In this activity, I consider a scenario involving customers of a company experiencing a security issue when accessing the company’s website. The incident report explains the likely cause of the service interruption, how the attack occurred, and its negative impact on the website. This scenario is a simulation to demonstrate my skills and all confidential data are masked to protect privacy and safety.
A travel agency advertises sales and promotions on the company’s website. The employees of the company regularly access the company’s sales webpage to search for vacation packages their customers might like. One afternoon, a security analyst of the company received an automated alert from a monitoring system indicating a problem with the web server. The security analyst attempted to visit the company’s website but received a connection timeout error message in the browser.
Then, a packet sniffer was utilised to capture data packets in transit to and from the web server.
Let's first look at a normal transaction between a website visitor and the web server. The TCP handshake takes a few milliseconds to complete. After that, I can identify the visitor's browser requesting the sales.html webpage over HTTP at the application layer of the TCP/IP model, followed by the web server responding to the request. The image below shows traffic logs of normal transactions between a website visitor and the web server.
The security analyst noticed that the web server had stopped responding to legitimate employee traffic. Let's look at the captured network traffic logs to and from the web server while it was not responding to website visitors.
The website visitors received error messages indicating that they could not establish or maintain a connection to the web server. From log item number 125 onward, the web server stopped responding: the only items logged from that point were from the attack. As only one IP address was attacking the web server, it can be assumed that this was a direct DoS SYN flood attack rather than a distributed one. The web server appeared to be overwhelmed by the volume of incoming traffic and was losing its ability to respond to the abnormally large number of SYN requests. The security analyst suspected the server was under attack by a malicious actor.
The security analyst took the server offline temporarily so that the machine could recover and return to normal operation. The analyst then configured the company's firewall to block the IP address that was sending the abnormal number of SYN requests. Because an attacker can spoof IP addresses to get around such a block, IP blocking alone is not a lasting solution. The security analyst needs to alert their manager about this problem quickly and discuss the next steps to stop this attacker and prevent the problem from recurring. Therefore, the security analyst prepared the report below to explain to their manager the type of attack that was discovered and how it was affecting the web server and employees.
One potential explanation for the website’s connection timeout error message is a DoS attack. The logs show that the web server stops responding after it is overloaded with SYN packet requests. This event could be a type of DoS attack called SYN flooding.
When the website visitors try to establish a connection with the web server, a three-way handshake occurs using the TCP protocol. The handshake consists of three steps:
A SYN packet is sent from the source to the destination, requesting to connect.
The destination replies to the source with a SYN-ACK packet to accept the connection request. The destination will reserve resources for the source to connect.
A final ACK packet is sent from the source to the destination acknowledging the permission to connect.
In the case of a SYN flood attack, a malicious actor sends a large number of SYN packets all at once, which overwhelms the server’s available resources to reserve for the connection. When this happens, there are no server resources left for legitimate TCP connection requests.
The logs indicate that the web server has become overwhelmed and is unable to process the visitors' SYN requests. The server cannot open connections for new visitors, so those visitors receive a connection timeout message.
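To show how the log analysis above (the single source sending SYNs, the handshake that never completes, and the point from which the server goes quiet) can be checked mechanically, here is an added example that is not part of the original write-up. It parses a constructed packet-sniffer log in the column layout described (number, time, source, destination, protocol, info); the server address, the visitor addresses and the `detect_syn_flood` helper are all assumptions for the example, not values from the incident.

```python
from collections import defaultdict

# Constructed packet-sniffer log (number, time, source, destination, protocol, info).
# All addresses are documentation-range placeholders, not data from the incident.
SERVER = "192.0.2.10"  # assumed web server address
SAMPLE_LOG = """\
1 0.000 203.0.113.5 192.0.2.10 TCP [SYN] Seq=0
2 0.001 192.0.2.10 203.0.113.5 TCP [SYN, ACK] Seq=0 Ack=1
3 0.002 203.0.113.5 192.0.2.10 TCP [ACK] Seq=1 Ack=1
4 0.003 203.0.113.5 192.0.2.10 HTTP GET /sales.html HTTP/1.1
5 0.010 192.0.2.10 203.0.113.5 HTTP HTTP/1.1 200 OK
6 0.020 198.51.100.77 192.0.2.10 TCP [SYN] Seq=0
7 0.021 192.0.2.10 198.51.100.77 TCP [SYN, ACK] Seq=0 Ack=1
8 0.022 198.51.100.77 192.0.2.10 TCP [SYN] Seq=0
9 0.023 192.0.2.10 198.51.100.77 TCP [SYN, ACK] Seq=0 Ack=1
10 0.024 198.51.100.77 192.0.2.10 TCP [SYN] Seq=0
11 0.025 198.51.100.77 192.0.2.10 TCP [SYN] Seq=0
12 0.030 203.0.113.6 192.0.2.10 TCP [SYN] Seq=0
"""

def parse_log(text):
    """Split each line into number, source, destination, protocol and info."""
    rows = []
    for line in text.splitlines():
        no, _time, src, dst, proto, info = line.split(None, 5)
        rows.append({"no": int(no), "src": src, "dst": dst, "proto": proto, "info": info})
    return rows

def half_open_by_source(rows, server):
    """Count SYNs to the server that the same source never completed with an ACK."""
    pending = defaultdict(int)
    for r in rows:
        if r["proto"] != "TCP" or r["dst"] != server:
            continue
        if "[SYN]" in r["info"]:          # step 1 of the handshake
            pending[r["src"]] += 1
        elif "[ACK]" in r["info"] and pending[r["src"]] > 0:
            pending[r["src"]] -= 1        # step 3: handshake completed
    return dict(pending)

def server_silent_from(rows, server):
    """Log number of the first packet after the server's last reply, or None."""
    last = max((r["no"] for r in rows if r["src"] == server), default=0)
    later = [r["no"] for r in rows if r["no"] > last]
    return min(later) if later else None

def detect_syn_flood(text, server, threshold=3):
    # Sources holding at least `threshold` half-open connections, plus the
    # log number from which the server stopped answering anyone at all.
    rows = parse_log(text)
    suspects = {ip: n for ip, n in half_open_by_source(rows, server).items() if n >= threshold}
    return {"suspects": suspects, "server_silent_from": server_silent_from(rows, server)}
```

On the sample, the visitor 203.0.113.5 completes its handshake and is never a suspect, while 198.51.100.77 accumulates four half-open connections and the server sends nothing after item 9, which matches the "from item 125 on" observation in the real logs.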