Continuing on with explanations of attack vectors, we will be discussing a TCP SYN ACK flood. A TCP packet with the SYN ACK flag enabled is used as part of the three step process involved with establishing a TCP connection.
1. SYN packet. During this stage, a client (such as a desktop computer, laptop, or smartphone) initiates an outgoing connection to a server (such as a web or gaming server).
2. SYN-ACK packet. The server responds with an acknowledgement of the initial request, signaling it is ready to finish initiating the connection.
3. ACK packet. The client sends a final acknowledgment, signifying that both the client and server are ready to send and receive data.
This process is known as a “three-way handshake”.
A TCP SYN ACK flood involves sending a large amount of TCP packets with both the SYN and the ACK bit enabled on it. This kind of flood is very similar to the more common SYN flood.
First, let’s take a look at what an SYN ACK flood looks like. This is a spoofed SYN ACK flood against server IP address 10.100.101.102 on port 80.
0x0000: 4500 0028 31ac 0000 3f06 466e f01a b578 E..(1…?.Fn…x
0x0010: 4814 160f 06a0 0050 7f00 8cb9 752d 8ff5 H……P….u-..
0x0020: 5012 0200 924f 0000 0000 0000 0000 P….O……..
12:43:53.835899 IP 250.226.228.185.1697 > 10.100.101.102.80: Flags [S.], seq 1590728177, ack 1831211018, win 512, length 0
0x0000: 4500 0028 d4d7 0000 3f06 6939 fae2 e4b9 E..(….?.i9….
0x0010: 4814 160f 06a1 0050 5ed0 95f1 6d26 100a H……P^…m&..
0x0020: 5012 0200 f72f 0000 0000 0000 0000 P…./……..
12:43:54.835938 IP 188.8.131.52.1698 > 10.100.101.102.80: Flags [S.], seq 1450754368, ack 932352526, win 512, length 0
0x0000: 4500 0028 ba9b 0000 3f06 c2df 5398 4c9a E..(….?…S.L.
0x0010: 4814 160f 06a2 0050 5678 c140 3792 920e H……[email protected]…
0x0020: 5012 0200 c731 0000 0000 0000 0000 P….1……..
12:43:55.835978 IP 243.6.15.240.1699 > 10.100.101.102.80: Flags [S.], seq 1615424763, ack 1978575496, win 512, length 0
0x0000: 4500 0028 e6ba 0000 3f06 33fc f306 0ff0 E..(….?.3…..
0x0010: 4814 160f 06a3 0050 6049 6cfb 75ee aa88 H……P`Il.u…
0x0020: 5012 0200 580a 0000 0000 0000 0000 P…X………
The [S.] flag indicates that it is a SYN ACK packet.
A TCP session is required for a server to accept any TCP packet (other than a SYN packet which is meant to initiate the connection). If a session does not exist for the source/destination pair, the packet will not be accept by the server. In the case of a SYN ACK packet, the server will reply with a RST (reset) packet, telling the client that there is no established connection.
A SYN ACK flood consists of sending a lot of spoofed IP to a destination server. If the packets are allowed to get to the destination, the server has to send a RST packet back out for each packet that it sees does not have a valid TCP connection. Every packet that a server processes costs resources, even if it’s just to deny the connection. For this reason, a SYN ACK flood can be very effective. A SYN ACK packet is an allowed “initial” receive packet if the server sent out a SYN request first.
This type of flood, as with any other TCP flood, is effective because it forces the server to drop the packets. This causes resource exhaustion as it has to process each packet. A SYN ACK flood can potentially be more effective than a SYN flood in the case where the DDoS mitigation provider handles SYN floods better than SYN ACK floods, which is often the case. A SYN flood is a more effective solution to taking down a server though in the sense that once the packets hit the server, a SYN packet half-opens a TCP connection. Even with DDoS mitigation, there is a potential for some packets to get through to the server. It takes a smaller amount of SYN packets to impact a server and as such is the more effective choice.