SCP Exam SC0-502 Topic 1 Question 5 Discussion

You are well along your way to getting the MegaCorp security up to what you consider an acceptable level. You feel the security is now solid enough that you can go ahead and some new tests and perform analysis on the network. You plug in your laptop and fire up Snort to see the traffic coming into the network. You plug in on the outside of the router, to see the unfiltered traffic that the network must deal with. In full promiscuous mode, you collect data for an hour, to filter through it later. Since you captured quite a bit of data, you filter out a few specific lines to analyze. 10\27-23:48:42.126886 0:D0:9:7E:E5:E9 -> 0:D0:9:7F:C:9B type:0x800 len:0x3C

10.0.10.237 -> 10.0.10.234 ICMP TTL:128 TOS:0x0 ID:1185 IpLen:20 DgmLen:36 Type:8 Code:0 ID:3 Seq:289

ECHO =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= + 10\27-

23:48:42.137906 0:D0:9:7E:E5:E9 -> 0:2:B3:2D:1:4A type:0x800 len:0x3C

10.0.10.237 -> 10.0.10.235 ICMP TTL:128 TOS:0x0 ID:1186 IpLen:20 DgmLen:36 Type:8 Code:0 ID:3 Seq:290

ECHO =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= + 10\27-

23:48:42.148642 0:D0:9:7E:E5:E9 -> 0:D0:9:7E:F9:DB type:0x800 len:0x3C 10.0.10.237 -> 10.0.10.236 ICMP

TTL:128 TOS:0x0 ID:1187 IpLen:20 DgmLen:36 Type:8 Code:0 ID:3 Seq:291 ECHO

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= + 10\27-

23:48:42.167031 0:D0:9:7E:E5:E9 -> 0:D0:9:68:87:2C type:0x800 len:0x3C

10.0.10.237 -> 10.0.10.238 ICMP TTL:128 TOS:0x0 ID:1190 IpLen:20 DgmLen:36 Type:8 Code:0 ID:3 Seq:292

ECHO =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= + 10\27-

23:48:42.177247 0:D0:9:7E:E5:E9 -> 0:D0:9:69:48:E3 type:0x800 len:0x3C

10.0.10.237 -> 10.0.10.239 ICMP TTL:128 TOS:0x0 ID:1191 IpLen:20 DgmLen:36 Type:8 Code:0 ID:3 Seq:293

ECHO =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= + 10\28-

19:09:07.387953 0:D0:9:7E:F9:DB -> 0:2:B3:2D:1:4A type:0x800 len:0x3C 10.0.10.236:57228 -> 10.0.10.235:1

TCP TTL:44 TOS:0x0 ID:24652 IpLen:20 DgmLen:40 ******** Seq: 0x0 Ack: 0x0 Win: 0x400 TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= + 10\28-

19:09:07.320917 0:D0:9:7E:F9:DB -> 0:2:B3:2D:1:4A type:0x800 len:0x3C 10.0.10.236:57228 -> 10.0.10.235:2

TCP TTL:44 TOS:0x0 ID:52330 IpLen:20 DgmLen:40 ******** Seq: 0x0 Ack: 0x0 Win: 0x400 TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= + 10\28-

19:09:07.377933 0:D0:9:7E:F9:DB -> 0:2:B3:2D:1:4A type:0x800 len:0x3C 10.0.10.236:57228 -> 10.0.10.235:3

TCP TTL:44 TOS:0x0 ID:10807 IpLen:20 DgmLen:40 ******** Seq: 0x0 Ack: 0x0 Win: 0x400 TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= + 10\28-

19:09:07.328200 0:D0:9:7E:F9:DB -> 0:2:B3:2D:1:4A type:0x800 len:0x3C 10.0.10.236:57228 -> 10.0.10.235:4

TCP TTL:44 TOS:0x0 ID:40192 IpLen:20 DgmLen:40 ******** Seq: 0x0 Ack: 0x0 Win: 0x400 TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= + 10\28-

19:09:07.363859 0:D0:9:7E:F9:DB -> 0:2:B3:2D:1:4A type:0x800 len:0x3C 10.0.10.236:57228 -> 10.0.10.235:5

TCP TTL:44 TOS:0x0 ID:20497 IpLen:20 DgmLen:40 ******** Seq: 0x0 Ack: 0x0 Win: 0x400 TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= + 10\28-

19:09:07.391163 0:D0:9:7E:F9:DB -> 0:2:B3:2D:1:4A type:0x800 len:0x3C 10.0.10.236:57228 -> 10.0.10.235:6

