While reviewing NetFlow logs during a routine audit, a security analyst observes that two employee workstations are alternately opening TCP and UDP sessions on random high-numbered ports. The traffic uses an unfamiliar, proprietary protocol and neither host acts solely as client or server. Which indicator of potentially malicious activity BEST describes this pattern?
Peer-to-peer applications do not rely on a strict client-server model; participating hosts both initiate and accept connections, often on unpredictable high-numbered ports. Because corporate environments typically permit only approved P2P services, seeing a proprietary protocol that hops across random ports strongly suggests unsanctioned or malicious peer-to-peer software-such as a botnet agent or unauthorized file-sharing client. The other options reflect different network behaviors and do not match the bidirectional workstation-to-workstation pattern observed.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a peer-to-peer (P2P) protocol?
Open an interactive chat with Bash
Why are non-standard application-specific protocols considered irregular?
Open an interactive chat with Bash
How can security teams detect irregular traffic patterns?