Assignment Task
Overview
In this task we will use nfdump and Argus to examine firewall and flow records, to determine what happened during an attack.
Having examined the firewall logs, we will now look at the internal flows of our network. Using your knowledge of the IP that was attacked, and the NAT table above, look for any unusual network flows in the internal traffic. You can discount all traffic on ports 53 and 514 as administrative (DNS and syslog).
Look through the list of events. The attack here went through two stages. What were those stages? If there was any success, what IP addresses were victimized? What application do you think was involved here?
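The triage steps described above (discard administrative flows on ports 53 and 514, then look for a host that touched many ports on the victim followed by a session that actually carried data) can be scripted once the flow records are exported to text. The following is an added example written for this page, not part of the assignment or of nfdump/Argus: the CSV column names, the function names and the flow records are all constructed for illustration, and nfdump's own CSV export uses different column headers.

```python
"""Flow-record triage helper (added example; constructed data, hypothetical column names)."""
from collections import defaultdict
import csv
import io

# Ports the assignment says to discount as administrative traffic.
ADMIN_PORTS = {53, 514}

# Constructed sample records in a simplified CSV layout (not real nfdump/Argus output).
SAMPLE_FLOWS = """\
ts,proto,src,sport,dst,dport,packets,bytes
2024-01-01 10:00:01,UDP,10.0.0.5,51000,10.0.0.2,53,2,180
2024-01-01 10:00:02,UDP,10.0.0.7,51111,10.0.0.2,514,1,120
2024-01-01 10:00:05,TCP,10.0.0.9,40001,10.0.0.20,21,1,60
2024-01-01 10:00:05,TCP,10.0.0.9,40002,10.0.0.20,22,1,60
2024-01-01 10:00:05,TCP,10.0.0.9,40003,10.0.0.20,80,1,60
2024-01-01 10:00:05,TCP,10.0.0.9,40004,10.0.0.20,443,1,60
2024-01-01 10:00:05,TCP,10.0.0.9,40005,10.0.0.20,445,1,60
2024-01-01 10:00:06,TCP,10.0.0.9,40006,10.0.0.20,3389,1,60
2024-01-01 10:00:30,TCP,10.0.0.9,40100,10.0.0.20,445,420,612000
2024-01-01 10:00:40,TCP,10.0.0.11,50000,10.0.0.2,53,1,80
"""


def parse_flows(text):
    """Parse CSV flow records into dicts with integer ports and counters."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "ts": row["ts"], "proto": row["proto"],
            "src": row["src"], "sport": int(row["sport"]),
            "dst": row["dst"], "dport": int(row["dport"]),
            "packets": int(row["packets"]), "bytes": int(row["bytes"]),
        })
    return flows


def drop_admin(flows, admin_ports=ADMIN_PORTS):
    """Remove flows whose source or destination port is administrative (DNS, syslog)."""
    return [f for f in flows if f["sport"] not in admin_ports and f["dport"] not in admin_ports]


def port_sweeps(flows, min_ports=5):
    """Stage 1 indicator: src->dst pairs where one source probed many distinct ports.

    Returns {(src, dst): sorted list of destination ports} for pairs at or above the threshold.
    """
    seen = defaultdict(set)
    for f in flows:
        seen[(f["src"], f["dst"])].add(f["dport"])
    return {pair: sorted(ports) for pair, ports in seen.items() if len(ports) >= min_ports}


def established_sessions(flows, min_packets=10):
    """Stage 2 indicator: flows with enough packets to be a real session rather than a single probe."""
    return [f for f in flows if f["packets"] >= min_packets]


def triage(text):
    """Run the whole pipeline: filter admin noise, find sweeps, then sessions that followed a sweep."""
    flows = drop_admin(parse_flows(text))
    sweeps = port_sweeps(flows)
    # Only sessions between a pair that was already sweeping are interesting here:
    # they show which probed port actually answered and carried traffic.
    sessions = [f for f in established_sessions(flows) if (f["src"], f["dst"]) in sweeps]
    return {"remaining_flows": len(flows), "sweeps": sweeps, "sessions": sessions}


if __name__ == "__main__":
    result = triage(SAMPLE_FLOWS)
    for (src, dst), ports in result["sweeps"].items():
        print(f"sweep: {src} -> {dst} ports {ports}")
    for s in result["sessions"]:
        print(f"session: {s['src']}:{s['sport']} -> {s['dst']}:{s['dport']} "
              f"{s['packets']} pkts {s['bytes']} bytes at {s['ts']}")
```

On the constructed data the script reports one sweeping pair and one follow-on session, which is the shape of evidence the questions below ask you to recover from the real records: which host probed which, which port answered, and whether data actually moved. The packet and port thresholds are arbitrary starting points; tune them against the volume of your own capture.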
Questions
What were the stages of the attack?
What IPs were involved?
How did the attacker try to make use of any open ports?
Was the attacker successful?