Analyze a DDoS Attack


Correct answer: There are multiple source addresses for the SYN packets with the destination address 128.28.1.1.

Complete this lab as follows:

  1. From the Favorites bar, open Wireshark.
  2. Under Capture, select enp2s0.
  3. On the toolbar, select the blue shark fin icon (Start capturing packets) to begin the capture.
  4. In the Apply a display filter field, type tcp.flags.syn==1 and tcp.flags.ack==1 and press Enter to limit the display to packets with both the SYN and ACK flags set (the server's SYN-ACK replies).
    You may have to wait several seconds before any SYN-ACK packets are captured and displayed.
  5. Select the red square to stop the capture.
  6. In the Apply a display filter field, change the filter to tcp.flags.syn==1 and tcp.flags.ack==0 and press Enter to show only packets with the SYN flag set and the ACK flag clear (the initial SYN of each handshake).
    Notice the flood of SYN packets sent to 128.28.1.1 (www.corpnet.xyz) from many different source addresses. The server answers each one with a SYN-ACK, but the final ACK of the three-way handshake never arrives, so the server is left holding half-open connections. That pattern (many SYNs, many sources, almost no completed handshakes) is the signature of a SYN flood.
  7. In the top right, select Answer Questions.
  8. Answer the question.
  9. Select Score Lab.
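The two display filters above and the conclusion drawn from them can be reproduced outside Wireshark. The following script is an added example, not part of the lab: it builds a small constructed capture of raw IPv4/TCP headers (a single legitimate handshake from 10.0.0.5 plus 50 SYNs from 50 distinct 203.0.113.0/24 sources to 128.28.1.1, each answered with a SYN-ACK that is never acknowledged), applies the same flag tests the filters express, and then flags the target by its ratio of completed to attempted handshakes. All addresses, ports, thresholds and function names are assumptions made for the example.

```python
"""Reproduce the lab's two Wireshark filters and the SYN-flood conclusion on
constructed IPv4/TCP packets (no Ethernet frames, checksums left at zero)."""
import struct
from collections import defaultdict

SYN, ACK = 0x02, 0x10          # TCP flag bits
TARGET = "128.28.1.1"          # www.corpnet.xyz in the lab


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_packet(src_ip, dst_ip, sport, dport, flags):
    """Minimal 20-byte IPv4 header + 20-byte TCP header with the given flags."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def parse_packet(raw):
    """Return addresses, ports and SYN/ACK bits of a raw IPv4/TCP packet, else None."""
    ihl = (raw[0] & 0x0F) * 4                  # IPv4 header length in bytes
    if raw[9] != 6:                            # protocol 6 = TCP
        return None
    tcp = raw[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]
    return {"src": bytes_to_ip(raw[12:16]), "dst": bytes_to_ip(raw[16:20]),
            "sport": sport, "dport": dport,
            "syn": bool(flags & SYN), "ack": bool(flags & ACK)}


def is_syn_ack(p):      # Wireshark: tcp.flags.syn==1 and tcp.flags.ack==1
    return p["syn"] and p["ack"]


def is_syn_only(p):     # Wireshark: tcp.flags.syn==1 and tcp.flags.ack==0
    return p["syn"] and not p["ack"]


def apply_filter(raw_packets, predicate):
    """Equivalent of typing a display filter: keep only parsed packets matching it."""
    return [p for p in map(parse_packet, raw_packets) if p is not None and predicate(p)]


def handshake_summary(raw_packets):
    """Per server IP: SYNs received, distinct SYN sources, SYN-ACKs sent and
    handshakes that reached the final ACK. 'incomplete' = SYNs never completed."""
    stages = {}   # (client, cport, server, sport) -> set of stages seen
    for raw in raw_packets:
        p = parse_packet(raw)
        if p is None:
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        if is_syn_only(p):
            stages.setdefault(fwd, set()).add("syn")
        elif is_syn_ack(p):
            rev = (p["dst"], p["dport"], p["src"], p["sport"])   # reply flows back
            if rev in stages:
                stages[rev].add("syn-ack")
        elif p["ack"] and fwd in stages and "syn-ack" in stages[fwd]:
            stages[fwd].add("ack")
    acc = defaultdict(lambda: {"syn": 0, "sources": set(), "syn_ack": 0, "completed": 0})
    for (client, _, server, _), seen in stages.items():
        s = acc[server]
        s["syn"] += 1
        s["sources"].add(client)
        s["syn_ack"] += "syn-ack" in seen
        s["completed"] += "ack" in seen
    return {srv: {"syn": v["syn"], "distinct_sources": len(v["sources"]),
                  "syn_ack": v["syn_ack"], "completed": v["completed"],
                  "incomplete": v["syn"] - v["completed"]} for srv, v in acc.items()}


def suspected_syn_flood_targets(summary, min_syn=20, min_sources=10, max_completion=0.5):
    """Servers receiving many SYNs from many sources where most handshakes never finish.
    Thresholds are illustrative; tune them to the link's normal traffic."""
    return [srv for srv, s in sorted(summary.items())
            if s["syn"] >= min_syn and s["distinct_sources"] >= min_sources
            and s["completed"] / s["syn"] <= max_completion]


def constructed_capture():
    """Constructed sample traffic, not a real capture: one genuine handshake and a flood."""
    pkts = [build_packet("10.0.0.5", TARGET, 40000, 80, SYN),
            build_packet(TARGET, "10.0.0.5", 80, 40000, SYN | ACK),
            build_packet("10.0.0.5", TARGET, 40000, 80, ACK)]
    for i in range(1, 51):                        # 50 SYNs, 50 different sources
        src = f"203.0.113.{i}"
        pkts.append(build_packet(src, TARGET, 1024 + i, 80, SYN))
        pkts.append(build_packet(TARGET, src, 80, 1024 + i, SYN | ACK))  # never ACKed
    return pkts


if __name__ == "__main__":
    cap = constructed_capture()
    print("SYN-ACK packets:", len(apply_filter(cap, is_syn_ack)))
    print("SYN-only packets:", len(apply_filter(cap, is_syn_only)))
    summary = handshake_summary(cap)
    print("per-server summary:", summary)
    print("suspected SYN-flood targets:", suspected_syn_flood_targets(summary))
```

Run stand-alone, the script reports 51 SYN-ACKs and 51 SYNs, the same counts the two Wireshark filters would show, and flags 128.28.1.1 because 51 SYNs from 51 sources produced only one completed handshake. On a live interface the same logic can be fed from a pcap reader; the flag tests are unchanged.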
