Safeguard Network
Lesson 10: Identifying suspicious activity
Objective: Describe the various types of activities and attacks to which an Internet server is vulnerable.

Identifying and Counteracting Suspicious Activity

An Internet server is exposed to a variety of attacks and other suspicious activity. Tools and techniques are available to detect and counteract it.

Suspicious activity

The table at the end of this lesson lists some of the main indicators of suspicious activity and their possible causes.
In the next lesson, you will learn how to protect your system against these attacks.

Look for suspicious activity by monitoring file accesses.

Suppose that, a day after noticing some odd behavior on your workstation, you look at the process list in Task Manager and see a process you have not seen before. What do you do now?
On a Unix-like system you could find out what the process is doing by listing the files it has open (lsof does this). Windows ships no equivalent tool, but a free third-party one exists.
Sysinternals makes an excellent tool called Handle, which is available for free at
http://www.sysinternals.com/Utilities/Handle.html. 

Handle can also list many other types of operating-system resources, including threads, events, and semaphores, as well as open Registry keys and I/O completion objects. Run it from an elevated (administrator) prompt; otherwise it cannot see the handles of processes belonging to other users.
Running handle with no command-line arguments lists every open file handle on the system (add -a to include all handle types, or -p followed by a PID or process name to restrict the listing to one process). To find out which processes currently have a given file open, pass its name or a fragment of it:

C:\> handle filename
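Once Handle tells you which processes hold a file, the useful question is whether any of those processes is one you would not expect there. The following script is an added example, not code from the original lesson or from Sysinternals: it parses Handle's search output into records, groups the holders of each file, and flags processes outside an expected list. The one-hit-per-line format, the sample output, the process names and the file paths are all constructed assumptions (real Handle output may differ slightly between versions); the live query helper only works on Windows with handle.exe on the PATH.

```python
"""Parse Sysinternals Handle search output and flag unexpected file holders.

Added example, not part of the original lesson or of Handle itself. The
one-hit-per-line format below is assumed from Handle's typical search
output (`handle <name fragment>`) and may differ between versions.
"""
import re
import subprocess
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class HandleHit(NamedTuple):
    process: str   # image name, e.g. EXCEL.EXE
    pid: int
    kind: str      # File, Section, Mutant, Key, ...
    handle: int    # handle value (Handle prints it in hex)
    name: str      # object name; for File hits the full path


# Assumed line shape:
# EXCEL.EXE   pid: 4812   type: File   1A4: C:\Users\alice\Documents\payroll.xlsx
_HIT = re.compile(
    r"^(?P<proc>\S+)\s+pid:\s*(?P<pid>\d+)\s+type:\s*(?P<kind>\w+)\s+"
    r"(?P<handle>[0-9A-Fa-f]+):\s*(?P<name>.+?)\s*$"
)


def parse_handle_output(text: str) -> List[HandleHit]:
    """Turn raw Handle output into records; banner, blank and
    'No matching handles found.' lines do not match and are skipped."""
    hits = []
    for line in text.splitlines():
        m = _HIT.match(line.strip())
        if m:
            hits.append(HandleHit(m["proc"], int(m["pid"]), m["kind"],
                                  int(m["handle"], 16), m["name"]))
    return hits


def processes_by_file(hits: Iterable[HandleHit]) -> Dict[str, Set[Tuple[str, int]]]:
    """Map each open file path (lower-cased) to the (process, pid) pairs holding it."""
    holders = defaultdict(set)
    for h in hits:
        if h.kind == "File":
            holders[h.name.lower()].add((h.process, h.pid))
    return dict(holders)


def unexpected_holders(hits: Iterable[HandleHit], expected: Iterable[str]) -> List[HandleHit]:
    """Hits whose owning process is not in the expected image-name list (case-insensitive)."""
    allowed = {p.lower() for p in expected}
    return [h for h in hits if h.process.lower() not in allowed]


def query_handle(name_fragment: str, handle_exe: str = "handle.exe") -> List[HandleHit]:
    """Run Handle for real (Windows only, handle.exe on PATH, elevated prompt).
    -accepteula and -nobanner are documented Handle switches."""
    proc = subprocess.run([handle_exe, "-accepteula", "-nobanner", name_fragment],
                          capture_output=True, text=True, check=False)
    return parse_handle_output(proc.stdout)


# Constructed sample of what `handle alice` might print; not captured from a real system.
SAMPLE_OUTPUT = r"""
Nthandle - Handle viewer
Sysinternals - www.sysinternals.com

EXCEL.EXE          pid: 4812   type: File           1A4: C:\Users\alice\Documents\payroll.xlsx
svchost32.exe      pid: 5120   type: File           2A0: C:\Users\alice\Documents\payroll.xlsx
svchost32.exe      pid: 5120   type: File           2B8: C:\Users\alice\AppData\Local\Temp\stage.dat
svchost32.exe      pid: 5120   type: Mutant         2C4: \Sessions\1\BaseNamedObjects\alice-upd8r-lock
"""

if __name__ == "__main__":
    hits = parse_handle_output(SAMPLE_OUTPUT)
    for path, who in processes_by_file(hits).items():
        print(path, "<-", sorted(who))
    for h in unexpected_holders(hits, ["EXCEL.EXE", "explorer.exe"]):
        print(f"UNEXPECTED {h.process} (pid {h.pid}) holds {h.kind} {h.name}")
```

The expected list is the control here: a lookalike name such as svchost32.exe holding a user's spreadsheet and a staging file in a Temp directory is exactly the kind of thing a raw handle listing buries among hundreds of legitimate entries.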

Suspicious activity          Possible cause
---------------------------  ------------------------------------------------------------------
Multiple login failures      An unauthorized user may be trying to gain access by guessing
                             User ID/password combinations.
Denial of service            1. A server or router may be down.
                             2. Email bombing, in which a user's email address is flooded with so
                                much mail that the mail server is overloaded.
                             3. Worms: programs or viruses that spread over network connections
                                to infect other systems.
                             4. A Trojan horse: seemingly harmless software that conceals its
                                true purpose, which is to evade access control or authentication.
Mail flooding and spam       Multiple user mailboxes are flooded with mail, including spam
                             (unsolicited junk e-mail), postings, news articles and advertising.
PING flood                   PING is used to test the reachability and responsiveness of a host.
                             In a PING flood the attacker sends ICMP echo requests faster than
                             the target can answer them, consuming its bandwidth and CPU. The
                             related "Ping of Death" sends a fragmented ICMP packet whose
                             reassembled size exceeds the 65,535-byte IPv4 maximum, causing a
                             vulnerable TCP/IP stack to crash or stop functioning correctly.
SYN flood                    The attacker sends a high rate of TCP connection requests (SYN)
                             whose source IP address has been replaced with an address not in
                             use on the Internet or one belonging to another host. The server
                             allocates a half-open connection for each request; because the
                             handshakes never complete, its connection backlog fills up and
                             legitimate clients are refused.
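Two of the indicators in the table, repeated login failures and a SYN flood, are both bursts of events within a short window, so one sliding-window counter can detect both. The script below is an added example, not code from the original lesson: it applies that counter to constructed authentication-log lines and to constructed per-packet SYN records, alerting once per source that fails too many logins in a minute and once per service that receives too many SYNs in a second from too many distinct (spoofed) addresses. The log formats, thresholds, addresses (all from the RFC 5737 documentation ranges) and timestamps are assumptions made for the example, not any real server's logging format.

```python
"""Sliding-window detectors for two indicators from the table above:
repeated login failures from one source, and a SYN flood against one service.

Added example, not code from the original lesson. The log-line formats below
are constructed for the example, not any real server's format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


class SlidingWindow:
    """Per-key queue of (timestamp, tag) events, trimmed to the last `window`."""

    def __init__(self, window: timedelta):
        self.window = window
        self._events = defaultdict(deque)

    def add(self, key, ts, tag=None):
        q = self._events[key]
        q.append((ts, tag))
        cutoff = ts - self.window
        while q and q[0][0] < cutoff:   # drop events older than the window
            q.popleft()
        return q


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed format: 2024-03-01T09:15:01Z auth: login failed user=admin src=203.0.113.7
AUTH_FAIL = re.compile(r"^(?P<ts>\S+) auth: login failed user=(?P<user>\S+) src=(?P<src>\S+)$")
# Constructed format: 2024-03-01T09:20:00.000Z tcp SYN src=198.51.100.9:40001 dst=192.0.2.10:80
SYN_LINE = re.compile(r"^(?P<ts>\S+) tcp SYN src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+:\d+)$")


def detect_login_failures(lines, threshold=5, window=timedelta(minutes=1)):
    """Alert once per source that fails `threshold` logins within `window`.
    Returns [(src, time_of_alert, sorted list of user names tried)]."""
    win, alerted, alerts = SlidingWindow(window), set(), []
    for line in lines:
        m = AUTH_FAIL.match(line)
        if not m:
            continue
        q = win.add(m["src"], _ts(m["ts"]), m["user"])
        if len(q) >= threshold and m["src"] not in alerted:
            alerted.add(m["src"])
            alerts.append((m["src"], q[-1][0], sorted({tag for _, tag in q})))
    return alerts


def detect_syn_flood(lines, threshold=100, window=timedelta(seconds=1), min_sources=50):
    """Alert once per destination that receives `threshold` SYNs within `window`
    from at least `min_sources` distinct source addresses. A single busy client
    can reach the count but not the source spread, so it is not reported.
    Returns [(dst, syn_count, distinct_sources)]."""
    win, alerted, alerts = SlidingWindow(window), set(), []
    for line in lines:
        m = SYN_LINE.match(line)
        if not m:
            continue
        q = win.add(m["dst"], _ts(m["ts"]), m["src"])
        sources = {tag for _, tag in q}
        if len(q) >= threshold and len(sources) >= min_sources and m["dst"] not in alerted:
            alerted.add(m["dst"])
            alerts.append((m["dst"], len(q), len(sources)))
    return alerts


# --- constructed sample data (not from a real system) -------------------------
AUTH_LOG = [
    "2024-03-01T09:15:01Z auth: login failed user=admin src=203.0.113.7",
    "2024-03-01T09:15:04Z auth: login failed user=root src=203.0.113.7",
    "2024-03-01T09:15:09Z auth: login failed user=alice src=198.51.100.20",
    "2024-03-01T09:15:10Z auth: login failed user=backup src=203.0.113.7",
    "2024-03-01T09:15:15Z auth: login failed user=admin src=203.0.113.7",
    "2024-03-01T09:15:20Z auth: login failed user=guest src=203.0.113.7",   # 5th in a minute
    "2024-03-01T09:15:31Z auth: login ok user=alice src=198.51.100.20",
    "2024-03-01T09:15:40Z auth: login failed user=test src=203.0.113.7",    # already alerted
]

_BASE = datetime(2024, 3, 1, 9, 20, tzinfo=timezone.utc)


def _syn(i, src, dst="192.0.2.10:80"):
    ts = (_BASE + timedelta(milliseconds=5 * i)).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    return f"{ts} tcp SYN src={src}:{40000 + i} dst={dst}"


# 120 SYNs in 0.6 s from 120 distinct spoofed sources: a flood
FLOOD = [_syn(i, f"198.51.100.{i + 1}") for i in range(120)]
# 120 SYNs in 0.6 s from one address: a busy client, not a flood
BUSY_CLIENT = [_syn(i, "192.0.2.55") for i in range(120)]

if __name__ == "__main__":
    print(detect_login_failures(AUTH_LOG))
    print(detect_syn_flood(FLOOD), detect_syn_flood(BUSY_CLIENT))
```

The login detector keys on the source address rather than the account, so a password-spraying run that tries a different user name on each attempt is still caught; the SYN detector requires a spread of source addresses as well as a high count, which is what separates spoofed-source floods from one client that is merely reconnecting in a loop.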