Cybersecurity_Portfolio

Greetings! My name is Rafael Santamaría Ortega, I'm an aspiring AI Security Engineer committed to ensuring safe and human-centered AI.


Wireshark log analysis to detect and report a DoS SYN Flood Attack | Network Traffic Analysis, Network Security, Network Protocols, Wireshark, Documentation

In this hands-on activity from the Google Cybersecurity Certificate, I simulated being a security analyst at a fictional travel agency that advertises sales and promotions on the company’s website, tasked with investigating a network attack using a Wireshark log and filling out an incident report. The scenario was described like this:

You work as a security analyst for a travel agency that advertises sales and promotions on the company’s website. The employees of the company regularly access the company’s sales webpage to search for vacation packages their customers might like.

One afternoon, you receive an automated alert from your monitoring system indicating a problem with the web server. You attempt to visit the company’s website, but you receive a connection timeout error message in your browser.

You use a packet sniffer to capture data packets in transit to and from the web server. You notice a large number of TCP SYN requests coming from an unfamiliar IP address. The web server appears to be overwhelmed by the volume of incoming traffic and is losing its ability to respond to the abnormally large number of SYN requests. You suspect the server is under attack by a malicious actor.

You take the server offline temporarily so that the machine can recover and return to a normal operating status. You also configure the company’s firewall to block the IP address that was sending the abnormal number of SYN requests. You know that your IP blocking solution won’t last long, as an attacker can spoof other IP addresses to get around this block. You need to alert your manager about this problem quickly and discuss the next steps to stop this attacker and prevent this problem from happening again. You will need to be prepared to tell your boss about the type of attack you discovered and how it was affecting the web server and employees.

The log in question showed the following:

No.     Time           Source           Destination      Protocol Info
52      3.390692       203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0..
53      3.441926       192.0.2.1        203.0.113.0      TCP      443->54770 [SYN, ACK] Seq=0 Win-5792 Len=120...
54      3.493160       203.0.113.0      192.0.2.1        TCP      54770->443 [ACK Seq=1 Win=5792 Len=0...
55      3.544394       198.51.100.14    192.0.2.1        TCP      14785->443 [SYN] Seq=0 Win-5792 Len=120...
56      3.599628       192.0.2.1        198.51.100.14    TCP      443->14785 [SYN, ACK] Seq=0 Win-5792 Len=120...
57      3.664863       203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
58      3.730097       198.51.100.14    192.0.2.1        TCP      14785->443 [ACK] Seq=1 Win-5792 Len=120...
59      3.795332       203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win-5792 Len=120...
60      3.860567       198.51.100.14    192.0.2.1        HTTP     GET /sales.html HTTP/1.1
61      3.939499       203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win-5792 Len=120...
62      4.018431       192.0.2.1        198.51.100.14    HTTP     HTTP/1.1 200 OK (text/html)
63      4.097363       198.51.100.5     192.0.2.1        TCP      33638->443 [SYN] Seq=0 Win-5792 Len=120...
64      4.176295       192.0.2.1        203.0.113.0      TCP      443->54770 [SYN, ACK] Seq=0 Win-5792 Len=120...
65      4.255227       192.0.2.1        198.51.100.5     TCP      443->33638 [SYN, ACK] Seq=0 Win-5792 Len=120...
66      4.256159       203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
67      5.235091       198.51.100.5     192.0.2.1        TCP      33638->443 [ACK] Seq=1 Win-5792 Len=120...
68      5.236023       203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
69      5.236955       198.51.100.16    192.0.2.1        TCP      32641->443 [SYN] Seq=0 Win-5792 Len=120...
70      5.237887       203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
71      6.228728       198.51.100.5     192.0.2.1        HTTP     GET /sales.html HTTP/1.1
72      6.229638       203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
73      6.230548       192.0.2.1        198.51.100.16    TCP      443->32641 [RST, ACK] Seq=0 Win-5792 Len=120...
74      6.330539       203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
75      6.330885       198.51.100.7     192.0.2.1        TCP      42584->443 [SYN] Seq=0 Win=5792 Len=0...
76      6.331231       203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
77      7.330577       192.0.2.1        198.51.100.5     TCP      HTTP/1.1 504 Gateway Time-out (text/html)
78      7.331323       203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
79      7.340768       198.51.100.22    192.0.2.1        TCP      6345->443 [SYN] Seq=0 Win=5792 Len=0...
80      7.340773       192.0.2.1        198.51.100.7     TCP      443->42584 [RST, ACK] Seq=1 Win-5792 Len=120...
81      7.340778       203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
82      7.340783       203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
83      7.439658       192.0.2.1        203.0.113.0      TCP      443->54770 [RST, ACK] Seq=1 Win=5792 Len=0...
119     19.198705      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
120     19.521718      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
121     19.844731      192.0.2.1        198.51.100.9     TCP      443->4631 [RST, ACK] Seq=1 Win=5792 Len=0...
122     20.167744      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
123     20.490757      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
124     20.81377       192.0.2.1        203.0.113.0      TCP      443->54770 [RST, ACK] Seq=1 Win=5792 Len=0...
125     21.136783      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
126     21.459796      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
127     21.782809      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
128     22.105822      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
129     22.428835      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
130     22.751848      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
131     23.074861      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
132     23.397874      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
133     23.720887      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
134     24.0439        203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
135     24.366913      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
136     24.689926      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
137     25.012939      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
138     25.335952      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
139     25.658965      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
140     25.981978      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
141     26.304991      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
142     26.628004      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
143     26.951017      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
144     27.27403       203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
145     27.597043      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
146     27.920056      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
147     28.243069      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
148     28.566082      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
149     28.889095      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
150     29.212108      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
151     29.535121      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...
152     29.858134      203.0.113.0      192.0.2.1        TCP      54770->443 [SYN] Seq=0 Win=5792 Len=0...

This is the report in question:

Cybersecurity Incident Report

Section 1: Identify the type of attack that may have caused this network interruption

One potential explanation for the website’s connection timeout error message is that the web server is overwhelmed and thus unable to respond to user requests. Indeed, the log shows an increasing number of SYN packets from the same unrecognized IP address (203.0.113.0), simulating legitimate TCP activity, interleaved with the requests of recognized employee IP addresses (198.51.100.0/24). This gradually overwhelmed the web server with SYN requests, leaving it unable to acknowledge and complete any request. This abnormal event is very likely a DoS SYN flood attack and requires immediate action to mitigate damage.

Section 2: Explain how the attack is causing the website to malfunction

When website visitors try to establish a connection with the web server, a three-way handshake occurs using the TCP protocol. The handshake has three steps:

1. The user sends a [SYN] (synchronize) packet to request a connection to the webpage hosted on the company web server.
2. The web server answers with a [SYN, ACK] (synchronize, acknowledge) packet accepting the connection, and reserves resources for it until the final part of the “handshake”.
3. The user’s device acknowledges the connection with an [ACK] (acknowledge) packet, thus establishing the connection and gaining access to the web server.

When a malicious actor sends a large number of SYN packets all at once and the server cannot process that volume of packets, it becomes overwhelmed and thus unable to complete any request. That is why employees are receiving the error message HTTP/1.1 504 Gateway Time-out (text/html), which at the TCP level shows up as the server answering with [RST, ACK] packets, asking the user to reset the connection, instead of acknowledging it.

The log indicates an increasing and abnormal amount of SYN packets sent by an unrecognized IP (203.0.113.0), alongside the SYN packet requests from employee addresses (198.51.100.0/24). The increasing number of requests gradually taxes the web server’s capacity, at first slowing down the [SYN, ACK] replies and later overwhelming the server outright so that it returns [RST, ACK] packets instead. Eventually, if proper action is not taken, the server will crash and business continuity will not be possible. This is dire, since it would cost the company money, time and possibly reputation.
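To show how the judgement made in Sections 1 and 2 can be automated, here is an added Python example (my own code, not part of the certificate lab) that parses rows in the layout of the Wireshark export above and counts, per source, the SYNs sent to the server, the handshakes completed and the RST/ACKs the server sent back; a source with many SYNs but few completions is the SYN flood signature. The sample rows are a constructed subset of the log above, re-typed in one consistent layout, and the thresholds in syn_flood_suspects are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the rows of the Wireshark export above, re-typed in one
# consistent layout. 192.0.2.1 is the web server, 203.0.113.0 the unfamiliar source.
SAMPLE_LOG = """\
52 3.390692 203.0.113.0 192.0.2.1 TCP 54770->443 [SYN] Seq=0 Win=5792 Len=0
53 3.441926 192.0.2.1 203.0.113.0 TCP 443->54770 [SYN, ACK] Seq=0 Win=5792 Len=0
54 3.493160 203.0.113.0 192.0.2.1 TCP 54770->443 [ACK] Seq=1 Win=5792 Len=0
55 3.544394 198.51.100.14 192.0.2.1 TCP 14785->443 [SYN] Seq=0 Win=5792 Len=0
56 3.599628 192.0.2.1 198.51.100.14 TCP 443->14785 [SYN, ACK] Seq=0 Win=5792 Len=0
57 3.664863 203.0.113.0 192.0.2.1 TCP 54770->443 [SYN] Seq=0 Win=5792 Len=0
58 3.730097 198.51.100.14 192.0.2.1 TCP 14785->443 [ACK] Seq=1 Win=5792 Len=0
59 3.795332 203.0.113.0 192.0.2.1 TCP 54770->443 [SYN] Seq=0 Win=5792 Len=0
60 3.860567 198.51.100.14 192.0.2.1 HTTP GET /sales.html HTTP/1.1
75 6.330885 198.51.100.7 192.0.2.1 TCP 42584->443 [SYN] Seq=0 Win=5792 Len=0
76 6.331231 203.0.113.0 192.0.2.1 TCP 54770->443 [SYN] Seq=0 Win=5792 Len=0
80 7.340773 192.0.2.1 198.51.100.7 TCP 443->42584 [RST, ACK] Seq=1 Win=5792 Len=0
83 7.439658 192.0.2.1 203.0.113.0 TCP 443->54770 [RST, ACK] Seq=1 Win=5792 Len=0
"""

ROW = re.compile(r"^(\d+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+(\w+)\s+(.*)$")  # No. Time Src Dst Proto Info
FLAGS = re.compile(r"\[([A-Z, ]+)\]")  # the bracketed TCP flag list inside Info

def parse_rows(text):
    """Yield (src, dst, proto, flags) per row; flags is the set of TCP flags in brackets."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            f = FLAGS.search(m.group(6))
            flags = frozenset(x.strip() for x in f.group(1).split(",")) if f else frozenset()
            yield m.group(3), m.group(4), m.group(5), flags

def handshake_stats(text, server):
    """Per client IP: SYNs sent to the server, handshakes completed (bare ACK), RST/ACKs received."""
    stats = defaultdict(lambda: {"syn": 0, "completed": 0, "rst": 0})
    for src, dst, proto, flags in parse_rows(text):
        if proto != "TCP":
            continue  # HTTP rows carry no handshake information
        if dst == server and flags == {"SYN"}:
            stats[src]["syn"] += 1
        elif dst == server and flags == {"ACK"}:
            stats[src]["completed"] += 1
        elif src == server and flags == {"RST", "ACK"}:
            stats[dst]["rst"] += 1  # server refusing the connection instead of serving it
    return dict(stats)

def syn_flood_suspects(stats, min_syn=4, max_completion=0.5):
    """Sources with many SYNs and few completed handshakes (thresholds are assumed values)."""
    return sorted(ip for ip, s in stats.items()
                  if s["syn"] >= max(min_syn, 1) and s["completed"] / s["syn"] <= max_completion)
```

The threshold keeps a single employee whose connection was reset (198.51.100.7) off the suspect list, while 203.0.113.0, with four SYNs and one completion, is flagged.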
