Question 2
Why is it important for security analysts to understand how ICMP works and what normal ICMP activity looks like?
- to determine when ICMP is broken
- to spot misuses of TCP discovery packets and rogue devices
- to spot Denial of Service attacks
- to spot ARP Poisoning attacks
(1 point)
Added by Sebastian S.
Step 1
ICMP is primarily used for error messages and operational information exchange, such as ping requests and responses.
Recommended Videos
Basic attack analysis:
1. Look at captures no. 20 and 22. (You can use the "Go" link at the top of the Wireshark screen to quickly go to a specific capture.) Both packets are ICMP traffic, but there are subtle differences between them. Compare the time-to-live and data field sizes in the two packets. What differences do you see?
2. Do a little Internet research to discover which operating systems use the specific values in their ping commands. What operating system generated the echo request in capture 20?
3. Review packet no. 37 and beyond. What do you think is taking place here?
4. Look at capture 22846. What is suspicious about the flag settings in this packet?
5. What is the IP address of the host being targeted?
On a Thursday afternoon, a network intrusion detection sensor records vulnerability scanning activity directed at internal hosts that is being generated by an internal IP address. Because the intrusion detection analyst is unaware of any authorized, scheduled vulnerability scanning activity, she reports the activity to the incident response team. When the team begins the analysis, it discovers that the activity has stopped and that there is no longer a host using the IP address. The following are additional questions for this scenario:
1. What data sources might contain information regarding the identity of the vulnerability scanning host?
2. How would the team identify who had been performing the vulnerability scans?
3. How would the handling of this incident differ if the vulnerability scanning were directed at the organization's most critical hosts?
4. How would the handling of this incident differ if the vulnerability scanning were directed at external hosts?
5. How would the handling of this incident differ if the internal IP address was associated with the organization's wireless guest network?
6. How would the handling of this incident differ if the physical security staff discovered that someone had broken into the facility half an hour before the vulnerability scanning occurred?
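The first two questions in the scenario above come down to correlating the alert's source IP and time against logs that tie IPs to hardware and people: DHCP lease logs, 802.1X/RADIUS accounting, switch MAC address tables and NAC records. The following is an added example, not part of the original scenario or any product, showing that correlation in Python. The dhcpd syslog lines and RADIUS accounting lines are constructed for the example; the year (dhcpd lines carry none), the fixed one-hour lease length and the field layout of the accounting log are assumptions.

```python
import re
from datetime import datetime, timedelta

LOG_YEAR = 2024  # assumption: dhcpd syslog lines carry no year

# Constructed ISC dhcpd syslog excerpt (not from any real network).
DHCP_LOG = """\
Mar 14 09:02:41 dhcp1 dhcpd: DHCPACK on 10.1.5.23 to 00:11:22:33:44:55 (print-svc) via eth0
Mar 14 13:40:12 dhcp1 dhcpd: DHCPACK on 10.1.5.23 to 3c:52:82:11:22:33 (kali-laptop) via eth0
Mar 14 13:41:03 dhcp1 dhcpd: DHCPACK on 10.1.5.24 to 00:aa:bb:cc:dd:ee (dc-wks-17) via eth0
Mar 14 15:10:55 dhcp1 dhcpd: DHCPACK on 10.1.5.23 to 00:11:22:33:44:55 (print-svc) via eth0
"""

# Constructed 802.1X / RADIUS accounting excerpt (assumed key=value layout).
RADIUS_ACCT = """\
2024-03-14T13:40:10 Acct-Start user=jdoe mac=3c:52:82:11:22:33 nas=SW-Floor2 port=Gi1/0/14
2024-03-14T13:41:01 Acct-Start user=svc-dc mac=00:aa:bb:cc:dd:ee nas=SW-Floor2 port=Gi1/0/20
2024-03-14T14:31:44 Acct-Stop user=jdoe mac=3c:52:82:11:22:33 nas=SW-Floor2 port=Gi1/0/14
"""

DHCP_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to (\S+)(?: \((\S+)\))? via"
)
ACCT_RE = re.compile(r"^(\S+) (Acct-\w+) user=(\S+) mac=(\S+) nas=(\S+) port=(\S+)")


def parse_dhcp(log):
    """Extract (time, ip, mac, hostname) from every DHCPACK line."""
    leases = []
    for line in log.splitlines():
        m = DHCP_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        leases.append({"time": ts, "ip": m.group(2), "mac": m.group(3), "hostname": m.group(4)})
    return leases


def lease_holder(leases, ip, when, lease_seconds=3600):
    """Return the lease that covered `ip` at `when`, or None.
    Assumes a fixed lease length with no renewal tracking; the latest DHCPACK
    that is still inside its lease window wins."""
    best = None
    for lease in leases:
        if lease["ip"] != ip or lease["time"] > when:
            continue
        if when - lease["time"] > timedelta(seconds=lease_seconds):
            continue  # lease had expired before the alert
        if best is None or lease["time"] > best["time"]:
            best = lease
    return best


def parse_acct(log):
    """Build sessions (start, stop, user, nas, port) per MAC from Acct-Start/Stop."""
    sessions = []
    for line in log.splitlines():
        m = ACCT_RE.match(line)
        if not m:
            continue
        ts, kind, user, mac, nas, port = m.groups()
        ts = datetime.fromisoformat(ts)
        if kind == "Acct-Start":
            sessions.append({"start": ts, "stop": None, "user": user, "mac": mac, "nas": nas, "port": port})
        elif kind == "Acct-Stop":
            for s in sessions:
                if s["mac"] == mac and s["stop"] is None:
                    s["stop"] = ts
    return sessions


def session_at(sessions, mac, when):
    for s in sessions:
        if s["mac"] == mac and s["start"] <= when and (s["stop"] is None or when <= s["stop"]):
            return s
    return None


def identify_scanner(alert_ip, alert_time_iso, dhcp_log=DHCP_LOG, acct_log=RADIUS_ACCT):
    """Pivot IDS alert (ip, time) -> DHCP lease (mac, hostname) -> 802.1X session (user, switch port)."""
    when = datetime.fromisoformat(alert_time_iso)
    result = {"ip": alert_ip, "mac": None, "hostname": None, "user": None, "nas": None, "port": None}
    lease = lease_holder(parse_dhcp(dhcp_log), alert_ip, when)
    if lease is None:
        return result
    result.update(mac=lease["mac"], hostname=lease["hostname"])
    session = session_at(parse_acct(acct_log), lease["mac"], when)
    if session:
        result.update(user=session["user"], nas=session["nas"], port=session["port"])
    return result


if __name__ == "__main__":
    # Constructed alert time: scanning seen at 14:05 on the same day.
    print(identify_scanner("10.1.5.23", "2024-03-14T14:05:00"))
```

The lease-window check matters: by the time the team looks, the address has already been handed to another host (the 15:10 DHCPACK), so the current ARP cache or DHCP lease table points at the wrong machine. Only the lease that was active at the alert timestamp identifies the scanner.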
An analyst is reviewing the following output as part of an incident:
ICMP ECHO REQUEST 192.168.1.10 -> 10.20.30.40 Length=10 ABCDEFGHIJ
ICMP ECHO REQUEST 192.168.1.10 -> 10.20.30.40 Length=15 ABCDEFGHIJ
ICMP ECHO REQUEST 192.168.1.10 -> 10.20.30.40 Length=20 ABCDEFGHIJ1234567890
Which of the following is MOST likely happening?
- The hosts are part of a reflective denial-of-service attack.
- Information is leaking from the memory of host 10.20.30.40.
- Sensitive data is being exfiltrated by host 192.168.1.10.
- Host 192.168.1.10 is performing firewall port knocking.
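Both the Wireshark exercise above (TTL and data-field size as an operating-system tell) and this question (echo requests whose payload size and contents keep changing) rest on knowing what a stock ping looks like. The following is an added example, not code from the original page or from any tool, that parses echo-request summary lines in Python, guesses the originating ping implementation from initial TTL plus payload, and flags flows whose payloads do not behave like a stock ping. The three lines from the question are reused as input; the two additional "normal" lines, the optional TTL= field and the hex rendering of the Linux payload are constructed for the example. The defaults it relies on are the well-known ones: Windows ping sends 32 data bytes (`abcdefghijklmnopqrstuvwabcdefghi`) with TTL 128, Linux ping sends 56 data bytes (an 8-byte timestamp followed by bytes 0x10, 0x11, ...) with TTL 64.

```python
import re
from collections import defaultdict

WINDOWS_PAYLOAD = "abcdefghijklmnopqrstuvwabcdefghi"  # 32 bytes, Windows ping default
# Linux ping default, rendered as hex: 8-byte timestamp (zeroed placeholder here)
# followed by the incrementing filler bytes 0x10..0x37 (56 bytes total).
LINUX_PAYLOAD = "00" * 8 + "".join(f"{b:02x}" for b in range(0x10, 0x38))

# Constructed sample: the three lines from the question plus two constructed
# "normal" echo requests (assumption: the tool prints an optional TTL= field
# and the payload as a text/hex token).
SAMPLE_OUTPUT = f"""\
ICMP ECHO REQUEST 192.168.1.10 -> 10.20.30.40 Length=10 ABCDEFGHIJ
ICMP ECHO REQUEST 192.168.1.10 -> 10.20.30.40 Length=15 ABCDEFGHIJ
ICMP ECHO REQUEST 192.168.1.10 -> 10.20.30.40 Length=20 ABCDEFGHIJ1234567890
ICMP ECHO REQUEST 192.168.1.20 -> 10.20.30.40 TTL=127 Length=32 {WINDOWS_PAYLOAD}
ICMP ECHO REQUEST 192.168.1.30 -> 10.20.30.40 TTL=63 Length=56 {LINUX_PAYLOAD}
"""

LINE_RE = re.compile(
    r"ICMP ECHO REQUEST (?P<src>\S+) -> (?P<dst>\S+)"
    r"(?: TTL=(?P<ttl>\d+))? Length=(?P<length>\d+)(?: (?P<data>\S+))?"
)


def initial_ttl(ttl):
    """Round an observed TTL up to the initial value the sender most likely
    used (64, 128 or 255); every router hop on the path decrements it by one."""
    for start in (64, 128, 255):
        if ttl <= start:
            return start
    return None


def fingerprint(ttl, length, data):
    """Guess the originating ping implementation from initial TTL + payload."""
    start = initial_ttl(ttl) if ttl is not None else None
    if start == 128 and length == 32 and data == WINDOWS_PAYLOAD:
        return "Windows ping"
    if start == 64 and length == 56 and data.endswith(LINUX_PAYLOAD[16:]):
        return "Linux/Unix ping"
    return "non-default"


def parse(text):
    packets = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ttl = int(m["ttl"]) if m["ttl"] else None
        length, data = int(m["length"]), m["data"] or ""
        packets.append({"src": m["src"], "dst": m["dst"], "ttl": ttl, "length": length,
                        "data": data, "os": fingerprint(ttl, length, data)})
    return packets


def analyze(text):
    """Group echo requests per (src, dst) and flag payload behaviour that a
    stock ping never shows: sizes or contents that change from request to
    request, or payloads that match no known default. ICMP tunnelling and
    exfiltration tools carry their data in exactly this field."""
    flows = defaultdict(list)
    for p in parse(text):
        flows[(p["src"], p["dst"])].append(p)
    report = {}
    for key, pkts in flows.items():
        flags = []
        if len({p["length"] for p in pkts}) > 1:
            flags.append("variable payload length")
        if len({p["data"] for p in pkts}) > 1:
            flags.append("payload contents change between requests")
        if any(p["os"] == "non-default" for p in pkts):
            flags.append("payload not a known ping default")
        report[key] = {"packets": len(pkts), "os": sorted({p["os"] for p in pkts}), "flags": flags}
    return report


if __name__ == "__main__":
    for (src, dst), info in analyze(SAMPLE_OUTPUT).items():
        print(f"{src} -> {dst}: {info}")
```

The TTL rounding is deliberate: an echo request captured a few hops from its source shows 127 or 63, not 128 or 64, so matching on the exact default would miss most real traffic. Conversely, a hand-crafted packet can copy any TTL and payload, so the fingerprint is a hint for triage, not proof of the sending OS.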