

Which Wireshark filter is used to detect a SYN-FIN flood DoS attack?

  1. tcp.flags==0X002

  2. tcp.flags==0X000

  3. tcp.flags==0X003

  4. tcp.flags==0X004

The correct answer is: tcp.flags==0X003

Detecting a SYN-FIN flood Denial of Service (DoS) attack requires an understanding of the TCP flags and their combinations. In TCP, the SYN flag initiates a connection, while the FIN flag signals that the sender has finished and wants to close the connection. In a SYN-FIN flood, the attacker sends packets with both the SYN and FIN flags set. This combination is abnormal: a legitimate TCP packet carries a SYN flag to open a connection or a FIN flag to close one, never both at once. The filter that identifies this condition is the one that matches packets with the SYN and FIN flags both set, which in hexadecimal is 0x003. This value is the sum of the SYN bit (0x002) and the FIN bit (0x001), so a flags field equal to 0x003 means that SYN and FIN are set and no other flag (such as ACK) is present. Using the filter tcp.flags==0x003 therefore isolates SYN-FIN packets from normal connection attempts and helps forensic analysts identify and mitigate such attacks in a network environment.