top of page
Search

Investigating Network Stress in a Virtual Lab: A Blue Team Analysis

  • fabztechtips
  • 4 days ago
  • 3 min read

Introduction

Understanding how systems behave under increased network activity is an important skill for IT professionals and cybersecurity analysts. While large-scale Denial-of-Service (DoS) attacks require significant resources and infrastructure, even small-scale network stress can provide valuable insights into how operating systems process traffic and how analysts investigate unusual behaviour.

In this lab, I built a controlled Windows-based virtual environment using VirtualBox to observe how a system responds to sustained network traffic. The goal was not to disrupt services, but to investigate how increased traffic appears within monitoring tools and to develop a structured approach to network analysis.

Lab Objectives

The objectives of this investigation were:

  • Build an isolated virtual network

  • Establish a baseline of normal system behaviour

  • Generate controlled network traffic

  • Monitor system performance during activity

  • Investigate changes in resource utilisation

  • Identify the root cause of observed behaviour

  • Document findings using a blue-team methodology

Lab Environment

The environment consisted of two Windows virtual machines running inside VirtualBox.

Client System

Purpose: Generate network traffic

IP Address: 192.168.10.11

Target System

Purpose: System under investigation

IP Address: 192.168.10.10

Both virtual machines were connected to an isolated internal network named "labnet" to ensure testing remained completely contained.





Configuring Network Connectivity

Static IP addresses were assigned to both systems to simplify communication and troubleshooting.

The client system was configured with the address 192.168.10.11 while the target system was configured with 192.168.10.10.

Connectivity was verified using standard ICMP ping requests.




Establishing a Baseline

Before generating any traffic, I recorded the normal operating state of the target machine.

Task Manager and Resource Monitor were used to establish baseline measurements including:

  • CPU utilisation

  • Memory usage

  • Network activity

  • Active network connections

At this stage, resource utilisation remained low and there were no signs of abnormal activity.



Simulating Network Stress

To generate a sustained stream of traffic, the client system was configured to continuously send ICMP echo requests to the target system.

This created a predictable flow of network traffic that could be analysed without introducing risk to production systems.

The traffic was allowed to run for approximately ten minutes while monitoring tools remained active on the target machine.



Investigation and Analysis

With traffic generation underway, monitoring tools immediately showed an increase in network activity.

Task Manager Observations

Task Manager displayed increased network utilisation compared to the baseline state. CPU utilisation also showed minor fluctuations as the operating system processed incoming requests.



Resource Monitor Observations

Resource Monitor provided a clearer view of network behaviour.

The increase in traffic corresponded directly with the incoming ICMP requests generated from the client machine. Network throughput increased and activity became visible within the monitoring interface.



Network Statistics

Using the netstat command, I reviewed protocol statistics before and during testing.

The results showed increased ICMP packet counts, confirming that the observed network activity was directly linked to the traffic generated during the simulation.



Root Cause Analysis

What Changed?

Compared to the baseline:

  • Network utilisation increased

  • ICMP packet counters increased

  • Resource Monitor showed sustained network activity

  • CPU usage rose slightly as requests were processed

What Caused the Activity?

The root cause was continuous ICMP traffic originating from the client machine.

Each incoming request required processing by the Windows networking stack before a response could be generated.

Why Was There No Service Disruption?

Although traffic levels increased, modern operating systems are designed to handle significant volumes of routine network traffic.

Several factors contributed to system stability:

  • The traffic originated from a single source

  • Available bandwidth was not exhausted

  • System resources remained within normal operating limits

  • Windows efficiently processed and responded to requests

Recovery and Validation

After stopping the traffic generation process, network utilisation returned to normal levels.

Monitoring tools confirmed that the system returned to its baseline operating state without requiring any intervention.

This demonstrated that the observed activity was directly linked to the generated traffic rather than an underlying system issue.


Lessons Learned

This investigation demonstrated the importance of establishing a baseline before analysing suspicious activity.

Key takeaways included:

  • Network monitoring tools can quickly identify unusual traffic patterns.

  • Resource Monitor provides valuable visibility into active network activity.

  • Baseline measurements are critical for effective troubleshooting.

  • Root cause analysis should focus on evidence gathered throughout the investigation.

  • Controlled lab environments provide a safe way to develop investigative skills.

Conclusion

This lab provided a practical introduction to network investigation techniques within a controlled environment. By generating and analysing sustained ICMP traffic, I was able to observe how Windows handles increased network activity, collect evidence using built-in monitoring tools, and perform a structured root cause analysis.

While the simulation did not generate enough traffic to impact system availability, it successfully demonstrated how analysts can investigate unusual network behaviour and correlate observations with system metrics. The skills developed during this exercise directly relate to real-world troubleshooting, monitoring, and security analysis scenarios.

 
 
 

Comments


©2023 by FabzTechTips

bottom of page