic authentication at ICMP or IP source level.
- Hosts accept and process protocol-valid packets even if source identity is forged.
Packet Sniffing with libpcap
The first program (sniffex.c) captures ICMP requests and prints packet details. This is the baseline: before forging traffic, confirm you can observe packet metadata reliably.
Lab execution pattern
```bash
# On observer VM
gcc -o sniffex sniffex.c -lpcap
sudo ./sniffex
# On traffic generator VM
ping 192.168.15.4
```
Security insight
A passive attacker can build host-behavior intelligence quickly: who communicates, when they communicate, and which control messages dominate. Even without payload decryption, timing and metadata are actionable.
ICMP/IP/Ethernet Spoofing
The next tools (spoof.c and spoofe.c) create forged requests by constructing packet headers directly. This demonstrates how weak source trust can be when packet crafting is available.
ICMP/IP spoof test
```bash
gcc -o spoof spoof.c
sudo ./spoof
# Verify on receiver side
sudo tcpdump -n -i eth14 icmp
```
Ethernet-level spoof test
```bash
gcc -o spoofe spoofe.c
sudo ./spoofe
# Verify L2 details
sudo tcpdump -i eth15 -e icmp
```
Capturing with -e exposes Ethernet headers and confirms whether forged source MAC addresses are present, which helps separate L2 spoof behavior from L3-only spoof behavior.

Active Interception: Sniff-and-Spoof Loop
The combined tool (sniffnspoof.c) demonstrates a more realistic attacker behavior: observe incoming echo requests and immediately inject spoofed echo replies. That closes the loop from passive visibility to active control.
```bash
# On attacker VM
gcc -o sniffnspoof sniffnspoof.c -lpcap
sudo ./sniffnspoof
# On victim VM
ping 192.168.15.99
```
Why this matters
- Response race conditions can let attackers answer before legitimate hosts.
- Many diagnostic workflows trust first valid-looking replies.
- This pattern generalizes to other request-response protocols beyond ICMP.
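As an added example (not one of the lab's own programs), the following C code shows the defender's side of the reply race described above and of the L2-versus-L3 distinction that tcpdump -e exposes: it parses Ethernet/IPv4/ICMP headers the way a libpcap callback would see them, pins the source MAC of the first echo reply to each outstanding (id, seq), and flags a later reply for the same request that arrives from a different MAC. Frames are constructed inline rather than captured; the MACs, IPs and ICMP IDs are made-up lab values, and the detector ignores checksums.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Parsed view of an Ethernet/IPv4/ICMP frame: just the fields the checks need. */
typedef struct { uint8_t src_mac[6]; uint8_t type; uint16_t id, seq; } icmp_view;

/* Parse Ethernet + IPv4 + ICMP headers from raw bytes. Returns 0 only for ICMP frames. */
static int parse_frame(const uint8_t *f, size_t len, icmp_view *v) {
    if (len < 42 || f[12] != 0x08 || f[13] != 0x00) return -1;  /* too short / not IPv4 */
    size_t ihl = (f[14] & 0x0f) * 4;
    if (f[23] != 1 || len < 14 + ihl + 8) return -1;             /* IP protocol is not ICMP */
    const uint8_t *ic = f + 14 + ihl;                            /* start of ICMP header */
    memcpy(v->src_mac, f + 6, 6);
    v->type = ic[0]; v->id = ic[4] << 8 | ic[5]; v->seq = ic[6] << 8 | ic[7];
    return 0;
}
/* Outstanding echo requests keyed by (id, seq); the source MAC of the first reply is pinned. */
static struct { uint16_t id, seq; int answered; uint8_t mac[6]; } q[64];
static int nq;

/* Verdict: 0 = nothing suspicious, 1 = echo reply with no matching request, 2 = second reply to the same request from a different source MAC (reply race). */
int check_echo(const uint8_t *frame, size_t len) {
    icmp_view v; int i; if (parse_frame(frame, len, &v)) return 0;
    for (i = 0; i < nq && !(q[i].id == v.id && q[i].seq == v.seq); i++) ;
    if (v.type == 8) {                                   /* echo request: remember it */
        if (i == nq && nq < 64) { q[nq].id = v.id; q[nq].seq = v.seq; q[nq].answered = 0; nq++; }
        return 0;
    }
    if (v.type != 0) return 0;                           /* other ICMP types are not tracked */
    if (i == nq) return 1;                               /* reply that nobody asked for */
    if (!q[i].answered) { q[i].answered = 1; memcpy(q[i].mac, v.src_mac, 6); return 0; }
    return memcmp(q[i].mac, v.src_mac, 6) ? 2 : 0;       /* same MAC again = retransmit, fine */
}
/* Constructed 42-byte test frame (checksums left zero; the detector does not verify them). */
size_t build_frame(uint8_t *out, const uint8_t *smac, uint32_t sip, uint8_t type, uint16_t id, uint16_t seq) {
    memset(out, 0, 42);
    memcpy(out + 6, smac, 6);                                /* forged or real source MAC */
    out[12] = 0x08; out[13] = 0x00;                          /* EtherType IPv4 */
    out[14] = 0x45; out[17] = 28; out[22] = 64; out[23] = 1; /* IHL 5, total len 28, TTL 64, proto 1 */
    out[26] = sip >> 24; out[27] = sip >> 16; out[28] = sip >> 8; out[29] = sip;
    out[34] = type; out[38] = id >> 8; out[39] = id; out[40] = seq >> 8; out[41] = seq;
    return 42;
}
int main(void) {   /* replay the lab scenario: one request, the real reply, then a rogue duplicate */
    uint8_t victim[6] = {2,0,0,0,0,1}, real[6] = {2,0,0,0,0,2}, rogue[6] = {2,0,0,0,0,3}, f[42];
    printf("%d ", check_echo(f, build_frame(f, victim, 0xC0A80F04u, 8, 0x1234, 1)));  /* 0 */
    printf("%d ", check_echo(f, build_frame(f, real, 0xC0A80F63u, 0, 0x1234, 1)));    /* 0 */
    printf("%d\n", check_echo(f, build_frame(f, rogue, 0xC0A80F63u, 0, 0x1234, 1)));  /* 2 */
    return 0;
}
```

In a live deployment the same check_echo would be called from a pcap_loop callback on the frames tcpdump shows; the pinned-MAC rule is what turns the L2 detail from the -e capture into an alert rather than a manual comparison.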
Detection and Hardening Strategies
Defenses must be layered. No single control stops all spoofing forms across all environments.
| Attack Surface | Primary Control | Operational Notes |
|---|---|---|
| Forged source IP | Ingress/Egress filtering (BCP 38 style) | Most effective at network boundaries; depends on upstream compliance. |
| Forged source MAC | Switch port security + DHCP snooping + DAI | Requires managed switching and correct binding state. |
| ICMP abuse | Rate limiting + ACL policy + anomaly detection | Avoid blanket blocking; diagnostics are still operationally useful. |
| Packet interception visibility | Segmentation + encrypted overlays | Limits attacker observation scope on flat networks. |

Key Technical Takeaways
- Packet-level trust is conditional, not guaranteed. Headers are easy to forge in weakly controlled networks.
- libpcap-based sniffing provides immediate operational intelligence for attackers.
- ICMP spoofing demonstrates broader identity and authenticity weaknesses at lower layers.
- Sniff-and-spoof loops convert passive observation into active influence quickly.
- Effective defense requires coordinated controls at host, switch, and routing boundaries.