Question:
Note: for this question, you need to download a PCAP file located in the course Moodle web site.
Peter is the Network Security Manager for a small spare parts business. The organisation uses an e-sales application to provide a front-end for its e-sales business. Customers are complaining that in the last two or three days the system has become very slow, taking them longer than normal to place their orders. This information has been corroborated by staff complaining that they are not happy with the slow response of the system to complete their daily activities. Peter suspects that the system has been the target of criminal hands and before he starts responding to the attack, he decides to investigate the issue a little further. First, he reviews the firewall logs and notices something abnormal in the type of traffic directed to a number of internal hosts including the organisation’s web server. Curious about this traffic, Peter uses Wireshark to capture a trace of the traffic. [A section of this trace can be accessed from the course Moodle web site].
Based on the above fictional scenario and the provided PCAP:
(a) Identify the anomaly in the traffic this organisation is going through. What sort of evidence do you have to make this claim?
(b) What sort of utility or tool do you think the “attacker” is using to conduct this attack?
(c) Provide the IP address of the host used by the perpetrator (1/2 Mark). Based on this information, what can you tell about the profile of this individual? Explain why (1.5 Marks).
(d) What Wireshark filter do you think Peter used to produce the given PCAP? Explain why