312-50V10 · Question #198
The following is part of a log file taken from the machine on the network with the IP address of 192.168.1.106: What type of activity has been logged?
The correct answer is D. Port scan targeting 192.168.1.106. The log file shows sequential connection attempts across multiple ports originating from an external host directed at 192.168.1.106, which is characteristic of a port scan against that machine.
Question
The following is part of a log file taken from the machine on the network with the IP address of 192.168.1.106:
What type of activity has been logged?
Exhibit
Options
- APort scan targeting 192.168.1.103
- BTeardrop attack targeting 192.168.1.106
- CDenial of service attack targeting 192.168.1.103
- DPort scan targeting 192.168.1.106
How the community answered
(36 responses)- A3% (1)
- B8% (3)
- C3% (1)
- D86% (31)
Why each option
The log file shows sequential connection attempts across multiple ports originating from an external host directed at 192.168.1.106, which is characteristic of a port scan against that machine.
A port scan targeting 192.168.1.103 would appear in logs on that machine, not on 192.168.1.106, and 192.168.1.103 would be the destination address.
A Teardrop attack exploits fragmented IP packets to crash a system and would show malformed fragment log entries, not sequential port connection attempts.
A denial of service attack would manifest as a flood of traffic overwhelming the target, not as the methodical port-by-port probe pattern characteristic of a scan.
A port scan is identified in logs by a single source IP making rapid, sequential connection attempts to many different ports on a single destination IP. Since the log was captured on the machine at 192.168.1.106 and shows this pattern of inbound probes, the target of the scan is 192.168.1.106 itself. This distinguishes it from an outbound scan, where 192.168.1.106 would appear as the source.
Concept tested: Port scan identification from network log analysis
Source: https://nmap.org/book/man-port-scanning-basics.html
Topics
Community Discussion
No community discussion yet for this question.
