DNS & HTTP Analysis Report

Overview

This lab involved analyzing DNS and HTTP traffic in Wireshark to investigate suspicious network behavior. The goal was to identify anomalies in DNS queries, TCP communication, and HTTP requests, and to determine whether a cyber incident had occurred. The full capture used for this analysis is available here: Wireshark Traffic Log.

Scenario Summary

While analyzing the traffic logs, I observed numerous TCP SYN packets being sent from a single source IP to the destination web server, suggesting a TCP SYN flood attempt. This pattern was coupled with repeated HTTP GET requests that targeted specific resources. The HTTP traffic appeared automated and possibly linked to a bot or malicious scanner.
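The two patterns described above (a burst of bare SYNs from one source that never complete the handshake, and the same client repeating a GET for one resource) can be checked programmatically as well as with Wireshark display filters. The script below is an added example written for this page, not part of the original lab; it reads a constructed CSV export (the column names `time,src,dst,sport,dport,flags,info` are an assumption about how the capture was exported), and the thresholds of 5 SYNs and 3 repeated GETs are illustrative choices, not values from the lab. The equivalent Wireshark filters are noted in the comments.

```python
import csv
import io
from collections import Counter

# Constructed sample export (not from the lab capture). Flags use tshark-style
# letters: S = SYN, SA = SYN-ACK, A = ACK, PA = PSH-ACK. 10.0.0.5 sends six SYNs
# that are never answered, then completes one handshake and hammers /admin.
SAMPLE_CSV = """time,src,dst,sport,dport,flags,info
0.001,10.0.0.5,192.168.1.10,40001,80,S,
0.002,10.0.0.5,192.168.1.10,40002,80,S,
0.003,10.0.0.5,192.168.1.10,40003,80,S,
0.004,10.0.0.5,192.168.1.10,40004,80,S,
0.005,10.0.0.5,192.168.1.10,40005,80,S,
0.006,10.0.0.5,192.168.1.10,40006,80,S,
0.010,10.0.0.7,192.168.1.10,51000,80,S,
0.011,192.168.1.10,10.0.0.7,80,51000,SA,
0.012,10.0.0.7,192.168.1.10,51000,80,A,
0.013,10.0.0.7,192.168.1.10,51000,80,PA,GET /index.html
0.020,10.0.0.5,192.168.1.10,40007,80,S,
0.021,192.168.1.10,10.0.0.5,80,40007,SA,
0.022,10.0.0.5,192.168.1.10,40007,80,A,
0.023,10.0.0.5,192.168.1.10,40007,80,PA,GET /admin
0.024,10.0.0.5,192.168.1.10,40007,80,PA,GET /admin
0.025,10.0.0.5,192.168.1.10,40007,80,PA,GET /admin
0.026,10.0.0.5,192.168.1.10,40007,80,PA,GET /admin
"""


def parse_records(csv_text):
    """Parse the CSV export into one dict per packet with numeric ports/time."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["time"] = float(row["time"])
        row["sport"] = int(row["sport"])
        row["dport"] = int(row["dport"])
        records.append(row)
    return records


def syn_flood_candidates(records, port=80, threshold=5):
    """Per source IP, count bare SYNs to `port` and how many never received a
    SYN-ACK (half-open). Wireshark equivalent for the SYNs:
    tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.dstport == 80"""
    # (client ip, client port) pairs that did get a SYN-ACK from the server
    answered = set()
    for r in records:
        if set(r["flags"]) == {"S", "A"}:
            answered.add((r["dst"], r["dport"]))
    syn, half_open = Counter(), Counter()
    for r in records:
        if r["flags"] == "S" and r["dport"] == port:
            syn[r["src"]] += 1
            if (r["src"], r["sport"]) not in answered:
                half_open[r["src"]] += 1
    return {src: {"syn": n, "half_open": half_open[src]}
            for src, n in syn.items() if n >= threshold}


def repeated_get_candidates(records, threshold=3):
    """Count HTTP GETs per (source IP, URI) and flag repeats.
    Wireshark equivalent: http.request.method == "GET" """
    hits = Counter()
    for r in records:
        if r["info"].startswith("GET "):
            uri = r["info"].split()[1]
            hits[(r["src"], uri)] += 1
    return {key: n for key, n in hits.items() if n >= threshold}


def analyze(csv_text):
    """Run both checks and return the flagged sources/resources."""
    records = parse_records(csv_text)
    return {
        "syn_flood": syn_flood_candidates(records),
        "repeated_get": repeated_get_candidates(records),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_CSV))
```

Counting half-open connections separately from raw SYNs is what distinguishes a flood from a legitimately busy client: a browser opening several connections gets a SYN-ACK for each, whereas a flooding source shows a large gap between SYNs sent and handshakes completed.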

Key Findings

Tools Used

Conclusion

The network behavior aligned with characteristics of a SYN flood attack targeting port 80, accompanied by automated HTTP requests possibly related to reconnaissance or denial-of-service activity. This lab reinforced my ability to dissect protocol-level activity, use packet filters effectively, and develop incident reports based on real packet data.
