Computer Hacking Forensic Investigator (CHFI v10) — Question 225
Recently, an internal web app that a government agency utilizes has become unresponsive. Betty, a network engineer for the government agency, has been tasked with determining the cause of the web application's unresponsiveness. Betty launches Wireshark and begins capturing the traffic on the local network. While analyzing the results, Betty noticed that a SYN flood attack was underway. How did Betty know a SYN flood attack was occurring?
Answer options
- A. Wireshark capture does not show anything unusual and the issue is related to the web application
- B. Wireshark capture shows multiple ACK requests and SYN responses from single/multiple IP address(es)
- C. Wireshark capture shows multiple SYN requests and RST responses from single/multiple IP address(es)
- D. Wireshark capture shows multiple SYN requests and ACK responses from single/multiple IP address(es)
Correct answer: C
Explanation
The correct answer is C because a SYN flood attack is characterized by a high volume of SYN requests without corresponding ACK responses, often leading to RST responses as the server cannot complete the handshake. Options A and B do not indicate the presence of a SYN flood attack, while option D suggests a normal connection establishment rather than an attack.