Scan 21
This
month's challenge is to make sense of a seemingly innocuous flurry of UDP
packets. All submissions are due no later then
Skill
Level: Intermediate
The Challenge:
On the evening of
Feb 15th, three different members of the Honeynet
Research Alliance received a flurry of strange UDP packets, that at first look
seemed to have no apparent purpose. This month's Scan of the Month challenge is
to understand the purpose of these packets. Using the Snort binary capture of
one of the Honeynets, answer the following questions.
The Honeynet that is scanned is on the 172.16.1.0/24
network. Also, keep in mind these packets were recorded on a system in the GMT timezone. When reviewing this binary capture on your
system, it may convert the times of the packet captures to the local timezone of your system. Send all submissions to sotm@honeynet.org
Download:
0215@000-snort.log.tar.gz
MD5 = 58abd0cb0cbe4c31930225dd229352a5
- What is the attacker attempting to achieve?
- How does UDP work to achieve this purpose?
- Why is the attacker using random src
and dst UDP ports and random IP addresses?
- Are all the packets originating from the same machine
or different ones?
- How can the attacker view the responses to his probes?
Bonus
Question:
- Can the attacker fingerprint the OS of the victim
systems?
The Results:
This months judging and team write-up were done by the Honeynet
Research Alliance, specifically Paladion
Networks' Honeynet Research team.
Writeup from the Honeynet
Project / Honeynet Research
Paladion Networks
Writeup from the Security Community.
Best Entry
Next 10 Entries
Ian Cuthbertson
Javier Fernández-Sanguino
Peña
Justin Wright
Marek Gutkowski
Bo Adler
Dan MacDonald
