CompTIA Security+ (SY0-501) — Question 538

A security analyst is investigating a call from a user regarding one of the websites receiving a 503: Service Unavailable error. The analyst runs a `netstat -an` command to discover if the web server is up and listening. The analyst receives the following output:
TCP 10.1.5.2:80 192.168.2.112:60973 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60974 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60975 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60976 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60977 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60978 TIME_WAIT
Which of the following types of attack is the analyst seeing?

Answer options

Correct answer: C

Explanation

The correct answer is C, Denial of service (DoS). The run of TIME_WAIT connections to the web server on port 80 suggests an overwhelming number of requests, which is characteristic of a DoS attack. The other options, such as buffer overflow, domain hijacking, and ARP poisoning, do not typically manifest as a high number of connections in the TIME_WAIT state.