Analyze a SYN Flood Attack (credit to MindTap)

You are the security analyst for a small corporate network. You have heard complaints that the CorpServer (192.168.0.10) seems to be very unresponsive. You suspect that the server may be under a SYN attack.

In this lab, your task is to:

  • Use Zenmap to find which ports on CorpServer (192.168.0.10) are open.
  • Use Wireshark and the enp2s0 network interface to determine if the CorpServer is under a SYN attack.
  • Analyze the packets captured.
  • Answer the questions.



EXPLANATION

Complete this lab as follows:

  1. From Zenmap, use nmap to find the open ports used on CorpServer.
    1. From the Favorites bar, select Zenmap.
    2. In the Command field, type nmap -p 0-100 192.168.0.10
    3. Select Scan.
    4. In the top right, select Answer Questions.
    5. Answer Question 1.
    6. Minimize the Lab Question dialog.
    7. Close Zenmap.
  2. Capture SYN packets on the CorpServer machine.
    1. From the Favorites bar, select Wireshark.
    2. Under Capture, select enp2s0.
    3. In the Apply a display filter field, type host 192.168.0.10 and tcp.flags.syn==1
    4. Press Enter.
    5. Select the blue shark-fin icon to start a Wireshark capture.
    6. Capture packets for a few seconds.
    7. From Wireshark, select the red square to stop the Wireshark capture.
    8. Maximize Wireshark for better viewing.
  3. Analyze the Wireshark data for signs of a SYN attack.
    1. Notice that only SYN packets were captured (no SYN-ACK replies from the server).
    2. Notice the very short time between each packet sent to host 192.168.0.10.
    3. Look at the port numbers being used in the SYN packets.
    4. Maximize the Lab Question dialog.
    5. Answer Questions 2 and 3.
  4. Locate the MAC address of the computer initiating the SYN flood attack.
    1. From the middle pane, expand Ethernet II.
       Notice the source MAC address of the computer sending the SYN flood.
    2. Answer Question 4.
    3. Select Score Lab.
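The three indicators the lab has you read off the capture by eye (SYNs with no SYN-ACK replies, near-zero inter-arrival time, and one Ethernet source address behind all of them) can be checked programmatically. The script below is an added example and is not part of the MindTap lab; it builds a constructed set of packet records that resembles what the lab's filter would display (the server address 192.168.0.10 is the lab's, every other address, MAC and timestamp is made up) and reports whether the capture looks like a SYN flood and which MAC is responsible. Note that in a real Wireshark session `host 192.168.0.10` is capture-filter (BPF) syntax; the equivalent display filter is `ip.addr==192.168.0.10 and tcp.flags.syn==1`.

```python
"""SYN-flood triage over packet records (added example with constructed data)."""
from collections import Counter
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Packet:
    ts: float        # capture timestamp in seconds (frame.time_epoch)
    src_mac: str     # Ethernet II source address (eth.src)
    src_ip: str      # ip.src
    dst_ip: str      # ip.dst
    dst_port: int    # tcp.dstport
    syn: bool        # tcp.flags.syn
    ack: bool        # tcp.flags.ack


def build_sample(server_ip="192.168.0.10", flood_mac="00:11:22:aa:bb:cc", n=40):
    """Construct a capture: n SYNs 1 ms apart from one (hypothetical) MAC with
    rotating spoofed source IPs, plus one normal client whose SYN is answered."""
    pkts = []
    for i in range(n):
        pkts.append(Packet(ts=0.001 * i, src_mac=flood_mac,
                           src_ip=f"10.0.0.{i % 200 + 1}",       # constructed, spoofed
                           dst_ip=server_ip,
                           dst_port=[21, 22, 23, 25, 80][i % 5],  # cycles through services
                           syn=True, ack=False))
    # A legitimate client half a second in: its SYN gets a SYN-ACK back.
    pkts.append(Packet(0.500, "00:aa:bb:cc:dd:ee", "192.168.0.20", server_ip, 80, True, False))
    pkts.append(Packet(0.501, "00:50:56:00:00:10", server_ip, "192.168.0.20", 50000, True, True))
    return sorted(pkts, key=lambda p: p.ts)


def syn_flood_indicators(pkts, server_ip, max_median_gap=0.010, min_syns=20):
    """Summarise SYN traffic toward server_ip and flag a likely flood.

    Heuristic (thresholds are assumptions, not lab values): at least min_syns
    bare SYNs, a median inter-arrival gap at or under max_median_gap seconds,
    and more than 90% of those SYNs never answered with a SYN-ACK.
    """
    syns = [p for p in pkts if p.dst_ip == server_ip and p.syn and not p.ack]
    synacks = [p for p in pkts if p.src_ip == server_ip and p.syn and p.ack]
    gaps = [b.ts - a.ts for a, b in zip(syns, syns[1:])]
    by_mac = Counter(p.src_mac for p in syns)
    top_mac, top_count = by_mac.most_common(1)[0] if by_mac else (None, 0)
    unanswered = len(syns) - len(synacks)

    result = {
        "syn_count": len(syns),
        "synack_count": len(synacks),
        "unanswered_syns": unanswered,
        "median_gap_s": median(gaps) if gaps else None,
        "dst_ports": sorted({p.dst_port for p in syns}),
        "top_src_mac": top_mac,                          # answer to "which machine?"
        "top_mac_share": top_count / len(syns) if syns else 0.0,
    }
    result["flood_suspected"] = (
        len(syns) >= min_syns
        and result["median_gap_s"] is not None
        and result["median_gap_s"] <= max_median_gap
        and unanswered / len(syns) > 0.9
    )
    return result


if __name__ == "__main__":
    for key, value in syn_flood_indicators(build_sample(), "192.168.0.10").items():
        print(f"{key:>16}: {value}")
```

To run the same logic over a real capture, export the fields the dataclass mirrors with tshark (`tshark -r capture.pcapng -T fields -e frame.time_epoch -e eth.src -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack`) and build `Packet` objects from each line. The `top_src_mac` field is the same value the lab has you read from the expanded Ethernet II header; it is only meaningful when the flooding host is on the local segment, since a router rewrites the source MAC.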
