SANS 2016 pcap contest

SANS posted this challenge on their Boston 2016 site to download an analyze a pcap file. I took a stab. This is what I found:


After viewing the PCAP, my theory is that the PCAP represents a DNS Amplification / (or  DNS Smurf style attack ).  The host address, is the victim IP. The victim IP is spoofed.


  • The information in the capture appears to be this style of attack because I see 140 plus  DNS requests in less than .35 of a second.


  • The DNS queries seems to be scripted, using a list to query about the same hosts again and again, which is not normal behavior.


The intent of the attack is to flood host with DNS replies.

It’ll be interesting when they announce what is happening in the pcap. The way I took at it, its a winning situation either way. If I am wrong about my analysis, then I learn and learning is good. If I am right, then it is a nod to my learning efforts in the past.