Task Solution
TYPE OF ATTACK
Full traffic analysis
TCP RST attack:
Extension Length 0<8 (Network Time Protocol):
ACKed Segment that was Not Captured:
This Frame is Suspected Retransmission:
This Acknowledgment Number Field Is Nonzero While the ACK Flag Is Set:
TCP Duplicate Acknowledgment:
SYN flood attack:
SYN+ACK Attack:
TCP FIN Packets Attack:
HTTP Analysis:
HTTP Response Splitting Attack:
Identification of Initial Compromise:
Attribution of The Attack:
Recommendation to the Forensic Investigations Team:
TYPE OF ATTACK
To identify the type of attack, I first open the capture in Wireshark and, from the Analyze menu, open the Expert Information section. It shows that there is a lot of malicious traffic in the provided network capture. The screenshots below show the evidence of the malicious traffic:
From the above figure I found many malicious packets, such as: TCP connection reset attack, extension length 0<8, ACKed segment not captured, this frame is a (suspected) retransmission, the acknowledgment number field is nonzero while the ACK flag is not set, this frame is a (suspected) spurious retransmission, duplicate acknowledgment, this session reuses previously negotiated keys, connection finish (FIN), connection establish request (SYN) and connection establish acknowledge (SYN+ACK).
In the screenshot below, other malicious traffic is visible, such as malicious HTTP GET and POST packets:
From all the above analysis I conclude that the attacker launched two types of attack: the first is a DoS or DDoS attack, and in the second a piece of malware is downloaded by someone in the company. Both attacks are explained in detail below.
Full traffic analysis
In this step I analyze the full traffic to detect anomalies and other points of interest, using the Expert Information section of Wireshark.
TCP RST attack:
This attack is also called a forged TCP reset or TCP reset attack. It is a way to tamper with and terminate internet connectivity by sending a forged TCP reset packet. In this capture the attack starts at packet number 98 and ends at packet number 52414, and consists of 267 packets. The attacker's IP address is 10.2.12.101 and the victim's IP address is 10.2.12.12, as shown in the two screenshots below:
Extension Length 0<8 (Network Time Protocol):
Network Time Protocol operates over UDP. An NTP network normally obtains its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server, and NTP then distributes this time throughout the network. In this captured traffic the NTP extension length is 0<8, so it is malicious NTP traffic. It can be used in distributed denial of service (DDoS) amplification attacks. In this attack the attacker's IP address is 10.2.12.101 and the victim's IP address is 10.2.12.12, as shown in the two screenshots below:
ACKed Segment that was Not Captured:
This means that these packets acknowledge data that was not captured. The data was sent and the receiver acknowledged it; this can happen when the sender transmits data faster than the receiver can process it, i.e., the sender window is not the same as the receiver window. This also led to a DDoS attack; in this attack the attacker's IP address is 10.2.12.101 and the victim's IP address is 10.2.12.12, as shown in the two screenshots below:
This Frame is Suspected Retransmission:
TCP connects network devices to the internet. When an outbound segment is handed down to IP and no acknowledgment for the data arrives before TCP's retransmission timer expires, the segment is retransmitted. This happens all the time and typically does not cause much of a problem: as the retransmission timer counts down, the packets are resent and the network continues to hum along. The diagram below shows normal retransmission of TCP packets.
This attack unpredictably inflates the data usage of a target by deliberately retransmitting packets in the flow even when no original packet was lost. In this attack the attacker first sends a phishing message to the destination user with a URL leading to a suspicious site. When the client clicks the link, the browser is redirected to the suspicious website, which inflates the data usage by bogus packet retransmission. At the topmost (application) layer, the server sends the requested content to the user over an ordinary TCP connection, so the user sees no sign of the attack. Nevertheless, the tampered TCP stack underneath on the server acts as if it did not receive any ACKs from the user, or as if its RTO fired prematurely, and injects retransmitted packets in the background. This attack does not need to compromise the user or any intermediate node. As long as the client is redirected to the suspicious web server (by means of third-party advertisements, phishing emails, or messages), the intruder can inject any number of retransmitted packets without violating TCP semantics. In this captured traffic there are 133 retransmission packets.
The attacker's IP address is 10.2.12.101 and the victim's IP address is 10.2.12.12, as shown in the screenshot below:
This Acknowledgment Number Field Is Nonzero While the ACK Flag Is Set:
This is used to launch a TCP session hijacking attack, which is also a DoS attack. In this attack the attacker sends packets in which the acknowledgment number field is nonzero but the ACK flag is set to 1. In this captured traffic 82 packets contain this type of information. The attacker's IP address is 10.2.12.101 and the victim's IP address is 10.2.12.12, as shown in the screenshot below:
TCP Duplicate Acknowledgment:
A duplicate acknowledgment is used to launch an ACK flood attack, in which the intruder tries to overburden a server with TCP ACK packets. Like other DDoS attacks, the aim of an ACK flood is to deny service to legitimate clients by slowing down or crashing the victim system or server with garbage data. The victim server has to handle each ACK packet it receives, which consumes so much computing power that it is unable to provide services to legitimate clients. There are five duplicate acknowledgment groups, named Duplicate ACK#1, ACK#2, ACK#3, ACK#4 and ACK#5, with packet counts of 33, 31, 15, 13 and 12. In this attack the intruder compromised the victim server; the attacker's IP address is 10.2.12.101 and the victim's IP address is 10.2.12.12, as shown in the screenshot below:
SYN flood attack:
A SYN flood occurs when a host becomes so overwhelmed by SYN segments initiating incomplete connection requests that it can no longer process legitimate connection requests. It is a type of DoS attack. This attack is launched on various ports of the server. The first port is 389, with 25 packets having the SYN flag set to 1. The attacker's IP address is 10.2.12.101 and the victim's IP address is 10.2.12.12, as shown in the screenshot below:
The screenshot below shows server port 445, with 13 packets having the SYN flag set to 1. The attacker's IP address is 10.2.12.101 and the victim's IP address is 10.2.12.12:
The screenshot below shows server port 135, with 15 packets having the SYN flag set to 1. The attacker's IP address is 10.2.12.101 and the victim's IP address is 10.2.12.12:
The screenshot below shows server port 80, with 52 packets having the SYN flag set to 1. The attacker's IP address is 10.2.12.101 and the victim's IP address is 72.21.91.29:
The screenshot below shows server port 25, with 20 packets having the SYN flag set to 1. The attacker's IP address is 10.2.12.101 and the victim's IP address is 64.233.180.28:
In the above screenshots I notice that all the malicious packets are generated by a single attacker against three different victims on the various ports discussed above.
SYN+ACK Attack:
In this type of attack, the attacker uses a seldom-seen reflection vector called TCP SYN+ACK reflection. The attacker spoofs the source IP address of the SYN packets. This spoofing causes the server to send SYN+ACK packets to the victim IP, which the server believes requested the session initialization. In this network capture the attacker launches TCP SYN+ACK attacks on five different ports of the server (389, 445, 135, 49671, and 88). There are 89 packets with the SYN+ACK flags set to 1. The attacker's IP address is 10.2.12.101 and the victim's IP address is 10.2.12.12, as shown in the screenshot below:
TCP FIN Packets Attack:
After a successful three-way TCP handshake, FIN packets are exchanged to close the TCP session between a host and a client machine. In a FIN flood attack, a target server receives a large number of spoofed FIN packets that do not belong to any session on the target server.
The attack tries to exhaust the server's resources (RAM, CPU, etc.) as the server tries to process these invalid requests. The result is a server unable to process legitimate requests because its resources are exhausted.
The attacker's IP address is 10.2.12.101 and the victim's IP address is 10.2.12.12; there are 949 packets with the FIN flag set to 1, as shown in the screenshot below:
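The TCP RST, SYN flood, SYN+ACK and FIN findings above all come down to counting flag combinations per source, destination and port and checking whether handshakes ever complete. The following added example (not part of the original report) does that over constructed packet records, with the attacker, victim and client addresses taken from the report and the SYN counts on ports 389 and 445 mirroring the reported figures; the third-party client address 10.2.12.50 and the port numbers of the RST and FIN rows are assumptions.

```python
from collections import defaultdict

ATTACKER, VICTIM, CLIENT = "10.2.12.101", "10.2.12.12", "10.2.12.50"
def _half_open(n, client, server, port, base=40000):
    # n SYNs from fresh client ports, each answered with SYN+ACK but never ACKed
    return [row for i in range(n) for row in
            ((client, base + i, server, port, "S"), (server, port, client, base + i, "SA"))]

# Constructed records (src, sport, dst, dport, TCP flags) standing in for a Wireshark
# export; the SYN counts on ports 389 and 445 mirror the figures reported above.
PACKETS = (
    _half_open(25, ATTACKER, VICTIM, 389)
    + _half_open(13, ATTACKER, VICTIM, 445)
    + [(ATTACKER, 50000 + i, VICTIM, 80, "R") for i in range(3)]   # bare resets
    + [(ATTACKER, 51000 + i, VICTIM, 80, "FA") for i in range(5)]  # FINs outside any session
    + [(CLIENT, 43000, VICTIM, 80, "S"), (VICTIM, 80, CLIENT, 43000, "SA"),
       (CLIENT, 43000, VICTIM, 80, "A")]  # one legitimate, completed handshake
)

def handshake_report(packets):
    """Per (client, server, port): SYNs seen, SYN+ACKs returned, handshakes completed."""
    state = defaultdict(lambda: {"syn": 0, "synack": 0, "completed": 0})
    for src, sport, dst, dport, flags in packets:
        if flags == "S":
            state[(src, dst, dport)]["syn"] += 1
        elif flags == "SA":
            state[(dst, src, sport)]["synack"] += 1
        elif flags == "A":
            # heuristic: a bare ACK after an unanswered SYN+ACK is the third handshake packet
            key = (src, dst, dport)
            if state[key]["synack"] > state[key]["completed"]:
                state[key]["completed"] += 1
    return state

def syn_flood_suspects(packets, min_syn=10, max_completion=0.5):
    """(client, server, port) triples with many SYNs and few completed handshakes."""
    return sorted(
        (key, s["syn"], s["completed"])
        for key, s in handshake_report(packets).items()
        if s["syn"] >= min_syn and s["completed"] <= max_completion * s["syn"]
    )

def rst_fin_by_source(packets):
    """RST and FIN segments sent per source IP, as in the RST and FIN sections above."""
    totals = defaultdict(lambda: {"rst": 0, "fin": 0})
    for src, _, _, _, flags in packets:
        for letter, name in (("R", "rst"), ("F", "fin")):
            totals[src][name] += letter in flags
    return dict(totals)
```

The same counters can be fed from a Wireshark CSV export of the tcp.flags columns; the legitimate handshake from 10.2.12.50 is the control case that must not be flagged.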
HTTP Analysis:
While examining the HTTP traffic by applying the http filter in Wireshark, I found that there are also several malicious activities carried out by the attacker in the HTTP packets. In the HTTP packets the attacker compromises the victim into downloading a .cab file, which is malware. In this analysis the attacker compromises the same server as in the TCP attacks, as shown in the screenshots below:
Analyzing the HTTP traffic by following the HTTP stream, I found that the client sends a GET request to the server, the server replies with a 200 OK message, and the malware is downloaded, as shown in the screenshot below:
The screenshot below shows the HTTP load distribution, i.e., the HTTP requests and responses made by the servers.
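The followed stream above (GET, then 200 OK carrying a .cab file) can be checked mechanically. The following added example (not from the report or the capture) parses a constructed request/response pair and flags a download by URL extension and by the body's leading bytes; the host name, path and body bytes are constructed sample values, and the "MSCF" signature is the standard magic of Microsoft cabinet files.

```python
# Constructed HTTP exchange (not taken from the capture): a GET for a .cab URL and a
# 200 OK whose body starts with "MSCF", the magic every Microsoft cabinet file begins with.
REQUEST = b"GET /update/package.cab HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: 12\r\n\r\nMSCF\x00\x00\x00\x00\x01\x02\x03\x04")
BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
BENIGN_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

# Leading bytes of common file formats a client should not silently receive.
MAGIC = {b"MSCF": "cab", b"MZ": "pe", b"PK\x03\x04": "zip", b"\x7fELF": "elf"}
SUSPECT_EXT = (".cab", ".exe", ".dll", ".msi")

def split_message(raw):
    """Split one HTTP message into (start line, lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def inspect_stream(request, response):
    """Findings for a followed HTTP stream: what was requested and what came back."""
    req_line, _, _ = split_message(request)
    status_line, headers, body = split_message(response)
    method, path, _ = req_line.split(" ", 2)
    status = int(status_line.split(" ")[1])
    f = {"method": method, "path": path, "status": status, "file_type": None, "reasons": []}
    if path.lower().endswith(SUSPECT_EXT):
        f["reasons"].append("executable-like extension in URL")
    for magic, kind in MAGIC.items():
        if body.startswith(magic):
            f["file_type"] = kind
            f["reasons"].append(f"body magic identifies a {kind} file")
            break
    if f["file_type"] and headers.get("content-type", "").startswith("text/"):
        f["reasons"].append("content-type claims text but body is binary")
    if status == 200 and f["file_type"] == "cab":
        f["reasons"].append("200 OK delivered a cabinet archive, as in the capture above")
    return f
```

Checking the body magic rather than only the URL catches the case where the server renames the archive or mislabels its Content-Type.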
HTTP Response Splitting Attack:
This is a protocol manipulation attack, similar to a parameter tampering attack. It applies only to applications that use HTTP to exchange information. It works just as well over HTTPS, because the entry point is data supplied by the client.
Identification of Initial Compromise:
Initially the attacker compromises the server using three protocols: TCP, HTTP and NTP. The attacker compromised TCP SYN packets, ACK packets, SYN+ACK packets and FIN packets. The attacker abuses the NTP protocol, which serves as a DDoS amplification vector, to launch a DDoS attack. The attacker also compromises HTTP GET to force the victim to download the malware. The details are given above with explanation. The screenshots show these protocols, and we can verify that these three protocols are compromised by the attacker.
Attribution of The Attack:
As explained in detail above, only one attacker, with IP address 10.2.12.101, is involved in all the attacks, against a victim with IP address 10.2.12.12. Apart from this, there are two other IP addresses on which the attacker launched only a TCP SYN flood attack: 72.21.91.29 and 64.233.180.28. The ports on which the attacker launched the attacks are 389, 445, 135, 49671, and 88, as shown in the screenshots below.
From all the above analysis I conclude that this is a DDoS attack. I also examined the I/O graph of the captured traffic to further clarify the type of attack used in this capture. The screenshot below shows that in two intervals of time the network generates a huge amount of data, 3200 packets per second and 2400 packets per second, which best confirms that the attack type is a DoS or DDoS attack.
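The I/O graph reading above is a packets-per-second histogram; reproducing it in code also lets each burst be attributed to the source that produced it. The following added example (not from the report) builds that histogram over constructed (timestamp, source) samples whose two peaks mirror the 3200 and 2400 packets per second reported above; the background client address 10.2.12.50 and the 20 packets per second of normal traffic are assumptions.

```python
from collections import Counter, defaultdict

ATTACKER, CLIENT = "10.2.12.101", "10.2.12.50"

def _burst(second, n, src):
    # n packets from src spread evenly across one second
    return [(second + i / n, src) for i in range(n)]

# Constructed (timestamp, source IP) pairs: 20 background packets per second from a normal
# client over ten seconds, plus two bursts whose sizes mirror the peaks reported above.
SAMPLES = (
    [(s + j / 20, CLIENT) for s in range(10) for j in range(20)]
    + _burst(3, 3200, ATTACKER)
    + _burst(7, 2400, ATTACKER)
)

def packets_per_interval(samples, interval=1.0):
    """Packet counts per interval (the I/O graph) and per-source counts within each."""
    totals, by_source = Counter(), defaultdict(Counter)
    for ts, src in samples:
        bucket = int(ts // interval)
        totals[bucket] += 1
        by_source[bucket][src] += 1
    return totals, by_source

def bursts(samples, threshold_pps=1000, interval=1.0):
    """Intervals whose rate exceeds threshold_pps, with the source responsible for most of it."""
    totals, by_source = packets_per_interval(samples, interval)
    return [
        (bucket, count, by_source[bucket].most_common(1)[0])
        for bucket, count in sorted(totals.items())
        if count / interval >= threshold_pps
    ]
```

Lowering the interval (for example 0.1 s) exposes shorter spikes that a one-second graph averages away.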
Recommendation to the Forensic Investigations Team:
My recommendations to the forensics team for mitigating all the above attacks are given below. They are not sufficient on their own, but deploying them will help us mitigate such attacks.
Maintain both on-premises and external deployments so that there is no single point of failure on the network.
Broad network visibility, with the ability to monitor and examine traffic from various parts of the network.
Multiple sources of threat intelligence, including statistical anomaly detection, customizable threshold alerts and fingerprints of existing and emerging threats, to ensure fast and accurate detection.
Scalable enough to handle attacks of all types and sizes, from small to large.
For NTP attacks we will monitor NTP traffic; if UDP datagrams are being exchanged on port 123, there is a chance of an NTP attack.
To mitigate NTP attacks we have to stop IP spoofing: ensure that the IP addresses of our internet-facing assets cannot be spoofed by implementing network security controls.
The next step is to block or close UDP port 123 on our internet-facing assets if time synchronization is not needed.
To mitigate and prevent HTTP attacks, the most effective control is to limit the request rate per request origin. A WAF provides a rate-limiting function for this purpose. Moreover, we can mitigate HTTP attacks by enabling CAPTCHA on websites, creating strong authentication and access controls, configuring access control and throttling whitelists, scanning the websites for malicious content regularly, etc.