Wireshark for security and mitigation.
- Shone Pious
- Aug 31, 2023
- 4 min read
Updated: Sep 29, 2023

Wireshark in the security setting
Wireshark is best known as a network troubleshooting tool, but it is also used by attackers, for example to read traffic that an ARP poisoning attack has redirected through their machine, and by security researchers to find evidence of attacks such as ARP poisoning or SYN floods (a form of Denial-of-Service attack) at the network and transport layers.
As a packet sniffer, Wireshark only listens for packets; it does not send any, so it is not a vulnerability scanner or an attack tool in itself.
It can, however, display packets in real time and show how each source IP behaves on the network, which is usually enough to expose an active attack.
Saving packet capture (PCAP) files also makes Wireshark useful for forensics and report writing, where evidence of network behaviour is needed.
The TCP handshake
The TCP three-way handshake takes place at layer 4 (the transport layer) of the OSI model, between a client and a server.
The handshake is easy to follow in Wireshark; see my Wireshark introduction here.
In short, the client wishing to connect sends the server a SYN packet to initiate a connection.
The server responds with a SYN/ACK packet, acknowledging the client's SYN and accepting the request.
The client then replies with an ACK packet, which completes the handshake and establishes the TCP connection, after which data can flow in both directions.

What are DoS attacks?
A Denial-of-Service (DoS) attack aims to make a service unavailable to its legitimate users. Large-scale attacks are usually distributed (DDoS) and carried out by bots: internet-connected machines or IoT devices infected with malware that lets an attacker control them remotely.
Together these machines form a botnet. Each device takes commands from the attacker, for example a command to send requests to the target server's IP address.

When hundreds or thousands of machines send requests to one server, they can overwhelm it (or the network in front of it), creating a denial-of-service situation in which legitimate requests are no longer processed.
It is hard to tell attack traffic from normal traffic, because each request comes from a real internet-connected device.
SYN flood attacks
A SYN flood is a type of DoS attack that abuses the TCP handshake (the process by which two computers initiate communication) rather than simply sending too many complete requests.
The attacker sends the server a stream of SYN packets, each requesting a new connection.
For every SYN, the server replies with a SYN/ACK and allocates state for the half-open connection in its SYN backlog, where it waits for the client's ACK.
The ACK never arrives: the SYNs carry spoofed source addresses (or the attacker simply ignores the SYN/ACKs), and the attacker keeps sending new SYNs so the server allocates more and more half-open entries.

Once the backlog is full, the server drops or resets new connection attempts, legitimate ones included, and the service is effectively down. The standard mitigation is SYN cookies: the server encodes the connection state in the SYN/ACK sequence number instead of storing it, so no backlog entry is consumed until a valid ACK arrives.
Uncovering SYN flood attacks
I will be using a PCAP file from Chris Greer.
The image below shows my Wireshark profile, named Wireshark masterclass, which is just the set of display settings that make the packet list look the way it does.
Looking at the traffic, you can see thousands of SYN packets arriving before the capture even reaches the one-second mark; in fact the whole PCAP never reaches one second.
That many connection attempts in so short a time, with no data flowing afterwards, is a strong sign of a SYN-flood DoS attack.

The image below shows the Endpoints statistics for each IP address.
What stands out is that almost every endpoint has sent only a single packet, and as we saw before, those are the lone SYN packets: each spoofed source sends one SYN and never completes the handshake.
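As an added example (not code from the original post, and not Chris Greer's capture), the following Python script does the same accounting over a PCAP file that the screenshots show in Wireshark: it counts SYN-only packets per source, SYN/ACK replies and completed three-way handshakes, so it also covers the handshake section above. The capture it analyses is constructed inline (RFC 5737 documentation addresses, one legitimate handshake plus 200 spoofed half-open connections); the flood thresholds in looks_like_syn_flood are assumptions for the example, not anything Wireshark defines. The display filters quoted in the comments are the ones to type into Wireshark's filter bar on a real capture.

```python
"""Handshake accounting over a libpcap file, to spot a SYN flood.

Added example: builds a small capture in memory from constructed sample
traffic and parses it with the standard library only (Ethernet/IPv4/TCP,
microsecond timestamps). Thresholds below are assumptions, not standards.
"""
import socket
import struct
from collections import Counter

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def build_frame(src, dst, sport, dport, flags, seq=0, ack=0):
    """Ethernet + IPv4 + TCP header, no payload (constructed; checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dummy MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def build_pcap(frames, gap_us=100):
    """Classic libpcap layout: 24-byte global header, then 16-byte record headers."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 0, i * gap_us, len(frame), len(frame)) + frame)
    return b"".join(out)


def sample_capture(spoofed=200):
    """Constructed sample: one real handshake plus `spoofed` half-open connections."""
    server, client = "192.0.2.10", "192.0.2.50"          # RFC 5737 documentation addresses
    frames = [
        build_frame(client, server, 40000, 80, SYN, seq=1000),
        build_frame(server, client, 80, 40000, SYN | ACK, seq=5000, ack=1001),
        build_frame(client, server, 40000, 80, ACK, seq=1001, ack=5001),
    ]
    for i in range(spoofed):                              # spoofed sources never send the ACK
        src, sport = "203.0.113.%d" % (i % 254 + 1), 1024 + i
        frames.append(build_frame(src, server, sport, 80, SYN, seq=i))
        frames.append(build_frame(server, src, 80, sport, SYN | ACK, seq=7000 + i, ack=i + 1))
    return build_pcap(frames)


def parse_pcap(data):
    """Yield (timestamp, src, dst, sport, dport, tcp_flags) for each IPv4/TCP record."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_us, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                      # not IPv4-over-Ethernet carrying TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) < 14:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield (ts_sec + ts_us / 1e6, socket.inet_ntoa(frame[26:30]),
               socket.inet_ntoa(frame[30:34]), sport, dport, tcp[13])


def handshake_stats(data):
    """Classify packets as the Wireshark filters would:
         tcp.flags.syn == 1 && tcp.flags.ack == 0   -> SYN  (connection attempt)
         tcp.flags.syn == 1 && tcp.flags.ack == 1   -> SYN/ACK (server reply)
       and count attempts completed by the client's bare ACK on the same 4-tuple."""
    syn_by_src, pending = Counter(), set()
    synack = completed = 0
    first = last = None
    for ts, src, dst, sport, dport, flags in parse_pcap(data):
        first = ts if first is None else first
        last = ts
        key = (src, sport, dst, dport)
        if flags & SYN and not flags & ACK:
            syn_by_src[src] += 1
            pending.add(key)
        elif flags & SYN and flags & ACK:
            synack += 1
        elif flags & ACK and not flags & (SYN | RST | FIN) and key in pending:
            pending.discard(key)                          # third packet of the handshake
            completed += 1
    return {"syn_only_total": sum(syn_by_src.values()), "synack_total": synack,
            "completed": completed, "half_open": len(pending),
            "sources": len(syn_by_src), "top_sources": syn_by_src.most_common(3),
            "duration_s": 0.0 if first is None else last - first}


def looks_like_syn_flood(stats, min_syns=100, max_completion=0.1):
    """Heuristic (assumed thresholds): many SYNs, almost none completing the handshake."""
    total = stats["syn_only_total"]
    return total >= max(min_syns, 1) and stats["completed"] / total <= max_completion


if __name__ == "__main__":
    s = handshake_stats(sample_capture())
    print(s, "SYN flood?", looks_like_syn_flood(s))
```

On the constructed capture the script reports 201 SYNs from 201 sources, 201 SYN/ACKs, one completed handshake and 200 half-open connections inside a few hundredths of a second, which is exactly the pattern the Endpoints window shows for the real capture: one packet per source and no handshakes finishing. Swap sample_capture() for open("file.pcap", "rb").read() to run it over a saved Wireshark capture (pcapng files need conversion to classic pcap first).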

Uncovering geo-location of DOS attacks
To use geo-location in Wireshark, I will be using MaxMind, which maintains geo-location databases that can be downloaded and pointed to from Wireshark to find the information we need.
Go to MaxMind and create an account. I created a GeoLite2 account, which is free.
Once the account has been created, go to Download Files.

Download the three databases (ASN, City and Country) in the binary mmdb (MaxMind DB) format rather than the CSV format.

Each download is a .tar.gz archive. Extract the .mmdb file from each one and put all three into a single directory so that Wireshark can be pointed at one location; Wireshark reads .mmdb files straight from a directory and will not look inside a zip or tar archive.

In Wireshark, if you're on a Linux or Windows system like me, go to
Edit ➡️ Preferences ➡️ Name Resolution.

Scroll down to MaxMind database directories.
Add the directory that holds the three .mmdb files to the database paths (the directory, not the downloaded archives).

Click OK and restart Wireshark so the databases are loaded.
In the Packet Details pane ➡️ expand the IPv4 header, then
right click the GeoIP source country code field ➡️ Apply as Column.
Then ➡️
right click the same field ➡️ Prepare as Filter ➡️ Selected.
Now you can see that the country code for Great Britain (GB) has been applied as a filter, and Wireshark shows only the packets whose source address resolves to Britain.

Map view
To see the packet sources on a map, go to ➡️
Statistics ➡️ Endpoints ➡️ IPv4.
Then click the Map button and open the map in the browser; each endpoint is plotted at the coordinates the MaxMind City database returned for it.

What's next?
This blog was just an introduction to the GeoIP feature in Wireshark and how it helps identify potential network attacks.
To see more about how all this works, watch this