Network attack

asked 2020-07-18 13:17:15 +0000

yeoshing

updated 2020-07-23 08:17:12 +0000

grahamb

Hi, I need help with the following questions:

An attack has been launched on a company’s server. A network trace with the attack data is provided in Network_Traffic.pcap.

Analyse the given network traffic using Wireshark.

  1. How many network attack packets were sent out to the target server? Explain on how to derive your answer.

My answer: By using (tcp.flags.reset == 1)

  2. How many attackers is/are there? ??

  3. Is this attack conducted from the same network as the company’s server? ??

  4. Based on the network traffic given, justify your answers. ??

https://drive.google.com/file/d/16Mj-...

Thanks.


Comments

The first question should be what kind of attack has been launched. Then you can filter the capture to this traffic, count the packets and determine the sources by the endpoint statistics menu.

JasMan ( 2020-07-18 13:59:51 +0000 )

Thank you for the capture file. I'm not totally sure about my answer (see comment at the bottom). So it would be great if someone can verify it.

  1. How many network attack packets were sent out to the target server? Explain on how to derive your answer. We see a lot of SYN packets without any options coming from 192.168.0.80 to 192.168.0.155 for port 80, so it's a SYN flood attack. 192.168.0.155 is the target server. You can count the packets by adding a display filter for packets from 192.168.0.80 to 192.168.0.155 which have the SYN bit set: (ip.src == 192.168.0.80 && ip.dst == 192.168.0.155) && (tcp.flags == 0x002). At the bottom in the right corner you will see the count of displayed packets. I guess the RST packets are ...

JasMan ( 2020-07-19 13:18:33 +0000 )
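
The count described in the comment above (packets whose TCP flags field equals 0x002 exactly, grouped by source and destination), as an added example that is not part of the original thread. It reads a classic pcap with untagged Ethernet/IPv4 framing using only the Python standard library; the sample capture is constructed in the script and borrows only the two addresses and the port named in the comment, and `syn_only_counts`, `build_frame` and `build_pcap` are names made up here.

```python
import struct
from collections import Counter

def syn_only_counts(pcap: bytes) -> Counter:
    """Count packets per (src, dst, dport) whose TCP flags equal 0x002 exactly."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Keep only untagged IPv4 frames that carry TCP (protocol 6).
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:
            continue
        # Low 12 bits of bytes 12-13 are the field matched by tcp.flags.
        flags = struct.unpack("!H", tcp[12:14])[0] & 0x0FFF
        if flags == 0x002:                    # SYN set, every other flag clear
            src = ".".join(map(str, frame[26:30]))
            dst = ".".join(map(str, frame[30:34]))
            counts[(src, dst, struct.unpack("!H", tcp[2:4])[0])] += 1
    return counts

def build_frame(src, dst, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame with no TCP options (test data)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIHHHH", 40000, dport, 0, 0, (5 << 12) | flags, 512, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap container (test data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed sample: three bare SYNs, one SYN/ACK reply, one RST.
A, S = (192, 168, 0, 80), (192, 168, 0, 155)
SAMPLE = build_pcap([build_frame(A, S, 80, 0x002)] * 3
                    + [build_frame(S, A, 40000, 0x012), build_frame(A, S, 80, 0x004)])

if __name__ == "__main__":
    for key, n in syn_only_counts(SAMPLE).items():
        print(key, n)
```

The number of distinct source addresses among the returned keys corresponds to what the endpoint statistics menu shows for the filtered traffic.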

Hi JasMan

Thanks for your response and reply.

yeoshing ( 2020-07-28 07:08:32 +0000 )