DDoS Attack : TCP SYN Flood
SYN Flood Attack
DDoS attacks use many different approaches and methods, but they can be divided into three major types: volume-based attacks, protocol attacks, and application layer attacks. The TCP SYN flood is one of the most common DDoS attack methods and belongs to the protocol attack type.
Here is a detailed explanation of the TCP SYN flood.
What Is A SYN Flood Attack
A TCP SYN flood, usually just called a SYN flood, is a type of Distributed Denial of Service (DDoS) attack whose purpose is to exhaust resources on the victim server and make it unresponsive by exploiting part of the normal TCP three-way handshake.
Fundamentally, the attacker sends TCP connection requests faster than the victim machine can process them, causing congestion on the network and filling the server's connection tables.
Description Of The Attack
This is an example of a normal TCP "three-way handshake" that establishes a connection between a client and a server:
- The client requests a connection to the server by sending a synchronize (SYN) message.
- The server acknowledges the client's SYN message by sending back a synchronize-acknowledge (SYN-ACK) message.
- The connection is established when the client responds with an acknowledge (ACK) message.
In a SYN flood attack, the attacker usually uses a fake (spoofed) IP address and sends repeated SYN packets to every port on the victim's server. The server receives multiple requests that appear to be genuine attempts to establish communication, and it is not aware of the attack. The server responds to each attempt with a SYN-ACK packet from every open port.
The malicious client never sends the expected ACK. If the client's IP address is spoofed, it never even receives the SYN-ACK in the first place, because the server's reply goes to the spoofed address. In either case, the server under attack keeps waiting for the acknowledgement of its SYN-ACK packet for some time.
Without an RST packet from the client to tell it otherwise, the server cannot close the connection, and the connection stays open during this waiting period. TCP SYN flood attacks are also called half-open attacks, because before one connection can time out, another SYN packet arrives, leaving a large number of connections in the half-open state. In the end, service to genuine clients' requests is denied: the server's connection tables overflow, and the server will most likely crash or malfunction.
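The half-open state described above is also what a defender can observe. The following script is an added example, not code from the original article: it replays a constructed packet log (not a real capture), opens a half-open entry for every client SYN, closes it when the same client sends its ACK, expires entries the way a server's backlog timer would, and then flags any source address that leaves many connections half-open. The log format, the addresses, the port numbers and the threshold are all assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample packet log (not captured from any real system).
# Format: "<time_ms> <src>:<sport> > <dst>:<dport> <flags>" where flags are
# S (SYN), SA (SYN-ACK) or A (ACK). 10.0.0.5 and 10.0.0.6 complete their
# handshakes; 203.0.113.7 keeps sending SYNs and never acknowledges,
# which is exactly the half-open pattern a SYN flood leaves behind.
SAMPLE_LOG = """\
1 10.0.0.5:40001 > 192.0.2.10:80 S
2 192.0.2.10:80 > 10.0.0.5:40001 SA
3 10.0.0.5:40001 > 192.0.2.10:80 A
10 203.0.113.7:1001 > 192.0.2.10:80 S
11 192.0.2.10:80 > 203.0.113.7:1001 SA
12 203.0.113.7:1002 > 192.0.2.10:80 S
13 192.0.2.10:80 > 203.0.113.7:1002 SA
14 203.0.113.7:1003 > 192.0.2.10:443 S
15 192.0.2.10:443 > 203.0.113.7:1003 SA
16 203.0.113.7:1004 > 192.0.2.10:80 S
17 192.0.2.10:80 > 203.0.113.7:1004 SA
20 10.0.0.6:50002 > 192.0.2.10:80 S
21 192.0.2.10:80 > 10.0.0.6:50002 SA
22 10.0.0.6:50002 > 192.0.2.10:80 A
30 203.0.113.7:1005 > 192.0.2.10:80 S
31 192.0.2.10:80 > 203.0.113.7:1005 SA
"""


def parse_line(line):
    """Parse one log line into (time_ms, src_ip, sport, dst_ip, dport, flags)."""
    t, src, _, dst, flags = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return int(t), src_ip, int(sport), dst_ip, int(dport), flags


def track_half_open(log, timeout_ms=30000):
    """Replay the log and return {src_ip: number of still half-open connections}.

    A client SYN opens a half-open entry keyed by the 4-tuple; the client's
    ACK (third step of the handshake) completes and removes it. Entries older
    than timeout_ms are dropped, mimicking the server's backlog timeout.
    """
    half_open = {}  # (src_ip, sport, dst_ip, dport) -> time of the SYN
    for raw in log.strip().splitlines():
        t, src, sport, dst, dport, flags = parse_line(raw)
        # Expire entries that have outlived the backlog timer.
        for key in [k for k, t0 in half_open.items() if t - t0 > timeout_ms]:
            del half_open[key]
        key = (src, sport, dst, dport)
        if flags == "S":
            half_open[key] = t
        elif flags == "A":
            half_open.pop(key, None)
        # "SA" is the server's reply; it does not change the client's state.
    counts = defaultdict(int)
    for (src, _, _, _) in half_open:
        counts[src] += 1
    return dict(counts)


def flag_sources(counts, threshold=3):
    """Return source IPs holding at least `threshold` half-open connections."""
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    counts = track_half_open(SAMPLE_LOG)
    print("half-open connections per source:", counts)
    print("suspect sources:", flag_sources(counts))
```

With the default timeout the two genuine clients leave nothing behind and 203.0.113.7 holds five half-open entries; with a very short timeout the older entries expire and only the most recent SYN remains, which is why an attacker has to keep new SYNs arriving faster than the backlog drains. On a real host the same per-source count is what a netstat or ss listing of SYN_RECV sockets, or a connection tracking table, gives you.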
SYN packets can also be used simply to saturate the pipes with bogus traffic and cause network congestion in a DDoS attack. In that case the packet type itself is not important; SYN packets are just the usual default choice.