Challenge 07 • Network Attack & Firewall Detection

Understanding Network Attacks & Port Scanning

Network attacks begin with reconnaissance - attackers scan targets to identify open ports, services, and potential vulnerabilities. Firewalls and intrusion detection systems are the first line of defense against these attacks.

🔍 Port Scanning Techniques

TCP SYN Scan: Sends SYN packets without completing handshake (stealthy, most common)

TCP Connect Scan: Completes full 3-way handshake (noisier, easier to detect)

UDP Scan: Probes UDP ports (slower, used for DNS, SNMP discovery)

FIN/NULL/Xmas Scans: Stealth scans using unusual flag combinations

🔥 UFW (Uncomplicated Firewall)

Purpose: Frontend for iptables, default firewall on Ubuntu/Debian

Log Format: [UFW BLOCK] IN=eth0 SRC=attacker_ip DST=server_ip PROTO=TCP DPT=port

What to Look For: Repeated blocks from same IP, sequential port scanning, unusual protocols

🚫 Fail2Ban

Purpose: Monitors logs and automatically bans IPs showing malicious behavior

How It Works: Scans auth logs, detects failed login patterns, creates iptables rules to block

Common Jails: sshd, nginx-http-auth, apache-auth, recidive (repeat offenders)

Attack Detection Patterns

🚨 Port Scan Indicators

Sequential port numbers (1-65535)
Rapid connection attempts (hundreds/sec)
SYN packets without ACK responses
Connections to uncommon ports
Same source IP, multiple destinations

💥 DDoS/Flood Patterns

High packet rate from single/multiple IPs
SYN floods (half-open connections)
UDP floods to single port
ICMP floods (ping of death)
Resource exhaustion attempts

🔓 Brute-Force Detection

Repeated failed auth attempts
Dictionary/credential stuffing
Connections to SSH (22), RDP (3389)
Same IP, multiple usernames
Fail2ban automatic bans

🎯 Service Enumeration

Banner grabbing attempts
Version detection scans
OS fingerprinting
Common service ports (21, 22, 80, 443)
Management interfaces (8080, 8443)

Investigation Commands

# Analyze firewall blocks
grep "BLOCK" /var/log/ufw.log | awk '{print $12}' | sort | uniq -c | sort -rn

# Count connections per IP
grep "SRC=" /var/log/ufw.log | grep -oP 'SRC=\K[0-9.]+' | sort | uniq -c | sort -rn

# Find most targeted ports
grep "DPT=" /var/log/ufw.log | grep -oP 'DPT=\K[0-9]+' | sort | uniq -c | sort -rn

# Check fail2ban bans
grep "Ban" /var/log/fail2ban.log

💡 Defense Tip: Implement rate limiting, use fail2ban for automated blocking, enable SYN cookies for DDoS protection, and configure geographic IP blocking for non-essential regions.

Evidence Review

🔥 /var/log/ufw.log (Firewall Blocks) Click lines to tag as evidence

🚫 /var/log/fail2ban.log

📊 Connection Statistics

📌 Evidence Locker

No evidence tagged yet. Click log lines to add them.

Interactive Terminal

Run bash commands to analyze the logs. Available: cat, grep, wc, awk, sort, uniq, clear, help

analyst@blueteam:~$ Terminal ready. Type 'help' for available commands.

analyst@blueteam:~$

Investigation Tasks

Tasks Completed: 0 / 10

Task 1 — Attacker IP Address

✓ Correct Answer:

203.0.113.45

UFW logs show repeated connection attempts from 203.0.113.45. This IP appears in over 1200 firewall blocks across multiple ports - clear indicator of port scanning activity.

Task 2 — Total Blocked Connections

✓ Correct Answer:

1247

Connection statistics show 1247 blocked attempts from the attacker IP. Count all [UFW BLOCK] entries from 203.0.113.45 in the logs.

Task 3 — Scan Type/Pattern

✓ Correct Answer:

SYN scan

UFW logs show PROTO=TCP with SYN flags. This is a TCP SYN scan (nmap -sS) - the most common stealth port scanning technique. Attacker sends SYN packets without completing handshake.

