Day 17 — “I Tawt I Taw A C2 Tat!”
The learning objectives for day 17 were:
• Gain knowledge of the network traffic data format
• Understand the differences between full packet captures and network flows
• Learn how to process network flow data
• Discover the SiLK tool suite
• Gain hands-on experience in network flow analysis with SiLK
In this task we had to find the attacker's IP address by analysing the network traffic with the SiLK tool suite. While analysing the data we noticed a high volume of traffic on port 53. Using the stats we worked out where most of that traffic came from: after filtering for everything using port 53, we found that 99% of it came from just 2 IPs. We then saw that there were over 10 DNS requests in under a second. On further investigation we found that the IP was sending a series of SYN packets but never replied with an ACK when a SYN-ACK was sent back. So we concluded this was a DoS attack.
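To make the three observations above concrete, here is an added example (not from the original post, and not SiLK code) that runs the same checks over a small, constructed set of flow records in the pipe-delimited layout that rwcut prints: per-source share of port-53 traffic (what `rwfilter --dport=53 --pass=stdout | rwstats --fields=sip --count=5` reports), sources sending more than 10 DNS queries inside any one-second window, and the fraction of a source's TCP flows that carried a SYN but never an ACK (what an rwfilter `--flags-initial=S/SA` selection isolates). The sample addresses, timestamps and thresholds are all assumptions made up for the illustration.

```python
"""Flow-analysis checks from the writeup, re-implemented over constructed records.

This is an illustration of the logic behind the SiLK queries, not SiLK itself.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Flow:
    sip: str
    dip: str
    sport: int
    dport: int
    proto: int      # 6 = TCP, 17 = UDP
    packets: int
    flags: str      # TCP flag letters as rwcut prints them, e.g. "S", "SAPF"
    stime: datetime


def build_sample():
    """Constructed rwcut-style records (sIP|dIP|sPort|dPort|pro|packets|flags|sTime).

    Not real capture data: two noisy DNS sources, one benign resolver client,
    one host sending bare SYNs and one host that completes its handshake.
    """
    lines = []
    for host, base in (("10.0.0.5", 51000), ("10.0.0.6", 40000)):
        for i in range(12):                      # 12 queries inside 0.7 s
            lines.append(f"{host}|192.168.1.10|{base + i}|53|17|1||2021/12/17T10:00:00.{i * 60:03d}")
    for i in range(3):                           # benign: one query every second
        lines.append(f"10.0.0.7|192.168.1.10|{51500 + i}|53|17|1||2021/12/17T10:00:0{i + 2}.000")
    for i in range(5):                           # SYN sent, handshake never completed
        lines.append(f"10.0.0.5|192.168.1.10|{52000 + i}|80|6|1|S|2021/12/17T10:00:01.{i * 10:03d}")
    lines.append("10.0.0.8|192.168.1.10|52100|80|6|6|SAPF|2021/12/17T10:00:01.500")
    return lines


def parse(lines):
    """Turn rwcut-style pipe-delimited lines into Flow objects."""
    flows = []
    for line in lines:
        sip, dip, sport, dport, proto, packets, flags, stime = line.split("|")
        flows.append(Flow(sip, dip, int(sport), int(dport), int(proto), int(packets),
                          flags, datetime.strptime(stime, "%Y/%m/%dT%H:%M:%S.%f")))
    return flows


def top_talkers(flows, dport=53):
    """Share of flows to `dport` per source IP, largest first (rwstats --fields=sip)."""
    counts = Counter(f.sip for f in flows if f.dport == dport)
    total = sum(counts.values())
    return {sip: n / total for sip, n in counts.most_common()}


def dns_bursts(flows, max_per_second=10):
    """Sources with more than `max_per_second` DNS queries in any 1-second window."""
    times = defaultdict(list)
    for f in flows:
        if f.proto == 17 and f.dport == 53:
            times[f.sip].append(f.stime)
    bursts = {}
    for sip, ts in times.items():
        ts.sort()
        j, best = 0, 0
        for i, t in enumerate(ts):               # sliding window over sorted start times
            while (t - ts[j]).total_seconds() >= 1.0:
                j += 1
            best = max(best, i - j + 1)
        if best > max_per_second:
            bursts[sip] = best
    return bursts


def half_open_ratio(flows):
    """Per source: fraction of its TCP flows that carried SYN but never ACK.

    In unidirectional flow records the server's SYN-ACK lives in a separate
    record, so a client-side flow with flags "S" alone means the client never
    acknowledged it: the half-open pattern the writeup describes.
    """
    syn_only, tcp = Counter(), Counter()
    for f in flows:
        if f.proto != 6:
            continue
        tcp[f.sip] += 1
        if "S" in f.flags and "A" not in f.flags:
            syn_only[f.sip] += 1
    return {sip: syn_only[sip] / n for sip, n in tcp.items()}


if __name__ == "__main__":
    flows = parse(build_sample())
    print("port-53 share:", top_talkers(flows))
    print("DNS bursts   :", dns_bursts(flows))
    print("SYN-only     :", half_open_ratio(flows))
```

On the constructed sample the two noisy hosts account for 24 of 27 port-53 flows, both exceed the 10-queries-per-second threshold, and 10.0.0.5 is the only source whose TCP flows are all SYN-only; 10.0.0.7 and 10.0.0.8 look like ordinary clients under every check.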
Click here to see the walkthrough.