AP Cybersecurity Unit 3 Case File 3: Trace the Intrusion

AP Cybersecurity • Unit 3 • Case File 03

Trace the Intrusion

You are the analyst for Lakeview district IT during state testing week. Work the traffic, then segment and defend the network.


Case briefing

Odd traffic appeared during state testing. Identify what is happening on the wire, then contain it and defend the network.

Stage 1 • Network Attacks

Name the attack

CED 3.1.A • Lessons: Network Attacks, MAC Flooding, DNS Poisoning, DDoS

A. A switch is overwhelmed with fake addresses until it fails open and forwards every frame to every port.

B. Students typing the district portal address are silently sent to a fake site at the wrong IP.

C. The testing server is buried under traffic from thousands of sources and goes offline.

Stage 2 • Man in the Middle

Spot the interception

CED 3.1.A • Lesson: Man in the Middle (on-path)

Capture

An unknown device on the Wi-Fi convinces staff machines to route through it by claiming to be the gateway. Their traffic now flows through that device before reaching the internet.

Stage 3 • Segmentation and Wireless

Contain and harden

CED 3.3, 3.2 • Lessons: Network Segmentation, Wireless Security

Network

The grade server, staff laptops, and student devices all sit on one flat network.

Stage 4 • Firewalls

Fix the ruleset

CED 3.4.A • Lesson: Firewalls (how ACL rules work)

Firewall ACL (evaluated in order, first match wins)

Rule 1: ALLOW any -> any port 443
Rule 2: DENY student-vlan -> grade-server (grade server uses 443)
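The ruleset above, worked through in code. This is an added example, not part of the case file: it evaluates an ACL top to bottom with first match winning, shows that the ordering as written lets a student host reach the grade server on 443, and shows the corrected ordering (specific deny before broad allow). The zone addresses, the rule representation and the shadow-check helper are assumptions for the demonstration.

```python
"""First-match ACL evaluation for the Stage 4 ruleset (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing for the case file's zones (assumed, not from the page).
ZONES = {
    "student-vlan": ip_network("10.30.0.0/16"),
    "grade-server": ip_network("10.10.0.5/32"),
    "any": ip_network("0.0.0.0/0"),
}


@dataclass(frozen=True)
class Rule:
    action: str          # "ALLOW" or "DENY"
    src: str             # zone name from ZONES
    dst: str             # zone name from ZONES
    port: Optional[int]  # None means any destination port

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ip_address(src_ip) in ZONES[self.src]
                and ip_address(dst_ip) in ZONES[self.dst]
                and (self.port is None or self.port == dport))


def evaluate(acl, src_ip, dst_ip, dport, default="DENY"):
    """Walk the list top to bottom; the first rule that matches decides.
    Nothing matched -> implicit deny. Returns (action, rule number or None)."""
    for number, rule in enumerate(acl, start=1):
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action, number
    return default, None


# The Stage 4 ruleset as written: the broad allow sits first.
BROKEN_ACL = [
    Rule("ALLOW", "any", "any", 443),
    Rule("DENY", "student-vlan", "grade-server", None),
]

# Corrected ordering: the specific deny comes before the broad allow.
FIXED_ACL = [
    Rule("DENY", "student-vlan", "grade-server", None),
    Rule("ALLOW", "any", "any", 443),
]


def student_reaches_grade_server(acl) -> bool:
    """A constructed student host trying the grade server over HTTPS."""
    action, _ = evaluate(acl, "10.30.4.17", "10.10.0.5", 443)
    return action == "ALLOW"


def shadow_warnings(acl):
    """Flag a later rule whose source and destination lie entirely inside an
    earlier rule with the opposite action and an overlapping port: under
    first-match, the earlier rule wins for that traffic, so the later one is
    (at least partly) dead. Returns (earlier, later) rule-number pairs."""
    warnings = []
    for i in range(len(acl)):
        for j in range(i + 1, len(acl)):
            earlier, later = acl[i], acl[j]
            if earlier.action == later.action:
                continue
            addr_covered = (ZONES[later.src].subnet_of(ZONES[earlier.src])
                            and ZONES[later.dst].subnet_of(ZONES[earlier.dst]))
            port_overlap = (earlier.port is None or later.port is None
                            or earlier.port == later.port)
            if addr_covered and port_overlap:
                warnings.append((i + 1, j + 1))
    return warnings


if __name__ == "__main__":
    for name, acl in (("as written", BROKEN_ACL), ("reordered", FIXED_ACL)):
        print(name, "-> student reaches grade server:",
              student_reaches_grade_server(acl), "shadowed:", shadow_warnings(acl))
```

The lint is deliberately narrow: it only reports a later rule that an earlier, broader rule with the opposite action can pre-empt. In the corrected list the deny is narrower than the allow that follows it, so nothing is flagged; that is exactly the "specific before general" shape the report asks for.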

Stage 5 • Detecting Network Attacks

Triage the alerts

CED 3.5.A • Lessons: IDS/IPS, SIEM

Alert

The IDS flags the nightly backup transfer as malicious every single night.

Analyst's report

Summarize the attacks you found, then give the fix for each.

Model answer. The switch failure was MAC flooding, the redirected portal was DNS poisoning, the buried testing server was a DDoS, and the staff traffic flowing through a rogue gateway was a man-in-the-middle (on-path) attack.

Fixes: enable port security against MAC flooding; segment the network with VLANs so a student device cannot reach the grade server; use strong wireless encryption with a passphrase rather than relying on hiding the SSID; reorder the firewall so the specific deny comes before the broad allow, because ACLs use first match in rule order; and deploy an IPS to block in real time with a SIEM correlating logs across sources.

Cold case

The SIEM collects logs from many sources at once. Why does that help catch an attack that any single device would miss?
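To make the cross-source idea concrete, here is an added example that is not part of the case file. It feeds constructed log lines from three separate sources (a wireless controller, an ARP monitor, and the firewall) through one correlation rule for the Stage 2 rogue-gateway scenario. Each source on its own sees something ordinary: an unregistered device joining Wi-Fi, a gateway MAC change, staff flows to the internet. Only when the same MAC ties those events together inside a short window does the pattern become an alert. The log format, source names, field names, addresses and the ten-minute window are all assumptions.

```python
"""Cross-source correlation for a rogue-gateway (on-path) pattern (added example)."""
from datetime import datetime, timedelta

# Constructed log lines, not from the page. Format: source|timestamp|key=value ...
# wlc = wireless controller, arpmon = ARP monitor, fw = firewall (all assumed).
RAW_LOGS = """\
wlc|2024-04-16T08:02:10|event=client-join mac=aa:bb:cc:11:22:33 registered=no ssid=Staff
arpmon|2024-04-16T08:04:45|event=changed ip=10.20.0.1 old_mac=00:50:56:ab:cd:ef new_mac=aa:bb:cc:11:22:33
fw|2024-04-16T08:05:02|event=flow src=10.20.0.41 dst=203.0.113.7 dport=443 next_hop_mac=aa:bb:cc:11:22:33
fw|2024-04-16T08:05:09|event=flow src=10.20.0.52 dst=203.0.113.7 dport=443 next_hop_mac=aa:bb:cc:11:22:33
wlc|2024-04-16T12:30:00|event=client-join mac=de:ad:be:ef:00:01 registered=no ssid=Guest
arpmon|2024-04-16T22:00:00|event=changed ip=10.20.0.1 old_mac=aa:bb:cc:11:22:33 new_mac=00:50:56:ab:cd:ef
"""

GATEWAY_IP = "10.20.0.1"  # assumed staff-VLAN gateway address


def parse(raw: str):
    """Normalize every line into one dict so events from different sources
    share a time base and field names (the SIEM's first job)."""
    events = []
    for line in raw.strip().splitlines():
        source, ts, rest = line.split("|", 2)
        fields = dict(token.split("=", 1) for token in rest.split())
        fields["source"] = source
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events


def correlate(events, window=timedelta(minutes=10)):
    """Rule: an unregistered device joins Wi-Fi and, within `window`, the same MAC
    takes over the gateway IP. Firewall flows whose next hop is that MAC after
    the change are the hosts now being routed through it."""
    unregistered_joins = {
        e["mac"]: e["ts"]
        for e in events
        if e["source"] == "wlc" and e["event"] == "client-join" and e["registered"] == "no"
    }
    alerts = []
    for e in events:
        if not (e["source"] == "arpmon" and e["event"] == "changed" and e["ip"] == GATEWAY_IP):
            continue
        joined = unregistered_joins.get(e["new_mac"])
        if joined is None or not (timedelta(0) <= e["ts"] - joined <= window):
            continue  # a gateway change with no matching join: maintenance, not this pattern
        affected = sorted({
            f["src"] for f in events
            if f["source"] == "fw" and f.get("next_hop_mac") == e["new_mac"] and f["ts"] >= e["ts"]
        })
        alerts.append({
            "rule": "rogue-gateway",
            "mac": e["new_mac"],
            "joined": joined,
            "gateway_taken": e["ts"],
            "affected_hosts": affected,
        })
    return alerts


def source_counts(events):
    """How many events each source contributed: each one alone is just a log."""
    counts = {}
    for e in events:
        counts[e["source"]] = counts.get(e["source"], 0) + 1
    return counts


if __name__ == "__main__":
    evts = parse(RAW_LOGS)
    print("events per source:", source_counts(evts))
    for alert in correlate(evts):
        print(alert)
```

Two non-events are included on purpose: the Guest join at 12:30 never claims the gateway, and the 22:00 ARP change restores the original gateway MAC, which never appeared in a join. Neither produces an alert, which is the false-positive discipline from Stage 5 applied to a correlation rule rather than a single signature.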

Field glossary (terms from the lessons)
MAC flooding, port security, DNS poisoning, DoS vs DDoS, man in the middle, on-path attack, VLAN, segmentation, strong wireless encryption, controlling SSID broadcast, firewall, ACL, rule order, first match, IDS, IPS, SIEM, false positive, false negative