TCP TTL:44 TOS:0x0 ID:30756 IpLen:20 DgmLen:40 ******** Seq: 0x0 Ack: 0x0 Win: 0x400 TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= + 10\28-

19:09:07.300794 0:D0:9:7E:F9:DB -> 0:2:B3:2D:1:4A type:0x800 len:0x3C 10.0.10.236:57228 -> 10.0.10.235:7

TCP TTL:44 TOS:0x0 ID:3946 IpLen:20 DgmLen:40 ******** Seq: 0x0 Ack: 0x0 Win: 0x400 TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= + 10\28-

01:52:16.979681 0:D0:9:7E:E5:E9 -> 0:D0:9:7F:C:9B type:0x800 len:0x3E 10.0.10.237:1674 ->

10.0.10.234:31337 TCP TTL:128 TOS:0x0 ID:5277 IpLen:20 DgmLen:48 ******S* Seq: 0x3F2FE2CC Ack: 0x0

Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= + 10\28-

01:52:16.999652 0:D0:9:7E:E5:E9 -> 0:2:B3:2D:1:4A type:0x800 len:0x3E 10.0.10.237:1675 ->

10.0.10.235:31337 TCP TTL:128 TOS:0x0 ID:5278 IpLen:20 DgmLen:48 ******S* Seq: 0x3F30DB1F Ack: 0x0

Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= + 10\28-

01:52:17.019680 0:D0:9:7E:E5:E9 -> 0:D0:9:7E:F9:DB type:0x800 len:0x3E 10.0.10.237:1676 ->

10.0.10.236:31337 TCP TTL:128 TOS:0x0 ID:5279 IpLen:20 DgmLen:48 ******S* Seq: 0x3F3183AE Ack: 0x0

Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= + 10\28-

01:52:17.059669 0:D0:9:7E:E5:E9 -> 0:D0:9:68:87:2C type:0x800 len:0x3E 10.0.10.237:1678 ->

10.0.10.238:31337 TCP TTL:128 TOS:0x0 ID:5282 IpLen:20 DgmLen:48 ******S* Seq: 0x3F332EC2 Ack: 0x0

Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= + 10\28-

01:52:17.079821 0:D0:9:7E:E5:E9 -> 0:D0:9:69:48:E3 type:0x800 len:0x3E 10.0.10.237:1679 ->

10.0.10.239:31337 TCP TTL:128 TOS:0x0 ID:5283 IpLen:20 DgmLen:48 ******S* Seq: 0x3F3436FA Ack: 0x0

Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= + 10\28-

01:45:18.733562 0:D0:9:7E:E5:E9 -> 0:D0:9:7F:C:9B type:0x800 len:0x3E 10.0.10.237:1646 ->

10.0.10.234:12345 TCP TTL:128 TOS:0x0 ID:4974 IpLen:20 DgmLen:48 ******S* Seq: 0x38E326F7 Ack: 0x0

Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= + 10\28-

01:45:18.753691 0:D0:9:7E:E5:E9 -> 0:2:B3:2D:1:4A type:0x800 len:0x3E 10.0.10.237:1647 ->

10.0.10.235:12345 TCP TTL:128 TOS:0x0 ID:4975 IpLen:20 DgmLen:48 ******S* Seq: 0x38E3D2D0 Ack: 0x0

Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= + 10\28-

01:45:18.773781 0:D0:9:7E:E5:E9 -> 0:D0:9:7E:F9:DB type:0x800 len:0x3E 10.0.10.237:1648 ->

10.0.10.236:12345 TCP TTL:128 TOS:0x0 ID:4976 IpLen:20 DgmLen:48 ******S* Seq: 0x38E4CF5C Ack: 0x0

Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= + 10\28-

01:45:18.813837 0:D0:9:7E:E5:E9 -> 0:D0:9:68:87:2C type:0x800 len:0x3E 10.0.10.237:1650 ->

10.0.10.238:12345 TCP TTL:128 TOS:0x0 ID:4979 IpLen:20 DgmLen:48 ******S* Seq: 0x38E692B6 Ack: 0x0

Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= + 10\28-

01:45:18.833772 0:D0:9:7E:E5:E9 -> 0:D0:9:69:48:E3 type:0x800 len:0x3E 10.0.10.237:1651 ->

10.0.10.239:12345 TCP TTL:128 TOS:0x0 ID:4980 IpLen:20 DgmLen:48 ******S* Seq: 0x38E7211C Ack: 0x0

Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= + Looking at the types of traffic that are hitting your network, what types of attacks are you dealing with, and what is the best solution for mitigating those attacks?}