Task 4 — Port Range Scanned

✓ Correct Answer:

1-1024

Logs show sequential DPT (destination port) values from 1 to 1024. This is the "well-known ports" range containing most common services (HTTP, SSH, FTP, etc.). Attacker is doing service discovery.

Task 5 — Most Targeted Port

✓ Correct Answer:

Statistics show port 22 (SSH) received the most connection attempts - 87 blocked connections. After port scan, attacker focused on SSH for potential brute-force attack.

Task 6 — Fail2Ban Jail Triggered

✓ Correct Answer:

sshd

fail2ban.log shows: "Ban 203.0.113.45" from jail "sshd". After port scan, attacker attempted SSH brute-force which triggered automatic banning after threshold exceeded.

Task 7 — Ban Duration (seconds)

✓ Correct Answer:

3600

fail2ban.log indicates ban time of 3600 seconds (1 hour). This is the default bantime for sshd jail. IP is blocked from all connections for this duration.

Task 8 — Attack Start Time

✓ Correct Answer:

Nov 28 18:45

First UFW block from 203.0.113.45 appears at "Nov 28 18:45:12". This marks the beginning of the port scanning reconnaissance phase.

Task 9 — Scanning Tool Used (likely)

✓ Correct Answer:

nmap

Sequential TCP SYN scan pattern across well-known ports (1-1024) is signature of nmap -sS -p1-1024. Nmap is the most popular port scanner used by attackers and security professionals.

Task 10 — MITRE ATT&CK Technique ID

✓ Correct Answer:

T1046

T1046 = Network Service Discovery (formerly Network Service Scanning). Attackers scan for open ports and services to identify potential attack vectors during reconnaissance phase.

XP: 0 / 1000

Attack Analysis & Incident Summary

This section auto-fills once all tasks are completed correctly.

Attack Chain Reconstruction

Complete all tasks to reveal the attack chain.

Incident Summary

Attack type: —
Attacker IP: —
Scan pattern: —
Port range: —
Total blocks: —
Most targeted: —
Tool used: —
Fail2ban action: —
Ban duration: — seconds
MITRE ATT&CK: —

Recommended Remediation

Immediate: Verify 203.0.113.45 is banned, check for successful connections, review SSH auth logs
Investigation: Threat intel lookup on attacker IP, check for other IPs from same subnet, review application logs
Hardening: Reduce fail2ban threshold, enable port knocking for SSH, implement geographic blocking
Long-term: Deploy IDS/IPS (Suricata, Snort), use cloud WAF, implement rate limiting, disable unused services

Why This Attack Failed

The attack was detected and blocked because:
✅ UFW firewall blocked non-whitelisted ports
✅ Fail2ban automatically banned IP after SSH brute-force attempts
✅ Port scan pattern was logged for forensic analysis
✅ No services exposed on non-standard ports
✅ SSH configured with strong authentication (likely key-based)

Attack Kill Chain

Phase 1: Reconnaissance - Port scan to identify services (18:45)
Phase 2: Targeting - Focus on SSH service (port 22)
Phase 3: Exploitation Attempt - SSH brute-force (failed, banned)
Result: Attack stopped by automated defenses before compromise

🛡️ Challenge 07 • Network Attack & Firewall Detection

Mission Brief

Available Artifacts

Learning Objectives

Understanding Network Attacks & Port Scanning

🔍 Port Scanning Techniques

🔥 UFW (Uncomplicated Firewall)

🚫 Fail2Ban

Attack Detection Patterns

🚨 Port Scan Indicators

💥 DDoS/Flood Patterns

🔓 Brute-Force Detection

🎯 Service Enumeration

Investigation Commands

Evidence Review

Interactive Terminal

Investigation Tasks

Attack Analysis & Incident Summary

Attack Chain Reconstruction

Incident Summary

Recommended Remediation

Why This Attack Failed

Attack Kill Chain