# Exercise 4
## 2. Metadata and Univariate Analysis
Top TCP flag combinations discovered and their percentages (rounded):
| TCP Flag | % |
|----------|-----:|
| S | 77.8 |
| A | 9.8 |
| RA | 5.3 |
#### Check carefully the top TCP-flag values discovered and their percentages. Does it make sense to you? Why? Make sure that you understand flag values, their use and meaning.
TODO
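
To make the flag letters concrete, here is an added example (my code, not the team's report) that decodes the TCP flags byte into the letter notation used in the table above, tabulates a flag distribution, and applies one plausibility check: how many of the SYNs were answered at all. The packet sample is constructed and is not the team's capture; the check and its reading are my addition.

```python
"""Decode the TCP flags byte into the letter notation of the table above
and tabulate a flag distribution.

Added example, not code from the team's report. The packet sample is
constructed; the real percentages come from the team's own capture.
"""
from collections import Counter

# Bit -> letter in the order scapy-style summaries print them, so that
# SYN+ACK renders as "SA" and RST+ACK as "RA" (RFC 793 flags; E/C from RFC 3168).
TCP_FLAG_BITS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                 (0x10, "A"), (0x20, "U"), (0x40, "E"), (0x80, "C"))


def decode_flags(flag_byte: int) -> str:
    """0x02 -> 'S', 0x12 -> 'SA', 0x14 -> 'RA', 0x18 -> 'PA'."""
    if not 0 <= flag_byte <= 0xFF:
        raise ValueError("the TCP flags field is a single byte")
    return "".join(letter for bit, letter in TCP_FLAG_BITS if flag_byte & bit)


def encode_flags(letters: str) -> int:
    """Inverse of decode_flags: 'RA' -> 0x14."""
    value = 0
    for letter in letters:
        bit = next((b for b, l in TCP_FLAG_BITS if l == letter), None)
        if bit is None:
            raise ValueError(f"unknown TCP flag letter {letter!r}")
        value |= bit
    return value


def flag_distribution(flag_bytes) -> dict:
    """Percentage of packets per flag combination, rounded to one decimal,
    ordered from most to least common."""
    counts = Counter(decode_flags(b) for b in flag_bytes)
    total = sum(counts.values())
    return {flags: round(100.0 * n / total, 1) for flags, n in counts.most_common()}


def answered_syn_ratio(flag_bytes) -> float:
    """Plausibility check for a flag table: (SA + RA) seen per S seen.

    In ordinary two-way traffic every bare S is answered, by an SA if the port
    is open or an RA if it is closed, so this ratio sits near 1 and bare S is
    a minority of packets. A capture where S dominates and SA/RA are almost
    absent consists of connection attempts that were never answered:
    scanning, a flooded or filtered target, or a one-way capture point.
    Returns 0.0 if no SYNs were seen.
    """
    counts = Counter(decode_flags(b) for b in flag_bytes)
    if not counts["S"]:
        return 0.0
    return round((counts["SA"] + counts["RA"]) / counts["S"], 3)


# Constructed sample (not the team's capture): mostly unanswered SYNs.
SAMPLE_FLAG_BYTES = ([0x02] * 14      # S : bare SYNs
                     + [0x10] * 2     # A : pure ACKs
                     + [0x14]         # RA: RST+ACK, port closed
                     + [0x12])        # SA: SYN+ACK


if __name__ == "__main__":
    for flags, pct in flag_distribution(SAMPLE_FLAG_BYTES).items():
        print(f"{flags:<4}{pct:>6.1f} %")
    print("answered SYN ratio:", answered_syn_ratio(SAMPLE_FLAG_BYTES))
```

The reading to take from such a table: a bare S is only the first packet of a handshake, so a capture in which S is by far the largest bucket while SA is absent from the top values contains mostly connection attempts that nobody completed, which is what scanning, a SYN flood, or a darknet-style capture point look like.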
#### Does the TTL plot show mountain-like shapes? (see plot team13_ex4_2.jpeg). If so, can you figure out why?
Different IP stacks start with different initial TTL values (common defaults are 64, 128 and 255), so it is normal that the TTLs seen in a capture differ. Every router on the path (each hop between source and target) decrements the TTL by one before forwarding, so the values observed at the capture point cluster a few units below each default. Each cluster is one mountain: its right edge is the initial value, and the distance from that edge is the number of hops between the sender and the capture point.
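
As an added example of this mechanism (my code, not the team's), the following infers the likely initial TTL and hop distance from an observed value and groups a sample into the mountains of a TTL histogram. The set of defaults is an assumption (common OS and device values), and the TTL sample is constructed, not the data behind team13_ex4_2.jpeg.

```python
"""Infer initial TTL and hop distance from observed IP TTL values and
group a sample into the 'mountains' of a TTL histogram.

Added example, not the team's code. The default set is an assumption
(common OS/device defaults) and the TTL sample is constructed, not the
data behind team13_ex4_2.jpeg.
"""
from collections import Counter

# Initial TTLs set by common IP stacks: 64 (Linux, macOS, BSD), 128 (Windows),
# 255 (many routers and network appliances), 32 (some older systems).
DEFAULT_INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(observed: int) -> int:
    """Smallest common default that is >= the observed value.

    Every router decrements TTL by one, so 57 most plausibly started at 64
    (7 hops away) rather than at 128 (71 hops away).
    """
    if not 0 <= observed <= 255:
        raise ValueError("TTL is an 8-bit field")
    return next(d for d in DEFAULT_INITIAL_TTLS if d >= observed)


def hop_distance(observed: int) -> int:
    """Hops between the sender and the capture point, under the inferred default."""
    return infer_initial_ttl(observed) - observed


def ttl_mountains(ttls) -> dict:
    """Group observed TTLs by inferred initial value.

    Each group is one mountain of the histogram: its right edge is the
    default, the bulk sits a few hops below it. Returns
    {initial_ttl: (packet_count, most_common_hop_distance)}.
    """
    groups = {}
    for t in ttls:
        groups.setdefault(infer_initial_ttl(t), []).append(t)
    return {init: (len(vals), Counter(init - v for v in vals).most_common(1)[0][0])
            for init, vals in sorted(groups.items())}


# Constructed sample: three clusters just below 64, 128 and 255.
SAMPLE_TTLS = [52, 53, 54, 55, 55, 56, 57,
               116, 117, 118, 119, 119, 120,
               244, 245, 245]


if __name__ == "__main__":
    for init, (n, hops) in ttl_mountains(SAMPLE_TTLS).items():
        print(f"initial TTL {init:3d}: {n:2d} packets, typical distance {hops} hops")
```

The grouping is only a heuristic: a host with a default of 128 that is more than 64 hops away would be filed under 128 correctly, but a default of 255 seen after 130 hops would land in the 128 group. In practice hop counts above about 30 are rare, so the mountains stay well separated.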
## 3. Bivariate Analysis
#### Think about it...

Check both flows required in [rep-23]. Can you identify what kind of traffic it is in each case? Do you think that any of them might be malicious?
Important! Carefully consider the AGM vector again. Think about the kind of flow values/profiles that you would get in the following scenarios (remember that the AGM vector can be configured to profile destinations as well as sources):
- Horizontal scan.
- Vertical scan.
- Brute-force attack.
- DDoS attack.
- Backscatter.
- Normal server.
- Vulnerable, flooded server.
You should be able to see that some of the previous traffic scenarios are quite easy to spot by using the AGM vector, but not all of them.
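
To see which of the scenarios stand out and which do not, here is an added example (my code, not the team's, and not the course's AGM definition, which this page does not reproduce): a simplified AGM-like profile with five fields per source or per destination, applied to constructed packets for the scan, brute-force, flood, backscatter and normal-server scenarios. The field set, the thresholds in the label functions and all packet records are assumptions.

```python
"""Per-source / per-destination profile vectors in the spirit of the AGM vector,
applied to constructed traffic for the scenarios listed above.

Added example, not the team's code. The field set (packets, distinct peers,
distinct peer ports, distinct own ports, set of flag combinations) and the
thresholds in the label functions are assumptions, not the course's exact
AGM definition. All packet records are constructed.
"""
from collections import defaultdict

# Packet record (constructed format): (src_ip, src_port, dst_ip, dst_port, flags)
# with flags in the letter notation of the table above ("S", "SA", "PA", ...).


def profile(packets, side="src") -> dict:
    """One vector per IP, profiling it as sender (side="src") or receiver (side="dst")."""
    acc = defaultdict(lambda: {"pkts": 0, "peers": set(), "peer_ports": set(),
                               "own_ports": set(), "flags": set()})
    for src, sport, dst, dport, flags in packets:
        if side == "src":
            own, own_port, peer, peer_port = src, sport, dst, dport
        elif side == "dst":
            own, own_port, peer, peer_port = dst, dport, src, sport
        else:
            raise ValueError("side must be 'src' or 'dst'")
        v = acc[own]
        v["pkts"] += 1
        v["peers"].add(peer)
        v["peer_ports"].add(peer_port)
        v["own_ports"].add(own_port)
        v["flags"].add(flags)
    return {ip: {"pkts": v["pkts"], "peers": len(v["peers"]),
                 "peer_ports": len(v["peer_ports"]), "own_ports": len(v["own_ports"]),
                 "flag_set": frozenset(v["flags"])}
            for ip, v in acc.items()}


def label_source(v, many=10) -> str:
    """Heuristic reading of a sender-side vector (threshold 'many' is an assumption)."""
    if v["peers"] >= many and v["peer_ports"] == 1 and v["flag_set"] == {"S"}:
        return "horizontal scan"             # one service probed on many hosts
    if v["peers"] == 1 and v["peer_ports"] >= many and v["flag_set"] == {"S"}:
        return "vertical scan"               # many ports probed on one host
    if (v["peers"] == 1 and v["peer_ports"] == 1 and v["own_ports"] >= many
            and "PA" in v["flag_set"]):
        return "repeated sessions to one service (brute force or just a busy client)"
    if "S" not in v["flag_set"] and v["flag_set"] <= {"SA", "RA"} and v["peers"] >= many:
        return "replies only (backscatter or a normal server answering)"
    return "unclassified"


def label_destination(v, many=10) -> str:
    """Heuristic reading of a receiver-side vector."""
    if v["peers"] >= many and v["own_ports"] == 1:
        if v["flag_set"] == {"S"}:
            return "SYN flood target (DDoS / flooded server)"
        if {"S", "A"} <= v["flag_set"]:
            return "normal server (handshakes complete)"
    return "unclassified"


def constructed_traffic() -> list:
    """Constructed packets for the scenarios above; no real capture."""
    pk = []
    # Horizontal scan: 10.0.0.1 sends one SYN to port 22 on twelve hosts.
    pk += [("10.0.0.1", 40000 + i, f"192.0.2.{i}", 22, "S") for i in range(1, 13)]
    # Vertical scan: 10.0.0.2 sends one SYN to each of twelve ports on one host.
    pk += [("10.0.0.2", 41000 + p, "192.0.2.50", p, "S") for p in range(20, 32)]
    # Brute force: 10.0.0.3 completes twelve sessions to 192.0.2.60:22, each with data.
    for i in range(12):
        pk += [("10.0.0.3", 42000 + i, "192.0.2.60", 22, f) for f in ("S", "A", "PA")]
    # SYN flood: twelve spoofed sources hit 192.0.2.70:80 with SYNs only ...
    pk += [(f"198.51.100.{i}", 50000 + i, "192.0.2.70", 80, "S") for i in range(1, 13)]
    # ... and the backscatter: the victim answers each spoofed source with a SYN-ACK.
    pk += [("192.0.2.70", 80, f"198.51.100.{i}", 50000 + i, "SA") for i in range(1, 13)]
    # Normal server: twelve clients complete a handshake with 192.0.2.80:443 and send data.
    pk += [(f"203.0.113.{i}", 51000 + i, "192.0.2.80", 443, f)
           for i in range(1, 13) for f in ("S", "A", "PA")]
    return pk


if __name__ == "__main__":
    pk = constructed_traffic()
    for ip, v in profile(pk, "src").items():
        if v["pkts"] >= 10:
            print("src", ip, v["pkts"], v["peers"], v["peer_ports"], v["own_ports"],
                  sorted(v["flag_set"]), "->", label_source(v))
    for ip, v in profile(pk, "dst").items():
        if v["pkts"] >= 10:
            print("dst", ip, v["pkts"], v["peers"], v["peer_ports"], v["own_ports"],
                  sorted(v["flag_set"]), "->", label_destination(v))
```

Run this way, the two scans stand out from the source side (many peers with one peer port, or one peer with many peer ports, and nothing but bare SYNs), and the flood stands out from the destination side (many peers on one own port, SYNs only). The other scenarios are exactly the hard ones: the brute-force source looks like any client that reconnects often, and the backscatter source profile is the same as a busy legitimate server answering its clients; telling them apart needs the other direction of the traffic (did anyone ever send that host a SYN, and does data follow the handshake), which a one-sided profile does not carry.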
TODO