EC-Council CTT Analysis Workstation

Lab Scenario
"An attacker with malicious intent used SYN flooding technique to disrupt the network and bypass the firewall. The SOC team captured network traffic and provided a file for analysis. Analyze the capture and determine the source IP address of the attack."

Determine the source IP address responsible for the SYN flood attack.

  • A. 20.20.10.180
  • B. 20.20.10.19
  • C. 20.20.10.60
  • D. 20.20.10.59
Hint: Look for repeated SYN packets from the same source IP address targeting the same destination.
Explanation: A SYN flood attack is identified by repeated SYN packets from one source without following through with the ACK. In this capture, 20.20.10.19 is the attacker sending repeated SYN requests to disrupt service.
Packet Analyzer Tool
Loading Synflood.pcapng...
No  Source IP      Destination IP  Protocol  Info
1   20.20.10.19    20.20.10.26     TCP       SYN
2   20.20.10.19    20.20.10.26     TCP       SYN
3   20.20.10.60    20.20.10.26     TCP       ACK
4   20.20.10.19    20.20.10.26     TCP       SYN
5   20.20.10.180   20.20.10.26     TCP       ACK
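The explanation's rule (many SYNs from one source with no ACK completing the handshake) can be applied mechanically. The script below is an added example, not part of the lab or its packet analyzer: it parses summary lines in the analyzer's column layout (the five rows above, embedded as constructed input rather than read from Synflood.pcapng), counts unanswered SYNs per source/destination pair, and names the source that exceeds a threshold. The threshold of 3 is an assumption chosen to fit this five-packet sample; a real flood is orders of magnitude larger.

```python
import re
from collections import Counter

# Constructed packet summary lines mirroring the lab's analyzer output
# (columns: No, Source IP, Destination IP, Protocol, Info). Not a real pcap.
PACKET_LINES = """\
1 20.20.10.19 20.20.10.26 TCP SYN
2 20.20.10.19 20.20.10.26 TCP SYN
3 20.20.10.60 20.20.10.26 TCP ACK
4 20.20.10.19 20.20.10.26 TCP SYN
5 20.20.10.180 20.20.10.26 TCP ACK
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_packets(text):
    """Parse analyzer summary lines into (src, dst, proto, flags) tuples."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, src, dst, proto, info = m.groups()
            packets.append((src, dst, proto, info.upper()))
    return packets


def half_open_counts(packets):
    """Count bare SYNs per (src, dst) pair whose src never sent an ACK to dst."""
    syns = Counter()
    acked = set()
    for src, dst, proto, flags in packets:
        if proto != "TCP":
            continue
        if "SYN" in flags and "ACK" not in flags:   # bare SYN, handshake opened
            syns[(src, dst)] += 1
        elif "ACK" in flags:                         # client completed a handshake
            acked.add((src, dst))
    return {pair: n for pair, n in syns.items() if pair not in acked}


def find_syn_flood_source(packets, threshold=3):
    """Return the source IP with the most unanswered SYNs to one destination,
    or None if no pair reaches the threshold (assumed value, tuned to the sample)."""
    counts = half_open_counts(packets)
    if not counts:
        return None
    (src, _dst), n = max(counts.items(), key=lambda kv: kv[1])
    return src if n >= threshold else None
```

On this sample the only pair with unanswered SYNs is 20.20.10.19 -> 20.20.10.26 (three of them), which is the answer the lab expects.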