A DDoS Attack Explained: TCP SYN ACK Flood

Continuing on with explanations of attack vectors, we will be discussing a TCP SYN ACK flood. A TCP packet with the SYN and ACK flags set is used as part of the three-step process of establishing a TCP connection.

1. SYN packet. During this stage, a client (such as a desktop computer, laptop, or smartphone) initiates an outgoing connection to a server (such as a web or gaming server).
2. SYN-ACK packet. The server responds with an acknowledgement of the initial request, signaling it is ready to finish initiating the connection.
3. ACK packet. The client sends a final acknowledgment, signifying that both the client and server are ready to send and receive data.
This process is known as a “three-way handshake”.

A TCP SYN ACK flood involves sending a large number of TCP packets that have both the SYN and the ACK bits set. This kind of flood is very similar to the more common SYN flood.

First, let’s take a look at what a SYN ACK flood looks like. This is a spoofed SYN ACK flood against server IP address on port 80.

12:43:52.835860 IP > Flags [S.], seq 2130742457, ack 1965920245, win 512, length 0
0x0000: 4500 0028 31ac 0000 3f06 466e f01a b578 E..(1...?.Fn...x
0x0010: 4814 160f 06a0 0050 7f00 8cb9 752d 8ff5 H......P....u-..
0x0020: 5012 0200 924f 0000 0000 0000 0000 P....O........
12:43:53.835899 IP > Flags [S.], seq 1590728177, ack 1831211018, win 512, length 0
0x0000: 4500 0028 d4d7 0000 3f06 6939 fae2 e4b9 E..(....?.i9....
0x0010: 4814 160f 06a1 0050 5ed0 95f1 6d26 100a H......P^...m&..
0x0020: 5012 0200 f72f 0000 0000 0000 0000 P..../........
12:43:54.835938 IP > Flags [S.], seq 1450754368, ack 932352526, win 512, length 0
0x0000: 4500 0028 ba9b 0000 3f06 c2df 5398 4c9a E..(....?...S.L.
0x0010: 4814 160f 06a2 0050 5678 c140 3792 920e H......PVx.@7...
0x0020: 5012 0200 c731 0000 0000 0000 0000 P....1........
12:43:55.835978 IP > Flags [S.], seq 1615424763, ack 1978575496, win 512, length 0
0x0000: 4500 0028 e6ba 0000 3f06 33fc f306 0ff0 E..(....?.3.....
0x0010: 4814 160f 06a3 0050 6049 6cfb 75ee aa88 H......P`Il.u...
0x0020: 5012 0200 580a 0000 0000 0000 0000 P...X.........

The [S.] flag indicates that it is a SYN ACK packet.

A TCP session is required for a server to accept any TCP packet (other than a SYN packet, which is meant to initiate the connection). If a session does not exist for the source/destination pair, the packet will not be accepted by the server. In the case of a SYN ACK packet, the server will reply with a RST (reset) packet, telling the client that there is no established connection.

A SYN ACK flood consists of sending a large number of SYN ACK packets with spoofed source IP addresses to a destination server. If the packets are allowed to reach the destination, the server has to send a RST packet back out for each packet that does not belong to a valid TCP connection. Every packet that a server processes costs resources, even if it’s just to deny the connection. For this reason, a SYN ACK flood can be very effective. A SYN ACK packet is an allowed “initial” inbound packet if the server sent out a SYN request first.
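The rule in the paragraph above (a SYN ACK is legitimate only when the server sent a SYN first) is the check a stateful filter or detector applies. The Python sketch below is an added example, not code from the original article; the function names are hypothetical and the sample packets are constructed with RFC 5737 documentation addresses.

```python
import socket
import struct
SYN, ACK = 0x02, 0x10

def parse_ipv4_tcp(pkt: bytes):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4              # IP header length in bytes
    if ihl < 20 or len(pkt) < ihl + 14:    # need the TCP header up to the flags byte
        return None
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return src, dst, sport, dport, pkt[ihl + 13]

def classify(packets, local_ip):
    """Count SYN ACKs arriving at local_ip, split by whether we sent a SYN first."""
    pending = set()                        # (remote_ip, remote_port, local_port)
    result = {"solicited": 0, "unsolicited": 0}
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            continue
        src, dst, sport, dport, flags = parsed
        syn_ack = flags & (SYN | ACK)
        if src == local_ip and syn_ack == SYN:
            pending.add((dst, dport, sport))       # our own outbound SYN
        elif dst == local_ip and syn_ack == (SYN | ACK):
            key = (src, sport, dport)
            if key in pending:
                pending.discard(key)               # one SYN ACK per SYN sent
                result["solicited"] += 1
            else:
                result["unsolicited"] += 1         # no session: would draw a RST
    return result

def build(src, dst, sport, dport, flags):
    """Constructed 40-byte test packet (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 63, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 512, 0, 0)
    return ip + tcp

SERVER = "192.0.2.10"                      # constructed sample address
SAMPLE = [
    build(SERVER, "198.51.100.7", 40000, 443, SYN),        # server dials out
    build("198.51.100.7", SERVER, 443, 40000, SYN | ACK),  # legitimate reply
] + [build(f"203.0.113.{i}", SERVER, 1696 + i, 80, SYN | ACK) for i in range(1, 5)]
print(classify(SAMPLE, SERVER))
```

A high ratio of unsolicited to solicited SYN ACKs over a short window is the signal to alert on or to drop upstream, before the server spends resources answering each one with a RST.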

This type of flood, as with any other TCP flood, is effective because it forces the server to drop the packets. This causes resource exhaustion, as the server has to process each packet. A SYN ACK flood can potentially be more effective than a SYN flood where the DDoS mitigation provider handles SYN floods better than SYN ACK floods, which is often the case. A SYN flood is the more effective way of taking down a server, though, in the sense that once the packets hit the server, each SYN packet half-opens a TCP connection. Even with DDoS mitigation, there is a potential for some packets to get through to the server. It takes a smaller number of SYN packets to impact a server, and as such the SYN flood is the more effective choice.

Free Cloud Services and How They Are Used for DDoS


Free cloud services have become popular in recent years. These services provide developers a platform to test software and collaborate with others easily. While this sounds amazing, in reality these platforms can be a goldmine for attackers if not properly secured. Many of these services require only an email for verification. Setting up fake emails and automating this sign-up process is all too simple for attackers.

A couple years ago at Black Hat in Las Vegas, security researchers Oscar Salazar and Rob Ragan demonstrated just how easy this process was. They managed to accumulate 1,000 free cloud accounts during one weekend. With this free botnet they performed LiteCoin mining, allowing them to average $1,750 per week in pure profit.

This was a proof-of-concept exercise, and as such restraint was shown. A malicious user, on the other hand, would feel no need to limit themselves. Imagine tens of thousands of free cloud services being utilized for DDoS attacks. Bypassing email authentication is simple for any skilled coder; free cloud providers need to be aware of this and take the necessary steps to improve authentication. These types of services are ideal for attackers to perform distributed network scanning, distributed password cracking, DDoS attacks, click-fraud, cryptocurrency mining and data storage.

Moving forward, we need to keep security in mind as we offer free services and connect more devices to the internet. The threat landscape is constantly evolving, and as a community we need to evolve as well. Take any and every step possible to remain secure and up to date.