Solution - Packet Capture Challenge 6

December 13, 2012 • 3 min read

This capture challenge has concluded!

Thank you for all of your answers! You can find the solution below, or try the challenge for yourself.

The Challenge

Happy Holidays from CloudShark!

We’ve had a lot of new followers and users of in the network security field, so we have a special intrusion capture challenge for you this month. It requires very little description, but you can use CloudShark’s web-based analysis tools and packet view to figure it out.

Here we go. What sort of attack is seen in this capture?:

Email your answers to As last time, the first 5 correct answers will receive a CloudShark “P-Cap” (get it?):


Everyone else will get a free CloudShark t-shirt! Enjoy, and happy Packet Surfing!

The Solution

The answer is, of course, a Christmas Tree scan or Xmas scan, because it’s the holidays and we are so very clever here at CloudShark.

From Wikipedia:

_In information technology, a Christmas tree packet is a packet with every single option set for whatever protocol is in use. The term derives from a fanciful image of each little option bit in a header being represented by a different-colored light bulb, all turned on, as in, “the packet was lit up like a Christmas tree.” It can also be known as a kamikaze packet, nastygram or a lamp test segment.

Christmas tree packets can be used as a method of divining the underlying nature of a TCP/IP stack by sending the packets and awaiting and analyzing the responses. When used as part of scanning a system, the TCP header of a Christmas tree packets has the flags FIN, URG and PSH set. Many operating systems implement their compliance with the Internet Protocol standard (RFC 791) in varying or incomplete ways. By observing how a host responds to an odd packet, such as a Christmas tree packet, assumptions can be made regarding the host’s operating system. Versions of Microsoft Windows, BSD/OS, HP-UX, Cisco IOS, MVS, and IRIX display behaviors that differ from the RFC standard when queried with said packets.

Some stateless firewalls only check against security policy those packets which have the SYN flag set (that is, packets that initiate connection according to the standards). Since Christmas tree scan packets do not have the SYN flag turned on, they can pass through these simple systems and reach the target host. A large number of Christmas tree packets can also be used to conduct a DoS attack by exploiting the fact that Christmas tree packets require much more processing by routers and end-hosts than the ‘usual’ packets do.

Christmas tree packets can be easily detected by intrusion-detection systems or more advanced firewalls. From a network security point of view, Christmas tree packets are always suspicious and indicate a high probability of network reconnaissance activities. _

Happy Holidays from CloudShark!