1) Network traffic analysis shows that a single host is opening hundreds of SSH sessions to a single host every minute.
a. The large number of attempted connections each minute suggests this is an attempted denial of service attack. This type of attack attempts to overload network resources with illegitimate traffic to deny service to legitimate users or business needs. IDS and IPS devices can detect all of this traffic, and the IPS can drop (or have border network devices such as firewalls drop) these packets to prevent the attack from succeeding.
2) Network traffic shows that hundreds of hosts are constantly sending only SYN packets to a single Web server on campus.
a. This type of traffic suggests a SYN flood attack, which according to Techtarget (http://searchsecurity.techtarget.com/definition/SYN-flooding) is when half-open connections are attempted by the user only sending SYN packets. The server will respond with SYN/ACK packets (on open ports), but the client ignores them and re-sends SYN packets. This means the server cannot handle legitimate traffic when needed. Similar to #1 above, IDS and IPS devices can detect all of this traffic and an IPS can drop the packets before they get to the target server after the pattern is recognized as an attack. 3) A system administrator reports that a single host is attempting to …show more content…
This is a textbook phishing attack – which is when a malicious user attempts to gain information (such as username/password combinations) by pretending to be a legitimate entity (in this case, the campus helpdesk). The ultimate goal for a malicious user in this scenario is to gain legitimate credentials. IDS/IPS devices are not normally capable of detecting this type of attack. As a result, it would be more effective for us to employ specific spam filters on the network (such as from vendor Barracuda: https://www.barracuda.com/assets/docs/Datasheets/Barracuda_Spam_Firewall_DS_US.pdf) to block spam emails from reaching College
a. The large number of attempted connections each minute suggests this is an attempted denial of service attack. This type of attack attempts to overload network resources with illegitimate traffic to deny service to legitimate users or business needs. IDS and IPS devices can detect all of this traffic, and the IPS can drop (or have border network devices such as firewalls drop) these packets to prevent the attack from succeeding.
2) Network traffic shows that hundreds of hosts are constantly sending only SYN packets to a single Web server on campus.
a. This type of traffic suggests a SYN flood attack, which according to Techtarget (http://searchsecurity.techtarget.com/definition/SYN-flooding) is when half-open connections are attempted by the user only sending SYN packets. The server will respond with SYN/ACK packets (on open ports), but the client ignores them and re-sends SYN packets. This means the server cannot handle legitimate traffic when needed. Similar to #1 above, IDS and IPS devices can detect all of this traffic and an IPS can drop the packets before they get to the target server after the pattern is recognized as an attack. 3) A system administrator reports that a single host is attempting to …show more content…
This is a textbook phishing attack – which is when a malicious user attempts to gain information (such as username/password combinations) by pretending to be a legitimate entity (in this case, the campus helpdesk). The ultimate goal for a malicious user in this scenario is to gain legitimate credentials. IDS/IPS devices are not normally capable of detecting this type of attack. As a result, it would be more effective for us to employ specific spam filters on the network (such as from vendor Barracuda: https://www.barracuda.com/assets/docs/Datasheets/Barracuda_Spam_Firewall_DS_US.pdf) to block spam emails from reaching College