What is the major difference between the traffic under normal and flood attack situations? Explain in detail what you find.
WHAT IS A SYN FLOOD ATTACK?

A SYN flood is a transport layer attack that exploits a weakness in the TCP network connection sequence. The sequence, called the three-way handshake, normally works as follows:

1. The client initiates a TCP connection by sending the server a SYN packet.
2. The server adds this request to a SYN queue and sends the client a SYN-ACK packet with a sequence number.
3. The client responds with an ACK packet that includes the sequence number from the SYN-ACK.
4. The server uses the sequence number to look up the SYN queue entry holding the information about this connection request and sets up the connection.

In a SYN flood attack, attackers send multiple SYN requests to a server but do not respond to the SYN-ACKs. Eventually the server's SYN queue fills up and the server stops servicing SYN requests. Even requests from legitimate clients are dropped, resulting in a Denial of Service (DoS). SYN queue entries without corresponding ACKs eventually time out and are removed. However, it is easy for clients to send SYN requests fast enough to keep the queue full, even as old entries time out.
LAB TASKS

TASK 1: STUDY TCP TRAFFIC UNDER NORMAL OPERATING CONDITIONS

1. Select the appropriate interface.
2. Start packet capture.
3. Use the display filter tcp (no quotations) to view TCP packets.

TASK 2: STUDY A SYN FLOOD ATTACK

In the next lab we will use programs in Python and C to launch SYN flood attacks. For this lab, we will use Wireshark to study the packets produced by a SYN flood attack at an earlier time. First we examine the traffic captured during a flood attack generated by a Python program. This traffic was saved in a Wireshark capture file. To view the capture file, do the following:

1. Open the capture file FLOOD_PY.pcapng.
2. Select the tcp display filter.
Lab report question #1: What is the major difference between the traffic under normal and flood attack situations? Explain in detail what you find.
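The difference the question is after (many SYNs, one SYN-ACK each, and almost no completing ACKs, coming from many source addresses) can be measured rather than eyeballed. The following script is an added example, not part of the lab handout or its capture files: it parses constructed packet summaries laid out in tshark field order (frame.time_relative, ip.src, ip.dst, tcp.srcport, tcp.dstport, flags), tracks each connection attempt through the three-way handshake, and reports how many attempts were left half-open. The flags column uses a constructed shorthand (S, SA, A, PA) rather than Wireshark's hex tcp.flags value, and the server address 10.0.0.1 and the sample lines are assumptions made up for the example.

```python
from collections import namedtuple

# Constructed sample captures (not from FLOOD_PY.pcapng). Field order mirrors a
# tshark "-T fields" export: time src dst sport dport flags. The flags column is
# a constructed shorthand: S = SYN, SA = SYN/ACK, A = ACK, PA = PSH/ACK.
NORMAL_CAPTURE = """\
0.000 10.0.0.5 10.0.0.1 40001 80 S
0.001 10.0.0.1 10.0.0.5 80 40001 SA
0.002 10.0.0.5 10.0.0.1 40001 80 A
0.010 10.0.0.5 10.0.0.1 40001 80 PA
0.050 10.0.0.6 10.0.0.1 40002 80 S
0.051 10.0.0.1 10.0.0.6 80 40002 SA
0.052 10.0.0.6 10.0.0.1 40002 80 A
"""

# Flood pattern: one SYN per source, a SYN-ACK from the server, and no ACK ever
# returns, so every entry stays in the SYN queue until it times out.
FLOOD_CAPTURE = """\
0.000 198.51.100.7 10.0.0.1 1025 80 S
0.000 10.0.0.1 198.51.100.7 80 1025 SA
0.001 198.51.100.8 10.0.0.1 1026 80 S
0.001 10.0.0.1 198.51.100.8 80 1026 SA
0.002 198.51.100.9 10.0.0.1 1027 80 S
0.002 10.0.0.1 198.51.100.9 80 1027 SA
0.003 198.51.100.10 10.0.0.1 1028 80 S
0.003 10.0.0.1 198.51.100.10 80 1028 SA
"""

Packet = namedtuple("Packet", "t src dst sport dport flags")


def parse(text):
    """Turn whitespace-separated summary lines into Packet records."""
    pkts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, sport, dport, flags = line.split()
        pkts.append(Packet(float(t), src, dst, int(sport), int(dport), flags))
    return pkts


def analyze(text, server_ip):
    """Summarise handshake state for every connection attempt to server_ip."""
    pkts = parse(text)
    syn_keys = set()   # (client, cport, server, sport) for each SYN seen
    completed = set()  # keys whose handshake finished with a client ACK
    synack = 0
    sources = set()
    for p in pkts:
        if p.dst == server_ip and p.flags == "S":
            syn_keys.add((p.src, p.sport, p.dst, p.dport))
            sources.add(p.src)
        elif p.src == server_ip and p.flags == "SA":
            synack += 1
        elif p.dst == server_ip and "A" in p.flags and "S" not in p.flags:
            key = (p.src, p.sport, p.dst, p.dport)
            if key in syn_keys:
                completed.add(key)  # third step of the handshake (or later data)
    span = max(pkts[-1].t - pkts[0].t, 1e-3) if pkts else 1e-3
    syn = len(syn_keys)
    return {
        "syn": syn,
        "synack": synack,
        "completed": len(completed),
        "half_open": syn - len(completed),
        "distinct_sources": len(sources),
        "syn_per_second": syn / span,
        "completion_ratio": len(completed) / syn if syn else 1.0,
    }


def classify(stats, max_half_open_fraction=0.5):
    """Label a capture 'flood' when most SYNs never complete the handshake."""
    if stats["syn"] == 0:
        return "normal"
    if stats["half_open"] / stats["syn"] > max_half_open_fraction:
        return "flood"
    return "normal"


if __name__ == "__main__":
    for name, text in (("normal", NORMAL_CAPTURE), ("flood", FLOOD_CAPTURE)):
        stats = analyze(text, "10.0.0.1")
        print(name, classify(stats), stats)
```

On the constructed input the normal capture reports zero half-open connections and a completion ratio of 1.0, while the flood capture reports every SYN left half-open, a SYN-ACK for each, four distinct sources and a far higher SYN rate. To run it against a real capture, a tshark export such as `tshark -r FLOOD_PY.pcapng -T fields -e frame.time_relative -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags` produces the same column order, but the flags column would then be the hex tcp.flags value and would need mapping to the shorthand before parsing.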