This repository contains an analysis of a network attack scenario involving a SYN Flood attack. The attack disrupted a travel agency's website by overwhelming the web server with a high volume of TCP SYN requests, leading to a denial of service for legitimate users. The goal of this analysis is to identify the attack, understand its impact, and suggest mitigation strategies.
While working as a security analyst for a travel agency, I received an automated alert indicating a problem with the web server. Investigation with a packet sniffer showed a large number of TCP SYN requests arriving from an unfamiliar IP address. The web server was overwhelmed, and legitimate users received a connection timeout error. Temporary mitigation steps included taking the server offline to recover and blocking the malicious IP on the firewall.
- Wireshark: Used to capture and analyze network traffic, identifying abnormal patterns and detecting malicious activity.
A SYN Flood attack exploits the TCP three-way handshake: the attacker sends a large number of SYN packets but never sends the final ACK, so each connection stays half-open and holds server state until it times out. Enough half-open connections exhaust the server's connection backlog and resources, preventing legitimate clients from connecting.
- Website downtime resulting in HTTP 504 Gateway Timeout errors
- Server resource exhaustion, leading to degraded performance
- Disrupted access for employees and customers
- Captured network traffic using Wireshark
- Identified excessive TCP SYN requests from a single IP
- Analyzed logs to confirm the attack pattern
- Temporarily took the server offline to recover
- Blocked the attacking IP via firewall rules
- Prepared a report for management on the incident
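The detection step above (excessive SYNs from a single IP that never complete the handshake) as a worked example, added here and not part of the original repository. The packet records, IP addresses and thresholds are constructed for illustration; a real run would feed it packets exported from Wireshark.

```python
from collections import defaultdict

# Constructed sample of TCP packets as a packet sniffer would decode them.
# Each record: (timestamp_s, src_ip, dst_ip, flags); "S" = SYN, "SA" = SYN-ACK, "A" = ACK.
SAMPLE_PACKETS = [
    (0.00, "203.0.113.50", "192.0.2.10", "S"),    # legitimate client
    (0.01, "192.0.2.10", "203.0.113.50", "SA"),
    (0.02, "203.0.113.50", "192.0.2.10", "A"),    # handshake completed
] + [
    # flood: 200 SYNs from one unfamiliar address, never acknowledged
    (0.05 + i * 0.001, "198.51.100.77", "192.0.2.10", "S") for i in range(200)
] + [
    (0.30, "192.0.2.10", "198.51.100.77", "SA"),  # server replies, no final ACK
]

def half_open_by_source(packets, server_ip):
    """Per client IP: (SYNs sent to server_ip, handshakes completed).
    A handshake counts as completed when the client sends a bare ACK back."""
    syns = defaultdict(int)
    completed = defaultdict(int)
    for _ts, src, dst, flags in packets:
        if dst == server_ip and flags == "S":
            syns[src] += 1
        elif dst == server_ip and flags == "A":
            completed[src] += 1
    return {ip: (syns[ip], completed[ip]) for ip in syns}

def detect_syn_flood(packets, server_ip, syn_threshold=100, min_completion=0.5):
    """Return source IPs that sent at least syn_threshold SYNs and completed
    fewer than min_completion of them. Thresholds are constructed for this
    sample; tune them to the server's normal traffic baseline."""
    flagged = []
    for ip, (syn_count, done) in half_open_by_source(packets, server_ip).items():
        if syn_count >= syn_threshold and done / syn_count < min_completion:
            flagged.append(ip)
    return sorted(flagged)

def wireshark_filter(src_ip):
    """Wireshark display filter isolating bare SYNs (no ACK bit) from one host."""
    return f"ip.src == {src_ip} && tcp.flags.syn == 1 && tcp.flags.ack == 0"

if __name__ == "__main__":
    for ip in detect_syn_flood(SAMPLE_PACKETS, "192.0.2.10"):
        print(ip, "->", wireshark_filter(ip))
```

Once a source is flagged, the printed display filter can be pasted into Wireshark to confirm the pattern before adding the firewall block described above.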
- Install Wireshark and capture network packets during an attack simulation.
- Analyze the traffic for unusual SYN request patterns.
- Implement mitigation strategies based on the findings.