EC-Council

212-82 · Question #30

212-82 Question #30: Real Exam Question with Answer & Explanation

The correct answer is B: 20.20.10.19.

Submitted by tarun92 · Mar 6, 2026 · Cloud Security Operations & Incident Response

Question

An attacker with malicious intent used the SYN flooding technique to disrupt the network and gain advantage over the network to bypass the firewall. You are working with a security architect to design security standards and plan for your organization. The network traffic was captured by the SOC team and was provided to you to perform a detailed analysis. Study the Synflood.pcapng file and determine the source IP address. Note: The Synflood.pcapng file is present in the Documents folder of the Attacker-1 machine.

Options

  • A. 20.20.10.180
  • B. 20.20.10.19
  • C. 20.20.10.60
  • D. 20.20.10.59

Explanation

20.20.10.19 is the source IP address of the SYN flooding attack in the above scenario. SYN flooding is a type of denial-of-service (DoS) attack that exploits the TCP (Transmission Control Protocol) three-way handshake process to disrupt the network and gain advantage over the network to bypass the firewall. SYN flooding sends a large number of SYN packets with spoofed source IP addresses to a target server, causing it to allocate resources and wait for the corresponding ACK packets that never arrive. This exhausts the server's resources and prevents it from accepting legitimate requests.

To determine the source IP address of the SYN flooding attack, follow these steps:

  • Navigate to the Documents folder of the Attacker-1 machine.
  • Double-click the Synflood.pcapng file to open it with Wireshark.
  • Click the Statistics menu and select the Conversations option.
  • Click the TCP tab and sort the list by the Bytes column in descending order.
  • Observe the IP address that has sent the most bytes to 20.20.10.26 (the target server).

The IP address that has sent the most bytes to 20.20.10.26 is 20.20.10.19, which is the source IP address of the SYN flooding attack.
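The Conversations ranking described above, as an added example that is not part of the original page: it parses raw IPv4/TCP headers, totals bytes per source toward the target, and goes one step further by counting SYNs sent without ACK, which separates a flood source from a merely busy client. The packets are constructed inline and do not reproduce Synflood.pcapng; `make_packet`, `parse` and `rank_sources` are hypothetical helper names.

```python
import socket
import struct
from collections import Counter

SYN, ACK = 0x02, 0x10  # TCP flag bits

def make_packet(src, dst, sport, dport, flags, payload=b""):
    """Build a constructed IPv4+TCP packet (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def parse(pkt):
    """Return (src, dst, tcp_flags, ip_total_length) or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # IP header length in bytes
    if len(pkt) < ihl + 14:            # need the TCP flags byte at ihl + 13
        return None
    total = struct.unpack("!H", pkt[2:4])[0]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    return src, dst, pkt[ihl + 13], total

def rank_sources(packets, target):
    """Per-source bytes and bare-SYN counts toward target, busiest first."""
    sent, syns = Counter(), Counter()
    for pkt in packets:
        rec = parse(pkt)
        if rec is None or rec[1] != target:
            continue
        src, _, flags, total = rec
        sent[src] += total
        if flags & SYN and not flags & ACK:   # SYN set, ACK clear
            syns[src] += 1
    return [(src, n, syns[src]) for src, n in sent.most_common()]

# Constructed capture: one host sends many bare SYNs, another completes a handshake.
TARGET = "20.20.10.26"
CAPTURE = [make_packet("20.20.10.19", TARGET, 1024 + i, 80, SYN) for i in range(200)]
CAPTURE += [make_packet("20.20.10.60", TARGET, 40000, 80, SYN),
            make_packet(TARGET, "20.20.10.60", 80, 40000, SYN | ACK),
            make_packet("20.20.10.60", TARGET, 40000, 80, ACK),
            make_packet("20.20.10.60", TARGET, 40000, 80, ACK | 0x08, b"GET / HTTP/1.1\r\n\r\n")]

if __name__ == "__main__":
    for src, nbytes, nsyn in rank_sources(CAPTURE, TARGET):
        print(f"{src:15} bytes={nbytes:6} bare_syn={nsyn}")
```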

Topics

#SYN flood · #DoS attack · #packet analysis · #Wireshark · #network forensics · #practical exercise
