https://github.com/compcode1/incident-report-2
The logs show that an unusually large number of SYN packets were sent to the web server from the attacker’s IP address (203.0.113.0). The web server struggled to keep up with the overwhelming SYN requests, as reflected in the increasing number of failed communications and error messages.
- Host: GitHub
- URL: https://github.com/compcode1/incident-report-2
- Owner: Compcode1
- License: gpl-3.0
- Created: 2024-11-19T19:37:06.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2024-11-19T19:49:03.000Z (about 1 year ago)
- Last Synced: 2024-11-19T20:33:42.921Z (about 1 year ago)
- Language: Jupyter Notebook
- Size: 0 Bytes
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
I work as a security analyst for a travel agency that advertises sales and promotions on the company’s website. The employees of the company regularly access the company’s sales webpage to search for vacation packages their customers might like.
One afternoon, I receive an automated alert from my monitoring system indicating a problem with the web server. I attempt to visit the company’s website, but receive a connection timeout error message in my browser.
I use a packet sniffer to capture data packets in transit to and from the web server. I notice a large number of TCP SYN requests coming from an unfamiliar IP address. The web server appears to be overwhelmed by the volume of incoming traffic and is losing its ability to respond to the abnormally large number of SYN requests. I suspect the server is under attack by a malicious actor.
I take the server offline temporarily so that the machine can recover and return to a normal operating status. I also configure the company’s firewall to block the IP address that was sending the abnormal number of SYN requests. I know that the IP blocking solution won’t last long, as an attacker can spoof other IP addresses to get around this block. I need to alert my manager about this problem quickly and discuss the next steps to stop this attacker and prevent this problem from happening again. I will need to be prepared to tell my boss about the type of attack I discovered and how it was affecting the web server and employees.
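The half-open handshake pattern the report describes (many SYNs from one source, no completed handshakes), as an added triage example that is not part of the incident-report repository: it tallies SYNs against completed ACKs per source over constructed sniffer-style lines. The server address 192.0.2.10, the legitimate client addresses and the thresholds are assumptions; 203.0.113.0 is the attacker address the report itself names.

```python
"""SYN-flood triage over tcpdump-style summary lines (constructed example)."""
import re
from collections import defaultdict

# Summary line shape assumed here: time src:port -> dst:port [flags]
LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) \[([S.]+)\]$")
SERVER = "192.0.2.10"  # assumed address of the company web server


def make_sample_log():
    """Construct sample traffic: two normal handshakes plus a flood from 203.0.113.0."""
    lines = []
    for i, client in enumerate(["198.51.100.7", "198.51.100.8"]):
        port = 51000 + i  # each legitimate client completes SYN, SYN-ACK, ACK
        lines.append(f"13:02:01.00{i} {client}:{port} -> {SERVER}:443 [S]")
        lines.append(f"13:02:01.00{i} {SERVER}:443 -> {client}:{port} [S.]")
        lines.append(f"13:02:01.00{i} {client}:{port} -> {SERVER}:443 [.]")
    for n in range(300):  # attacker: new source port each time, never an ACK
        lines.append(f"13:02:02.{n:03d} 203.0.113.0:{40000 + n} -> {SERVER}:443 [S]")
    return lines


def tally(lines):
    """Per source IP, count SYNs sent to the server and handshake-completing ACKs."""
    stats = defaultdict(lambda: {"syn": 0, "ack": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP summary line
        _, src, _, dst, _, flags = m.groups()
        if dst != SERVER:
            continue  # only traffic toward the web server matters here
        if flags == "S":
            stats[src]["syn"] += 1
        elif flags == ".":
            stats[src]["ack"] += 1
    return dict(stats)


def suspicious_sources(stats, min_syn=100, max_ack_ratio=0.1):
    """Sources with many SYNs and almost no completed handshakes (half-open pattern)."""
    return sorted(src for src, s in stats.items()
                  if s["syn"] >= min_syn and s["ack"] / s["syn"] <= max_ack_ratio)


if __name__ == "__main__":
    stats = tally(make_sample_log())
    for src in suspicious_sources(stats):
        print(f"possible SYN flood from {src}: {stats[src]['syn']} SYNs, {stats[src]['ack']} ACKs")
```

A source that spoofs many addresses would spread its SYNs across entries, so pair this per-source count with a server-wide half-open total in real monitoring.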