Intermittent Connections to Server: Confirming DoS Attack - N10-007 Exam Question

Confirming DoS Attack


Question

The help desk is receiving reports of intermittent connections to a server.

A help desk technician suspects the server is unable to establish a three-way handshake due to a DoS attack.

Which of the following commands should a network administrator use to confirm the help desk technician's claim?

A. nmap

B. arp

C. tcpdump

D. dig

C.

Explanations


The correct answer is C. tcpdump.

A three-way handshake is a process used by TCP to establish a connection between two devices. It involves a SYN, SYN-ACK, and ACK packet exchange. If a server is unable to establish a three-way handshake, it may be due to a Denial of Service (DoS) attack. In this case, a network administrator can use the tcpdump command to confirm the help desk technician's claim.

tcpdump is a command-line packet capture tool that allows network administrators to capture and analyze network traffic. It can capture and display packets on a specific network interface, and filter packets based on various criteria, such as source and destination IP address, protocol, port, and more.

To use tcpdump to confirm a DoS attack, a network administrator can run the command with the appropriate filters, such as filtering on TCP SYN packets. This will allow the administrator to capture and analyze the packets exchanged during the three-way handshake. If a large number of SYN packets are being sent to the server, but no SYN-ACK packets are being received in response, this may indicate a DoS attack.
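As an added worked example (not part of the original question or explanation), the script below shows how an administrator could turn the check described above into something repeatable: it holds the two pcap-filter expressions that isolate SYN-only and SYN-ACK segments (real tcpdump filter syntax), parses tcpdump's default text output, follows each client flow through SYN, SYN-ACK and final ACK, and reports how many attempts the server never answered versus how many were left half-open. The capture lines, the TEST-NET addresses, and the verdict thresholds in `assess` are constructed assumptions for this example, not data from the page.

```python
"""Detect a failing TCP three-way handshake in tcpdump text output.

Added example: parses tcpdump's default line format and counts, per client
flow, how far the handshake got (SYN seen, SYN-ACK sent, final ACK seen).
Many SYNs with few SYN-ACKs is the symptom the explanation describes.
"""
import re
from collections import Counter

# pcap-filter expressions (real tcpdump syntax) that isolate handshake
# segments: SYN without ACK, and SYN with ACK. Use them as, e.g.,
#   tcpdump -ni eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
FILTER_SYN_ONLY = "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"
FILTER_SYN_ACK = "tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)"

# Default `tcpdump -n` output line, e.g.
# 12:00:00.000001 IP 203.0.113.1.40000 > 192.0.2.10.80: Flags [S], seq 0, ...
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return (src, sport, dst, dport, flags) or None for non-TCP/IP lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    g = m.groupdict()
    return g["src"], int(g["sport"]), g["dst"], int(g["dport"]), g["flags"]


def handshake_stats(lines, server_ip, server_port):
    """Track each client flow through SYN -> SYN-ACK -> ACK.

    tcpdump prints SYN as [S], SYN-ACK as [S.] and a bare ACK as [.].
    """
    state = {}  # (client_ip, client_port) -> "syn" | "syn_ack" | "established"
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport, flags = parsed
        if (dst, dport) == (server_ip, server_port):      # client -> server
            key = (src, sport)
            if flags == "S" and key not in state:
                state[key] = "syn"
            elif flags == "." and state.get(key) == "syn_ack":
                state[key] = "established"
        elif (src, sport) == (server_ip, server_port):    # server -> client
            key = (dst, dport)
            if flags == "S." and state.get(key) == "syn":
                state[key] = "syn_ack"
    counts = Counter(state.values())
    return {
        "attempts": len(state),
        "unanswered": counts["syn"],        # SYN seen, no SYN-ACK from server
        "half_open": counts["syn_ack"],     # SYN-ACK sent, final ACK never came
        "established": counts["established"],
        "sources": len({ip for ip, _ in state}),
    }


def assess(stats, min_attempts=20, max_completion=0.5):
    """Heuristic verdict; the thresholds are assumptions for this example."""
    attempts = stats["attempts"]
    if attempts < min_attempts:
        return "insufficient-data"
    if stats["established"] / attempts > max_completion:
        return "normal"
    if stats["unanswered"] >= stats["half_open"]:
        return "server-not-answering-syn"   # the symptom described on the page
    return "half-open-backlog"


def build_sample_capture(n_clients=30):
    """Constructed tcpdump-style lines (not a real capture); TEST-NET addresses."""
    server = "192.0.2.10"
    lines, t = [], 0
    for i in range(n_clients):
        client, port = f"203.0.113.{i + 1}", 40000 + i
        t += 1
        lines.append(f"12:00:00.{t:06d} IP {client}.{port} > {server}.80: "
                     f"Flags [S], seq {i}, win 64240, length 0")
        if i < 5:   # only the first five SYNs get a SYN-ACK back
            t += 1
            lines.append(f"12:00:00.{t:06d} IP {server}.80 > {client}.{port}: "
                         f"Flags [S.], seq 100, ack {i + 1}, win 65535, length 0")
        if i < 3:   # and only three of those complete the handshake
            t += 1
            lines.append(f"12:00:00.{t:06d} IP {client}.{port} > {server}.80: "
                         f"Flags [.], ack 101, win 64240, length 0")
    lines.append("12:00:01.000000 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28")
    return lines


if __name__ == "__main__":
    stats = handshake_stats(build_sample_capture(), "192.0.2.10", 80)
    print(stats, assess(stats))
```

On the constructed capture the server answers 5 of 30 SYNs and only 3 handshakes complete, so the verdict is `server-not-answering-syn`. Against a live capture, pipe `tcpdump -n -l` output into `handshake_stats` and compare `unanswered` with `half_open`: a large unanswered count points at an overwhelmed or unreachable server, while a large half-open count (SYN-ACKs that never get their ACK) suggests the SYNs came from addresses that never intended to finish the handshake.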

nmap is a port scanning tool used to discover hosts and services on a network. It is not directly useful for confirming a DoS attack.

arp is a command used to display and manipulate the Address Resolution Protocol (ARP) cache. It is not directly useful for confirming a DoS attack.

dig is a command used to perform DNS queries. It is not directly useful for confirming a DoS attack.