
21:49:02.235109 x.y.z.2.23 > x.y.z.2.23: S 4011917:4011917(0) win 4096 (DF)

Evaluation: A crafted SYN packet whose source IP address and port are identical to its destination IP address and port (here x.y.z.2 port 23 to x.y.z.2 port 23, the classic Land attack pattern) has no legitimate purpose; it is sent only to cause a denial of service on that host, since a vulnerable TCP/IP stack can hang when it tries to answer itself. Had this attack succeeded, the host could have locked up and would probably have needed a reboot. Our routers are configured to drop packets with this anomaly so they never reach the intended target. Even though the packets were dropped before reaching their destination, the host was checked to confirm it was unaffected. Maybe some paranoia setting in.

IDIC – SANS GIAC LevelTwo

©2000, 2001

35

Let’s summarize what we have discussed in this part of the course.

In the common errors section we were reminded of the traffic analysis techniques that help us avoid errors in analysis. There may be more than one seemingly valid interpretation for a data pattern, but the analyst learns to play the odds, and in particular to determine whether a packet is a stimulus or a response.

In the denial of service section, we learned to apply our understanding of how IP networking functions to assess the degree of asymmetry in an attack: how much effort the attacker spends versus how much traffic or damage results. We have seen that many DoS attacks are easy to identify. We also learned that sites can do their part to reduce attacks such as Smurf by doing two simple things:

- Egress filtering, so that packets with spoofed source addresses cannot leave your network
- Blocking incoming broadcast ICMP echo requests, so that your network cannot be used as an amplifier

Thank you for your attention and best of luck on your quiz.
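The following is an added example, not part of the course material, that applies the analysis above to tcpdump-style text lines: it flags the Land-style SYN from the trace on the previous slide (source and destination identical), the Smurf stimulus the summary says to block (an ICMP echo request aimed at our broadcast address), and packets an egress filter would drop (a foreign source address heading for a foreign destination). The sample lines are constructed, the netblock in OUR_NET is an assumption standing in for the course's x.y.z addresses, and the line format assumed is the classic tcpdump text output shown on the slide.

```python
"""Flag three DoS-related anomalies in tcpdump-style text lines.

Added example for the IDIC DoS material; not course code. OUR_NET and the
SAMPLE lines below are assumptions/constructed data.
"""

import ipaddress
import re

# Assumption: the site's own address block (the course writes it as x.y.z).
OUR_NET = ipaddress.ip_network("192.0.2.0/24")

# Classic tcpdump TCP line: "HH:MM:SS.usec src.port > dst.port: FLAGS ..."
TCP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>[SFRPUA.]+)"
)
# Classic tcpdump ICMP line: "HH:MM:SS.usec src > dst: icmp: echo request"
ICMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\s+"
    r"icmp:\s+(?P<kind>.+)$"
)

# Constructed sample: a Land-style SYN, a normal telnet handshake, a Smurf
# stimulus, a spoofed outbound packet, and a normal outbound echo reply.
SAMPLE = """\
21:49:02.235109 192.0.2.23.23 > 192.0.2.23.23: S 4011917:4011917(0) win 4096 (DF)
21:49:03.001000 198.51.100.7.40312 > 192.0.2.10.23: S 1000:1000(0) win 8192
21:49:03.002000 192.0.2.10.23 > 198.51.100.7.40312: S 2000:2000(0) ack 1001 win 4096
21:49:04.100000 203.0.113.5 > 192.0.2.255: icmp: echo request
21:49:05.200000 10.9.8.7.1234 > 203.0.113.9.80: S 3000:3000(0) win 512
21:49:06.300000 192.0.2.10 > 203.0.113.9: icmp: echo reply
"""


def parse_line(line):
    """Return a dict describing one tcpdump line, or None if it is not parsed."""
    m = TCP_RE.match(line)
    if m:
        pkt = m.groupdict()
        pkt["proto"] = "tcp"
        return pkt
    m = ICMP_RE.match(line)
    if m:
        pkt = m.groupdict()
        pkt["proto"] = "icmp"
        return pkt
    return None


def classify(pkt):
    """Return a short verdict for a parsed packet, or None if it looks normal."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    # Land-style packet: a SYN whose source address equals its destination.
    if pkt["proto"] == "tcp" and "S" in pkt["flags"] and src == dst:
        return "land: SYN with source == destination (%s port %s)" % (src, pkt["sport"])
    # Smurf stimulus: an echo request to our directed-broadcast address
    # (older stacks also answered the all-zeros address, so check both).
    if (pkt["proto"] == "icmp" and pkt["kind"].startswith("echo request")
            and dst in (OUR_NET.broadcast_address, OUR_NET.network_address)):
        return "smurf: broadcast echo request from %s" % src
    # Egress filtering: a packet bound for a foreign destination must carry
    # one of our own source addresses; anything else is spoofed.
    if dst not in OUR_NET and src not in OUR_NET:
        return "egress: spoofed source %s bound for %s" % (src, dst)
    return None


def analyze(lines):
    """Run all three checks; returns a list of (timestamp, verdict) pairs."""
    alerts = []
    for line in lines:
        pkt = parse_line(line.strip())
        if pkt is None:
            continue
        verdict = classify(pkt)
        if verdict:
            alerts.append((pkt["ts"], verdict))
    return alerts


if __name__ == "__main__":
    for ts, verdict in analyze(SAMPLE.splitlines()):
        print(ts, verdict)
```

On the constructed sample this reports exactly three lines: the Land-style SYN, the broadcast echo request, and the spoofed outbound packet; the two halves of the legitimate handshake and the outbound echo reply pass. Note that the Land check deliberately ignores the port numbers so that it also catches variants where only the addresses match.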


v4.0 – S. Northcutt – February 2001