
Scenario 1: Domain Name System (DNS) Server Denial of Service (DoS) On a Saturda


Question

Scenario 1: Domain Name System (DNS) Server Denial of Service (DoS)

On a Saturday afternoon, external users start having problems accessing the organization's public websites. Over the next hour, the problem worsens to the point where nearly every access attempt fails. Meanwhile, a member of the organization's networking staff responds to alerts from an Internet border router and determines that the organization's Internet bandwidth is being consumed by an unusually large volume of User Datagram Protocol (UDP) packets to and from both the organization's public DNS servers. Analysis of the traffic shows that the DNS servers are receiving high volumes of requests from a single external IP address. Also, all the DNS requests from that address come from the same source port.

The following are additional questions for this scenario:

1. Whom should the organization contact regarding the external IP address in question?
2. Suppose that after the initial containment measures were put in place, the network administrators detected that nine internal hosts were also attempting the same unusual requests to the DNS server. How would that affect the handling of this incident? Suppose that two of the nine internal hosts disconnected from the network before their system owners were identified. How would the system owners be identified?
3.

Explanation / Answer

1) The organization should contact the ISP (Internet Service Provider).

2) To block traffic from the external IP address we can implement a firewall, which can block unnecessary traffic based on source and destination IP addresses, packet payloads, port numbers, and protocols. The unusual activity that occurred internally in the network may be due to some malware. To block unusual activity internally we have to identify the compromised devices in the internal network and should prevent that malware from compromising further devices in the local network by using some malware prevention techniques.

3) DHCP (Dynamic Host Configuration Protocol) is a mechanism for assigning IP addresses to LAN devices, so that they can communicate with other stations on the local network, as well as with systems across internetworked connections. DHCP will provide automated IP address assignments, which could change dynamically as needed. To identify the two hosts disconnected from the network, the first task is to identify and/or physically locate the device based on its IP address. When DHCP servers assign IP addresses, they typically create a log of the event, which includes the assigned IP address and the MAC address of the device receiving the IP address. Other details, such as the requesting system's hostname, may be logged as well. Consequently, DHCP logs help an investigator to find which physical network card was assigned the IP address.
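The DHCP log lookup described in the answer above can be sketched as follows. This is an added example, not part of the original answer: the log line format is an assumption modelled on ISC dhcpd syslog output, all addresses, MACs and hostnames are constructed, and lease expiry without an explicit release is not modelled.

```python
import re
from datetime import datetime

# Constructed sample log; the line format is an assumption modelled on ISC dhcpd syslog output.
SAMPLE_LOG = """\
2024-03-02T13:02:11 dhcpd: DHCPACK on 10.0.5.23 to 00:16:3e:aa:01:10 (ws-finance-04) via eth1
2024-03-02T14:40:09 dhcpd: DHCPRELEASE of 10.0.5.23 from 00:16:3e:aa:01:10 (ws-finance-04) via eth1
2024-03-02T14:55:30 dhcpd: DHCPACK on 10.0.5.23 to 00:16:3e:bb:02:20 (lab-laptop-17) via eth1
2024-03-02T15:01:00 dhcpd: DHCPACK on 10.0.5.31 to 00:16:3e:cc:03:30 via eth1
"""

EVENT = re.compile(
    r"^(?P<ts>\S+) dhcpd: (?P<kind>DHCPACK on|DHCPRELEASE of) (?P<ip>\S+) "
    r"(?:to|from) (?P<mac>[0-9a-f:]{17})(?: \((?P<host>[^)]*)\))?"
)

def parse_events(log_text):
    """Yield (timestamp, kind, ip, mac, hostname) for each ACK/RELEASE line."""
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if m:
            kind = "ACK" if m["kind"].startswith("DHCPACK") else "RELEASE"
            yield datetime.fromisoformat(m["ts"]), kind, m["ip"], m["mac"], m["host"]

def holder_at(log_text, ip, when):
    """Return (mac, hostname) holding `ip` at time `when`, or None.

    The same address can be leased to different devices over time, so the
    answer is the latest ACK at or before `when` that was not later released.
    """
    holder = None
    for ts, kind, ev_ip, mac, host in sorted(parse_events(log_text), key=lambda e: e[0]):
        if ev_ip != ip or ts > when:
            continue  # other address, or event after the observation time
        holder = (mac, host) if kind == "ACK" else None
    return holder

if __name__ == "__main__":
    seen = datetime(2024, 3, 2, 14, 10)  # constructed time of the suspicious DNS traffic
    print(holder_at(SAMPLE_LOG, "10.0.5.23", seen))
```

Querying by the time the traffic was observed matters here: looking up the same address an hour later would point at a different network card.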
