Network_Forenic_Training_for_beginner.pdf

TngPhanThanh8 5 views 53 slides Feb 28, 2025

About This Presentation

Training network for beginner, improve network knowledge and skill.


Slide Content

Network Forensic
October 6th, 2016
Global Coordination Division
JPCERT/CC

Copyright©2016 JPCERT/CC All rights reserved.
Agenda
1. Basics of Network Security Analysis
—What is “Network Security Analysis”?
—How is it useful for your security activities?
—Network Security Analysis - Packet based (1): summary
2. Wireshark
—About Wireshark
—Introduction to Wireshark
—Sample filters
—Analysis environment for the exercises
—Network Security Analysis - Packet based (2): how to
3. Exercises
—Basic: exercise 1 to exercise 6
—Advanced: exercise 7 to exercise 12 + α

Knowledge that will be useful
Good understanding of TCP/IP and the major application protocols
Basic understanding of viruses, worms and malware
Know how to use, or have at least seen, Wireshark

Basics of Network Security Analysis

What is Network Security Analysis?
“Network Analysis” for security
—Important activities for incident responders and security analysts
Related to many security activities
—Network monitoring
To detect an on-going incident
—Network forensics
To find evidence in a specific incident
To recover a system
—Malware analysis
To discover the capabilities of a malware sample
—sending important data to a malicious server
—bot command & control

Network Security Analysis - Flow based
Features
—Focus on network flow/traffic instead of each packet
—Good approach to get a high-level overview or to spot the important points
Tools / Techniques
—NetFlow / sFlow
—MRTG / RRDtool
—etc.

Network Security Analysis - Packet based: summary
Features
—Focus on each packet or a group of packets
—Can analyze thoroughly, but at a high cost (time)
Tools / Techniques
—tcpdump
—Wireshark / tshark
—etc.
Main focus of this training

Wireshark
About Wireshark
Free!
Runs on many OSs
—Windows / Linux / *BSD / Solaris and others
User interface
—GUI: 3 panes (Packet List / Packet Details / Packet Bytes)
—CUI version: tshark
Many features
—Search / Filter / Colorize / Statistics and many others
Download Wireshark
—https://www.wireshark.org/download.html

Introduction to Wireshark
Some features of Wireshark that will be used in the exercises.
“Analyze” => “Follow TCP Stream”
—See the data of a TCP stream the way the application layer sees it. A very handy tool for looking at data streams.
“Statistics” => “Conversations”
—A tabbed window separated by protocol that shows statistics for each protocol: amount of data, time, etc.
Filters
—Filters come in handy when you want to see one aspect of the capture, e.g. just the packets originating from a certain port.
** Using a combination of the above features should allow you to solve most of the exercises that follow.

Sample filters
tcp.port==443
—TCP packets with source or destination port 443
—Restricting to the source or destination side only can be done with tcp.srcport / tcp.dstport
tcp.flags.syn==1
—TCP SYN packets
—The above also includes SYN/ACK packets; to remove them, add tcp.flags.ack==0 using &&
ip.src==10.0.0.12
—Packets with source IP 10.0.0.12
—Changing “src” to “dst” changes this to the destination IP
Combinations of the above are possible using:
—“||” (or), “&&” (and)
—Ex: ip.src==10.0.0.12 && tcp.dstport==80

Analysis environment for the exercises
Attention!
—Some pcap files for the exercises include malicious data.
—These files or data may trigger your anti-virus detection.
—Using a virtual environment is recommended, e.g. VirtualBox / VMware.
Recommendations
—Wireshark + supplementary tools (base64 decoder, etc.)

Capturing network traffic
Try to access the following URL while capturing:
URL: http://blog.jpcert.or.jp/

Exercises
Part 1: Basic

Exercise 1: Good Old Telnet

Good Old Telnet
File
—01-telnet.pcap
Question
—Reconstruct the telnet session.
Q1: 192.168.0.1 is a telnet __________.
192.168.0.2 is a telnet __________.
Q2: Who logged into 192.168.0.1?
—Username __________, Password __________.
Q3: After logging in, what did the user do?

Exercise 2: Massive TCP SYN

Massive TCP SYN
File
—02-massivesyn1.pcap
—02-massivesyn2.pcap
Question
—Point out the difference between the two captures.
—Q1: 02-massivesyn1.pcap is a ____________ attempt.
—Q2: 02-massivesyn2.pcap is a ____________ attempt.
Tip
—Pay attention to SrcIP and DstPort

Tips: About SYN flood
TCP 3-way handshake (client and server): the client sends SYN, the server replies SYN/ACK, the client sends ACK, and the connection succeeds.
SYN flood (attacker and server): the attacker sends SYN, the server replies SYN/ACK and keeps waiting for an ACK that never comes; a legitimate client's SYN then gets no reply.

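The sample display filters (tcp.port==443, tcp.flags.syn==1 && tcp.flags.ack==0, ip.src==10.0.0.12) and the SrcIP/DstPort tip for exercise 2 can be reproduced outside Wireshark. The following Python script is an added example, not part of the JPCERT/CC slides or their exercise files: it builds a small libpcap-format capture inline (constructed frames, not the 02-massivesyn*.pcap data), parses the Ethernet/IPv4/TCP headers, implements the three filters over the parsed packets, and summarises pure SYN packets per source, which is the view that separates a port scan (many destination ports from one source) from a SYN flood (many SYNs to one port). The hosts 10.0.0.66 and 10.0.0.77 are made up for the sample.

```python
"""Added example: minimal libpcap reader plus the slide's sample filters and a
per-source SYN summary. The capture below is constructed in code, not taken
from the training pcap files."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4                 # libpcap, microsecond timestamps
SYN, SYNACK, ACK = 0x02, 0x12, 0x10      # TCP flag bytes used by the sample


def build_frame(src_ip, dst_ip, sport, dport, flags):
    """Ethernet II / IPv4 / TCP frame with no options and no payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp   # zero MACs, ethertype IPv4


def build_pcap(frames):
    """Wrap frames in a libpcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out


def read_pcap(data):
    """Yield one dict per TCP packet, keyed like Wireshark display-filter fields."""
    magic, = struct.unpack("<I", data[:4])
    end = "<" if magic == PCAP_MAGIC else ">"   # byte order follows the magic number
    off = 24
    while off + 16 <= len(data):
        ts, _, caplen, _ = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # IPv4 and TCP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_hdr, tcp_hdr = frame[14:14 + ihl], frame[14 + ihl:14 + ihl + 20]
        sport, dport = struct.unpack("!HH", tcp_hdr[:4])
        flags = tcp_hdr[13]
        yield {"time": ts,
               "ip.src": ".".join(str(b) for b in ip_hdr[12:16]),
               "ip.dst": ".".join(str(b) for b in ip_hdr[16:20]),
               "tcp.srcport": sport, "tcp.dstport": dport,
               "tcp.flags.syn": (flags >> 1) & 1, "tcp.flags.ack": (flags >> 4) & 1}


# The three sample filters from the slide, as list comprehensions.
def tcp_port(pkts, port):          # tcp.port==port
    return [p for p in pkts if port in (p["tcp.srcport"], p["tcp.dstport"])]


def pure_syn(pkts):                # tcp.flags.syn==1 && tcp.flags.ack==0
    return [p for p in pkts if p["tcp.flags.syn"] == 1 and p["tcp.flags.ack"] == 0]


def from_src(pkts, ip):            # ip.src==ip
    return [p for p in pkts if p["ip.src"] == ip]


def syn_summary(pkts):
    """Per source IP: (number of pure SYNs, distinct destination ports).
    Many ports from one source reads as a port scan; many SYNs to one port
    reads as a SYN flood. This is the SrcIP / DstPort view from the exercise tip."""
    acc = defaultdict(lambda: [0, set()])
    for p in pure_syn(pkts):
        acc[p["ip.src"]][0] += 1
        acc[p["ip.src"]][1].add(p["tcp.dstport"])
    return {ip: (n, len(ports)) for ip, (n, ports) in acc.items()}


# Constructed capture: one normal handshake, one scan-like host, one flood-like host.
SAMPLE_PCAP = build_pcap(
    [build_frame("10.0.0.12", "10.0.0.101", 40001, 443, SYN),
     build_frame("10.0.0.101", "10.0.0.12", 443, 40001, SYNACK),
     build_frame("10.0.0.12", "10.0.0.101", 40001, 443, ACK)]
    + [build_frame("10.0.0.66", "10.0.0.101", 50000 + i, 1 + i, SYN) for i in range(20)]
    + [build_frame("10.0.0.77", "10.0.0.101", 51000 + i, 80, SYN) for i in range(50)])


def analyze(data=SAMPLE_PCAP):
    pkts = list(read_pcap(data))
    return {"packets": len(pkts),
            "tcp.port==443": len(tcp_port(pkts, 443)),
            "pure_syn": len(pure_syn(pkts)),
            "ip.src==10.0.0.12": len(from_src(pkts, "10.0.0.12")),
            "syn_summary": syn_summary(pkts)}


if __name__ == "__main__":
    for k, v in analyze().items():
        print(k, v)
```

To run it on a real capture, pass `open("file.pcap", "rb").read()` to `analyze()`; the reader handles classic libpcap files in either byte order, not the pcapng container Wireshark writes by default.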
Exercise 3: Chatty Employees

Chatty Employees
File
—03-chat.pcap
Question
—Q1: What protocol is being used? _______
—Q2: This is a conversation between [email protected] and [email protected]
—Q3: What do they say about you (the sysadmin)?
Tip
—Your chat log can be monitored by the network admin.

Exercise 4: Suspicious FTP activity

Suspicious FTP activity
File
—04-ftp1.pcap
Question
—Q1: FTP server’s IP address is ___.___.___.___.
—Q2: FTP client’s IP address is ___.___.___.___.
—Q3: FTP error code 530 means __________.
—Q4: 10.234.125.254 is attempting to ________.
Tip
—How many login errors are allowed within a minute?

Exercise 5: Unidentified Traffic

Unidentified Traffic
File
—05-Foobar.pcap
Question
—Q1: Which application uses TCP/6346?
—Q2: How many servers was 10.1.4.176 trying to connect to?
—Q3: Which machines could 10.1.4.176 successfully connect to (at least at the TCP/IP level)?

Tips: HTTPS handshake
Client -> Server: ClientHello
Server -> Client: ServerHello, Certificate, ServerHelloDone
Client -> Server: ClientKeyExchange, ChangeCipherSpec, Finished
Server -> Client: ChangeCipherSpec, Finished
Client <-> Server: Application Data (encrypted)

Exercise 6: Comparing traffic

Comparing traffic
Scenario
—You’re an IT admin of company X. You get a report that Jim (a new employee) cannot browse or email with his laptop. After researching, you found that Risa, sitting next to Jim, can browse without any problem.
File
—06-Risa.pcap
—06-Jim.pcap
Question
—Compare the capture files from both machines and find out why Jim’s machine is not online.
—Jim must _____________________________
Tip
—Pay attention to the first ARP packet.

Tips: About ARP (Address Resolution Protocol)
Hosts on the Ethernet segment:
IP: 192.168.0.2, MAC: 8C-70-5A-53-21-0C
IP: 192.168.0.3, MAC: 00-1B-63-74-4C-2C
IP: 192.168.0.4, MAC: 00-1A-44-23-12-B5
IP: 192.168.0.5, MAC: 00-17-AB-BE-28-1D
1. 192.168.0.2: “I would like to communicate with 192.168.0.5. Where is 192.168.0.5? So I send an ARP packet.”
192.168.0.3 and 192.168.0.4: “I’m not 192.168.0.5. I discard this ARP packet.”
2. 192.168.0.5: “I’m 192.168.0.5. I have to respond to this ARP packet. I send my MAC address (00-17-AB-BE-28-1D).”
To communicate across the LAN with the connected computers, IP packets need the MAC address information that is carried in the L2 header at the lower layer.
The Address Resolution Protocol (ARP) is a telecommunication protocol used to resolve Internet layer addresses into link layer addresses, a critical function in multiple-access networks.
ARP is used for mapping a network address (IPv4 address) to a physical address such as an Ethernet address (MAC address).

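The ARP walkthrough above, together with the questions of exercise 9 (which packet type was malicious, what attack it was, what countermeasures help), comes down to one property an ARP cache needs: a single MAC per IP, learned from replies that some host actually requested. The Python below is an added example, not code from the slides or from the 07-arp.pcap exercise: it constructs the request/reply pair of the diagram from the slide's own IP and MAC values, adds one constructed rogue reply in which the 192.168.0.4 host claims the address of 192.168.0.5, and audits the frames for unsolicited replies, IP-to-MAC conflicts, and an ARP sender MAC that differs from the Ethernet source MAC.

```python
"""Added example: parse Ethernet/ARP frames and audit the IP-to-MAC mappings
they carry. Frames are constructed here from the MAC/IP values on the ARP
slide plus one made-up rogue reply; nothing is taken from 07-arp.pcap."""
import struct

ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split("-"))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def fmt_mac(b):
    return "-".join(f"{x:02X}" for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_src=None):
    """Ethernet II frame (ethertype 0x0806) carrying an ARP packet for IPv4 over
    Ethernet. eth_src lets the caller make the L2 source differ from the ARP
    sender field, which is something an audit should notice."""
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else mac_bytes(target_mac)
    eth = eth_dst + mac_bytes(eth_src or sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # hw type, proto type, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    op, = struct.unpack("!H", frame[20:22])
    return {"op": op, "eth_src": fmt_mac(frame[6:12]),
            "sender_mac": fmt_mac(frame[22:28]), "sender_ip": ".".join(map(str, frame[28:32])),
            "target_mac": fmt_mac(frame[32:38]), "target_ip": ".".join(map(str, frame[38:42]))}


def audit_arp(frames):
    """Learn IP->MAC from ARP traffic (first mapping wins) and report:
    unsolicited-reply : a reply no host had asked for
    ip-mac-conflict   : an IP claimed by a second MAC
    header-mismatch   : ARP sender MAC differs from the Ethernet source MAC"""
    table, pending, findings = {}, set(), []
    for frame in frames:
        a = parse_arp(frame)
        if a is None:
            continue
        if a["sender_mac"] != a["eth_src"]:
            findings.append(("header-mismatch", a["sender_ip"], a["eth_src"], a["sender_mac"]))
        if a["op"] == ARP_REQUEST:
            pending.add((a["sender_ip"], a["target_ip"]))   # who asked for what
        elif a["op"] == ARP_REPLY:
            key = (a["target_ip"], a["sender_ip"])
            if key in pending:
                pending.discard(key)
            else:
                findings.append(("unsolicited-reply", a["sender_ip"], a["sender_mac"]))
        known = table.setdefault(a["sender_ip"], a["sender_mac"])
        if known != a["sender_mac"]:
            findings.append(("ip-mac-conflict", a["sender_ip"], known, a["sender_mac"]))
    return table, findings


# Constructed frames: the request/reply from the slide, then a rogue reply in which
# the 192.168.0.4 host (00-1A-44-23-12-B5) claims 192.168.0.5 towards 192.168.0.2.
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, "8C-70-5A-53-21-0C", "192.168.0.2",
              "00-00-00-00-00-00", "192.168.0.5"),
    build_arp(ARP_REPLY, "00-17-AB-BE-28-1D", "192.168.0.5",
              "8C-70-5A-53-21-0C", "192.168.0.2"),
    build_arp(ARP_REPLY, "00-1A-44-23-12-B5", "192.168.0.5",
              "8C-70-5A-53-21-0C", "192.168.0.2"),
]

if __name__ == "__main__":
    table, findings = audit_arp(SAMPLE_FRAMES)
    print(table)
    for f in findings:
        print(*f)
```

The rogue frame is reported twice, once as an unsolicited reply and once as a conflict with the mapping already learned for 192.168.0.5; on a switch with static ARP entries or dynamic ARP inspection the same two checks are what the infrastructure enforces.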
Exercise 7: What’s going on

What’s going on
Scenario
—When you access http://yourhost/cgi-bin/log_backup.cgi you can back up your server’s access log.
—You’re checking pcap data and you find suspicious activity…
File
—whats_going_on.pcap
Question
—What did the attacker do on the victim PC?
________________________________________________
—What is this attack vector known as?
________________________________________________
Tip
—Please ask Google.

Exercise 8: Web Application Framework Vulnerability

Questions
Scenario
—One day, you discovered a suspicious access log on your application server. It looks like some attack activity against your web application.
File
—1x-WebApp_exploit.pcap
Question
—Q1: Victim’s IP address is ___________.
—Q2: Attacker’s IP address is ___________.
—Q3: Which software seemed to be the target of this exploit?
—Q4: What kind of malicious activity was executed after the exploit?

Part 2: Advanced

Exercise 9: Behind the scenes…

Behind the scenes…
File
—07-arp.pcap
Question
—Q1: What is the attacker’s IP address and MAC address?
—Q2: What is the direct victim’s IP address and MAC address?
—Q3: What is the victim’s role in this network?
—Q4: What type of packet was malicious in this attack?
—Q5: What type of attack was happening?
—Q6: Was this attack successful or not?
—Q7: What kind of countermeasures may be useful for this attack?
Exercise 10: Someone is already in…

Someone is already in…
Scenario
—Alice is a web master. The other day, she browsed several web sites using the same PC she uses for document uploading. Unfortunately one of the sites she visited was defaced, and her PC was infected with malware, but she was unaware of the infection.
File
—08-gumblar1.pcap
Question
—Q1: What is the malicious server’s IP address?
—Q2: What kind of malicious activity did this malware perform?

Tips: About Gumblar
Attacking the web browser or its add-ons:
1. Inject malicious JavaScript into web contents
2. Redirect to the attack site in the background
3. Attack vulnerabilities
4. Information theft

Exercise 11: Something is stolen…

Something is stolen…
Scenario
—Alice cleaned up her PC from the infection. But unfortunately, her PC was re-infected by a different malware. This malware seems to be sending some information.
File
—09-gumblar2.pcap
Question
—Q1: Malicious server’s IP address is ___.___.___.___
—Q2: Data sent by the malware includes:
(1)____, (2)____, (3)____, (4)_____

Exercise 12: Aurora

Aurora
Scenario
—One day, you discovered suspicious activity in your network. It looks like someone was infected by a web-based attack.
File
—10-aurora.pcap
Question
—Q1: Which site and which page was defaced?
—Q2: Which URL looks malicious?
—Q3: Which software seemed to be the target of this exploit?

Exercise 13: SSL Storm?

SSL storm?
Scenario
—One day you discovered that one client in your network has sent many packets outbound from your network via 443/tcp.
File
—11-massive443.pcap
Question
—Q1: How many sites did this client send packets to?
—Q2: Which TCP port, other than 443/tcp, did this client send packets to?
—Q3: Which protocol seemed to be used for the session via the port in Q2?
—Q4: Are there any differences between the packets sent via 443/tcp in this pcap and normal SSL?
Please compare to 11-normalssl.pcap
Please ignore the SSL version difference.

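For Q4 of exercise 13 and the HTTPS handshake tip earlier: normal SSL/TLS on 443/tcp starts with a handshake record carrying a ClientHello, so the first bytes a client sends in each session can be checked against that layout, and anything else on 443 deserves a closer look. The script below is an added example, not code from the slides or from the 11-massive443.pcap / 11-normalssl.pcap files: it parses the record and handshake headers of a ClientHello (content type 0x16, major version 3, handshake type 0x01) and classifies a 443/tcp payload as tls, plaintext or unknown. All three sample payloads are constructed here; the ClientHello uses record version 3.1 with client version 3.3, as many clients do, which is the kind of version difference the slide says to ignore.

```python
"""Added example: recognise a TLS/SSL ClientHello at the start of a 443/tcp
session and classify payloads that do not look like one. Sample payloads are
constructed here; nothing comes from 11-massive443.pcap or 11-normalssl.pcap."""
import struct

TLS_HANDSHAKE = 0x16   # record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type


def parse_client_hello(payload):
    """Return record/client versions and cipher suites of a ClientHello, or None.
    Layout: record header (type, major, minor, length16), handshake header
    (type, length24), then client_version, random[32], session_id, cipher_suites."""
    if len(payload) < 9 or payload[0] != TLS_HANDSHAKE:
        return None
    rec_major, rec_minor = payload[1], payload[2]
    rec_len, = struct.unpack("!H", payload[3:5])
    if rec_major != 3 or rec_len != len(payload) - 5:   # SSL 3.0 and every TLS 1.x use major 3
        return None
    hs_len = int.from_bytes(payload[6:9], "big")
    if payload[5] != CLIENT_HELLO or hs_len != rec_len - 4:
        return None
    body = payload[9:]
    if len(body) < 37:
        return None
    sid_len = body[34]
    pos = 35 + sid_len
    if pos + 2 > len(body):
        return None
    cs_len, = struct.unpack("!H", body[pos:pos + 2])
    if cs_len % 2 or pos + 2 + cs_len > len(body):
        return None
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos + 2, pos + 2 + cs_len, 2)]
    return {"record_version": (rec_major, rec_minor),
            "client_version": (body[0], body[1]),
            "cipher_suites": suites}


def build_client_hello(ciphers=(0x002F, 0xC02F), client_version=(3, 3), record_version=(3, 1)):
    """Minimal ClientHello (no extensions) for the sample set."""
    body = bytes(client_version) + b"\x00" * 32 + b"\x00"          # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                             # one compression method: null
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, *record_version]) + struct.pack("!H", len(hs)) + hs


def classify_443_payload(payload):
    """'tls' when the first bytes parse as a ClientHello, 'plaintext' when they are
    printable (for example an HTTP request on 443), otherwise 'unknown'."""
    if parse_client_hello(payload) is not None:
        return "tls"
    head = payload[:8]
    if head and all(32 <= b < 127 for b in head):
        return "plaintext"
    return "unknown"


# Constructed payloads: a normal ClientHello, plain HTTP on 443, and an opaque custom protocol.
SAMPLES = {
    "normal-ssl": build_client_hello(),
    "http-on-443": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "custom-binary": b"\xde\xad\xbe\xef\x00\x01\x02\x03\x04",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify_443_payload(data), parse_client_hello(data))
```

In Wireshark the same check is the difference between a 443/tcp stream that dissects as SSL/TLS with a Client Hello and one that does not; feeding `classify_443_payload()` the first client payload of each stream (after Follow TCP Stream or a tshark export) gives the Q4 comparison over a whole capture.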
Exercise 14: Zero and Infinite

Zero and Infinite (1)
Scenario
—One day a user complains to you that he couldn’t connect to the organization’s web server. Soon after, you confirmed the situation: the web server couldn’t reply to any requests. You need to identify and solve the problem before you get a flood of complaints.
File
—12-zerowindow.pcap

Zero and Infinite (2)
Question
—Apply the following display filter (just a filtering test!!):
Conversation between 10.0.0.12:14856 and 10.0.0.101:80
—Q1: What does TCP ZeroWindow mean?
—Q2: How many TCP ZeroWindow packets were used in this attack?
—Q3: What is the maximum speed (bps) in this attack? Is it relatively high or low?
—Q4: Why is 10.0.0.101 sending several Keep-Alive packets after receiving the TCP ZeroWindow announcement?
—Q5: How many sessions are finished or terminated during this attack?
—Q6: Why couldn’t the client get a reply from the server during this attack?
—Q7: What type (or class) of attack has occurred?

Exercise 15: Don’t ask me

Don’t ask me
File
—13-dns.pcap
Question
—Q1: How big is the DNS reply packet?
—Q2: Which machines are the victims?
—Q3: What is the role of the DNS servers in this attack?
—Q4: What type of packet triggered the problem?
—Q5: What type of attack was happening here?
—Q6: What kind of countermeasures may be effective for this attack?

Bonus Exercise

Bonus Exercise
File
—20-gumblar-all.pcap
Question
—Analyze the pcap file and reconstruct the incident
What kinds of sites are related to this incident?
Identify the role of each site
Reconstruct the attack scenario (provide a network diagram)
Tips
—Please use the knowledge you used for Exercise 8 & 9 again.