Activity: Analyze network layer communication
Practice Assignment • 30 min


In this activity, you will analyze DNS and ICMP traffic in transit using data from a network protocol analyzer tool. You will identify which network protocol was affected in the cybersecurity incident under assessment.
In the internet layer of the TCP/IP model, the Internet Protocol (IP) formats data into IP datagrams. The information carried in the header of an IP datagram can give security analysts insight into suspicious data packets in transit.
Knowing how to identify potentially malicious traffic on a network can help cybersecurity analysts assess security risks on a network and reinforce network security.
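To make the internet-layer view concrete, the following added example (not part of the course activity) decodes an ICMP "destination unreachable" datagram byte by byte. The packet is constructed inline with struct.pack, using the scenario's IP addresses; the source port 53489 and the TTL are assumed values. The layout follows RFC 791 (IPv4) and RFC 792 (ICMP): an ICMP error quotes the original IP header plus the first 8 bytes of the original payload, which for UDP is the whole UDP header, and that is how an analyzer can report "udp port 53 unreachable".

```python
"""Decode an ICMP 'destination unreachable' datagram down to the quoted UDP port.

Added example; packet bytes are constructed here so the script runs offline.
"""
import ipaddress
import struct

ICMP_DEST_UNREACHABLE = 3   # ICMP type
ICMP_PORT_UNREACHABLE = 3   # code 3 of type 3
IPPROTO_ICMP, IPPROTO_UDP = 1, 17


def build_ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options; checksum left zero for the demo)."""
    ver_ihl = (4 << 4) | 5                      # version 4, header length 5 * 4 bytes
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def build_icmp_port_unreachable(orig_src, orig_dst, orig_sport, orig_dport):
    """ICMP type 3 / code 3 quoting the original IP header plus its UDP header.

    The error is emitted by the original destination (the DNS server) and sent
    back to the original source (your computer). Constructed sample, not a capture.
    """
    dns_query_len = 40                          # assumed size of the quoted DNS query
    udp_hdr = struct.pack("!HHHH", orig_sport, orig_dport, 8 + dns_query_len, 0)
    quoted_ip = build_ipv4_header(orig_src, orig_dst, IPPROTO_UDP, 8 + dns_query_len)
    icmp = (struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, ICMP_PORT_UNREACHABLE, 0, 0)
            + quoted_ip + udp_hdr)
    return build_ipv4_header(orig_dst, orig_src, IPPROTO_ICMP, len(icmp)) + icmp


def parse_ipv4(buf):
    """Return the header fields an analyst looks at first, plus the payload slice."""
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "ihl": ihl, "ttl": ttl, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "payload": buf[ihl:total_len]}


def describe_icmp_error(datagram):
    """Summarise an ICMP destination-unreachable datagram; None if it is not one."""
    outer = parse_ipv4(datagram)
    if outer["proto"] != IPPROTO_ICMP:
        return None
    icmp = outer["payload"]
    itype, code = icmp[0], icmp[1]
    if itype != ICMP_DEST_UNREACHABLE:
        return None
    inner = parse_ipv4(icmp[8:])                # the quoted original datagram
    summary = {"reporter": outer["src"], "victim": outer["dst"]}
    if inner["proto"] == IPPROTO_UDP and code == ICMP_PORT_UNREACHABLE:
        sport, dport = struct.unpack("!HH", inner["payload"][:4])
        summary["original"] = f"{inner['src']}:{sport} -> {inner['dst']}:{dport}"
        summary["message"] = f"udp port {dport} unreachable"
    else:
        summary["message"] = f"destination unreachable code {code}"
    return summary


if __name__ == "__main__":
    pkt = build_icmp_port_unreachable("192.51.100.15", "203.0.113.2", 53489, 53)
    print(describe_icmp_error(pkt))
```

The decoder reads the outer IP header to learn who reported the error (the DNS server) and who receives it (your computer), then reads the quoted inner IP and UDP headers to recover the original destination port. A datagram whose protocol field is not ICMP, or whose ICMP type is not 3, is returned as None so the caller can keep scanning.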
Be sure to complete this activity before moving on. The next course item will provide you with a completed exemplar to compare to your own work.

Review the scenario below. Then complete the step-by-step instructions.
You are a cybersecurity analyst working at a company that specializes in providing IT services for clients. Several customers of clients reported that they were not able to access the client company website www.yummyrecipesforme.com, and saw the error “destination port unreachable” after waiting for the page to load.
You are tasked with analyzing the situation and determining which network protocol was affected during this incident. To start, you attempt to visit the website and you also receive the error “destination port unreachable.” To troubleshoot the issue, you load your network analyzer tool, tcpdump, and attempt to load the webpage again. To load the webpage, your browser sends a query to a DNS server via the UDP protocol to retrieve the IP address for the website's domain name; this is part of the DNS protocol. Your browser then uses this IP address as the destination IP for sending an HTTPS request to the web server to display the webpage. The analyzer shows that when you send UDP packets to the DNS server, you receive ICMP packets containing the error message: “udp port 53 unreachable.”
In the tcpdump log, you find the following information:
The first two lines of the log file show the initial outgoing request from your computer to the DNS server requesting the IP address of yummyrecipesforme.com. This request is sent in a UDP packet.
The third and fourth lines of the log show the response to your UDP packet. In this case, the ICMP 203.0.113.2 line is the start of the error message indicating that the UDP packet was undeliverable to port 53 of the DNS server.
In front of each request and response, you find timestamps that indicate when the incident happened. In the log, this is the first sequence of numbers displayed: 13:24:32.192571. This means the time is 1:24 p.m., 32.192571 seconds.
After the timestamps, you will find the source and destination IP addresses. In the first line, where the UDP packet travels from your browser to the DNS server, this information is displayed as: 192.51.100.15 > 203.0.113.2.domain. The IP address to the left of the greater-than (>) symbol is the source address, which in this example is your computer’s IP address. The IP address to the right of the greater-than (>) symbol is the destination IP address. In this case, it is the IP address for the DNS server: 203.0.113.2.domain. For the ICMP error response, the source address is 203.0.113.2 and the destination is your computer’s IP address, 192.51.100.15.
After the source and destination IP addresses, there can be a number of additional details like the protocol, port number of the source, and flags. In the first line of the error log, the query identification number appears as: 35084. The plus sign after the query identification number indicates there are flags associated with the UDP message. The "A?" indicates a flag associated with the DNS request for an A record, where an A record maps a domain name to an IP address. The third line displays the protocol of the response message to the browser: "ICMP," which is followed by an ICMP error message.
The error message "udp port 53 unreachable" appears in the last line. Port 53 is the port for the DNS service. The word "unreachable" in the message indicates that the UDP message requesting an IP address for the domain "www.yummyrecipesforme.com" did not go through to the DNS server because no service was listening on the receiving DNS port.
The remaining lines in the log indicate that ICMP packets were sent two more times, but the same delivery error was received both times.
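The log description above can be turned into a small detection script. The following is an added example, not the course's own code or its actual log: the SAMPLE_LOG lines are constructed to mirror the fields the activity describes (timestamp, source > destination, DNS query id with the "+" and "A?" markers, and the ICMP error text) in the shape tcpdump prints them; the source port 52444 and the packet lengths are assumed. The parser extracts each field, then correlates the ICMP errors with the DNS queries to name the affected service and port.

```python
"""Parse tcpdump-style lines and flag ICMP 'port unreachable' replies to DNS queries.

Added example; the log lines are constructed stand-ins for the activity's capture.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
13:24:32.192571 IP 192.51.100.15.52444 > 203.0.113.2.domain: 35084+ A? yummyrecipesforme.com. (24)
13:24:36.098564 IP 203.0.113.2 > 192.51.100.15: ICMP 203.0.113.2 udp port 53 unreachable, length 254
13:26:32.192571 IP 192.51.100.15.52444 > 203.0.113.2.domain: 35084+ A? yummyrecipesforme.com. (24)
13:26:36.098564 IP 203.0.113.2 > 192.51.100.15: ICMP 203.0.113.2 udp port 53 unreachable, length 254
13:28:32.192571 IP 192.51.100.15.52444 > 203.0.113.2.domain: 35084+ A? yummyrecipesforme.com. (24)
13:28:36.098564 IP 203.0.113.2 > 192.51.100.15: ICMP 203.0.113.2 udp port 53 unreachable, length 254
"""

# "HH:MM:SS.ffffff IP <src> > <dst>: <rest>"
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
# "a.b.c.d" optionally followed by ".port" (a number or a service name such as "domain")
ENDPOINT_RE = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+)(?:\.(?P<port>\w+))?$")
# "35084+ A? yummyrecipesforme.com." : query id, '+' = recursion desired, record type
DNS_RE = re.compile(r"^(?P<qid>\d+)(?P<rd>\+?) (?P<qtype>[A-Z]+)\? (?P<name>\S+)")
# "ICMP 203.0.113.2 udp port 53 unreachable"
ICMP_RE = re.compile(r"^ICMP (?P<reporter>\S+) (?P<proto>udp|tcp) port (?P<port>\w+) unreachable")

# tcpdump prints service names from /etc/services unless run with -n; map the ones we expect
SERVICE_PORTS = {"domain": 53, "http": 80, "https": 443}


def normalize_port(text):
    """Turn '53' or 'domain' into 53; leave unknown names as-is."""
    if text is None:
        return None
    if text.isdigit():
        return int(text)
    return SERVICE_PORTS.get(text, text)


def split_endpoint(text):
    m = ENDPOINT_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised endpoint: {text}")
    return m.group("ip"), normalize_port(m.group("port"))


def parse_line(line):
    """Return a dict of fields for one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = split_endpoint(m.group("src"))
    dst_ip, dst_port = split_endpoint(m.group("dst"))
    rec = {"ts": m.group("ts"), "src": src_ip, "sport": src_port,
           "dst": dst_ip, "dport": dst_port}
    rest = m.group("rest")
    if (d := DNS_RE.match(rest)):
        rec.update(proto="UDP/DNS", qid=int(d["qid"]), recursion_desired=d["rd"] == "+",
                   qtype=d["qtype"], name=d["name"].rstrip("."))
    elif (i := ICMP_RE.match(rest)):
        rec.update(proto="ICMP", reporter=i["reporter"], unreachable_proto=i["proto"],
                   unreachable_port=normalize_port(i["port"]),
                   error=f"{i['proto']} port {normalize_port(i['port'])} unreachable")
    else:
        rec["proto"] = "other"
    return rec


def analyze(log_text):
    """Count DNS queries and ICMP port-unreachable errors; name the affected service."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    queries = [r for r in records if r["proto"] == "UDP/DNS"]
    errors = [r for r in records if r["proto"] == "ICMP" and "error" in r]
    # a query is unanswered if the host it was sent to reported that port unreachable
    failed = {(e["reporter"], e["unreachable_proto"], e["unreachable_port"]) for e in errors}
    unanswered = [q for q in queries if (q["dst"], "udp", q["dport"]) in failed]
    affected = Counter((e["reporter"], e["unreachable_proto"], e["unreachable_port"])
                       for e in errors)
    top = affected.most_common(1)[0][0] if affected else None
    verdict = (f"DNS service on {top[0]} {top[1]}/{top[2]} is not reachable: "
               f"no service listening on the port" if top else "no port-unreachable errors")
    return {"queries": len(queries), "icmp_errors": len(errors),
            "unanswered_queries": len(unanswered), "affected": top, "verdict": verdict}


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(parse_line(line))
    print(analyze(SAMPLE_LOG))
```

When capturing for real, running tcpdump with -n keeps ports numeric so the service-name mapping is not needed; the parser accepts both forms. The correlation step matters because a single stray ICMP error is not unusual, whereas every DNS query to the same resolver drawing the same port-unreachable reply points at the DNS service itself, which is the conclusion the scenario asks you to reach.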
Now that you have captured data packets using a network analyzer tool, it is your job to identify which network protocol and service were impacted by this incident. Then, you will need to write a follow-up report.
As an analyst, you can inspect network traffic and network data to determine what is causing network-related issues during cybersecurity incidents. Later in this course, you will demonstrate how to manage and resolve incidents. For now, you only need to analyze the situation.
This event, in the meantime, is being handled by security engineers after you and other analysts have reported the issue to your direct supervisor.

Follow the instructions and answer the question below to complete the activity. Then, go to the next course item to compare your work to a completed exemplar.