Is ARP poisoning still relevant in 2026?

On managed corporate LANs with DAI and 802.1X — rare. On guest Wi-Fi, untrusted office networks, and most SMB environments — extremely common because the defences require switch capabilities most networks do not enable. Pentesters reach for it on day one of an internal engagement.

Why is DNSSEC adoption so low?

Operational complexity. Key rollovers go wrong; misconfigurations create days-long outages (.gov took down its zone twice). The benefit is invisible (preventing a Kaminsky-style attack you would never detect anyway) so the operations team has no incentive. DoT/DoH solved most of the practical attack surface for users without DNSSEC.

Should we block DoH on our corporate network?

It depends. If you rely on DNS-based filtering (Umbrella, Quad9), you must either block DoH at the perimeter (Cloudflare, Google's DoH endpoints are well-known) or push browser policy to use your enterprise DoH endpoint. The right answer in 2026 is the latter; outright blocking is increasingly arms-race because every messaging app embeds its own resolver.

Why does ICMP keep showing up in pentest reports?

Because it is a covert channel, a fingerprinting tool, and an information leak all in one. Pingsweeps still find live hosts; ICMP type 13/14 leak system uptime; ICMP fragments leak OS family; tunnelled C2 over ICMP is invisible to many port-based firewalls. Defenders should not block ICMP, but should profile expected ICMP and alert on outliers.

How does HTTP/2 change my visibility?

A lot. Single TCP connection multiplexes many requests; headers are HPACK-compressed; priority and dependencies add complexity. Tools that grep for "GET /admin" in raw bytes break. The good news: Wireshark, Zeek, and modern WAFs all dissect HTTP/2 properly — but middle-boxes that did regex matching on HTTP/1.1 must be upgraded or replaced.

Should I block legacy protocols entirely?

Audit them, then decide. FTP, plain SMTP, plain LDAP usually have authenticated/encrypted alternatives (SFTP, SMTP+STARTTLS, LDAPS). Migrate; once nothing legitimate uses the legacy protocol, block at the perimeter. Blocking before the migration breaks production.

How do I monitor for unauthorised protocols?

Zeek's protocol detection logs (conn.log + protocol-specific logs) reveal what is actually running. Periodically diff against your "approved protocols" list; investigate every newcomer. This is one of the highest-leverage hunting queries available.

Network Protocols Deep Dive — Networking Module 3

Read as

Last updated: May 1, 2026

Protocols are contracts between machines. Most of the protocols the Internet runs on were designed in the 1980s assuming everyone on the wire was friendly. They are not. This module dissects the seven protocols you must know cold — ARP, DHCP, ICMP, DNS, NTP, HTTP, TLS — and the trust assumption each one makes that attackers exploit. By the end you will be able to look at any protocol exchange and predict where the abuse surface is.

A “protocol” is just an agreed format for messages between two machines. The trouble is that most of the protocols still keeping the Internet running were designed in an era of trust — the campus LAN at MIT in 1982, the early ARPANET, where everyone knew everyone. None of the original specs imagined adversaries. ARP, DHCP, ICMP, DNS, NTP — every one of them has been weaponised, and yet they still run unauthenticated on most networks because the alternative is too disruptive. This module walks through each protocol the way an attacker reads it: what does it assume, where does the trust break, and what does a defender do?

ARP — the protocol that has no security at all

Address Resolution Protocol maps Layer 3 (IP) to Layer 2 (MAC) on a LAN. Host A wants to send to 192.168.1.1; A broadcasts an ARP request “who has 192.168.1.1?”; the holder replies “I do, my MAC is aa:bb:cc:dd:ee:ff.” That reply is unauthenticated, untimestamped, and cached for minutes. ARP poisoning works by simply replying first or replying repeatedly, claiming you are the gateway. The victim now sends all off-LAN traffic to you. Every Layer 2 MITM tool — Ettercap, bettercap, Cain and Abel from the old days — is just an ARP poisoner with a TLS-stripping front-end.

DefencesDynamic ARP Inspection (DAI) on managed switches, Static ARP entries on critical hosts, and 802.1X with MACsec for high-trust environments. Most enterprises run none of these and rely on “the LAN is trusted” — a 1990s assumption that BYOD and IoT devices have made indefensible.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants

Network Protocols Deep Dive — ARP, DHCP, ICMP, DNS, HTTP and the Trust They Assume

ARP — the protocol that has no security at all

Custom team training + practitioner advisory

Other modules in this track

Networking Fundamentals — OSI, TCP/IP, and Why Layers Actually Matter

Packet Analysis with Wireshark — From “Open the PCAP” to Diagnosing Real Incidents

Advanced Routing and VLANs — Static, OSPF, EIGRP, and Where Trust Boundaries Actually Live