SYN Flood Attack

[Figure: Attacker 172.26.26.45; Target 10.0.0.2; Spoofed Host 10.0.0.20]

The attacker spoofs a nonexistent source IP address and floods the target with SYN packets.

The target responds to SYN packets by sending SYN-ACK packets to the spoofed hosts.

The target overflows its port buffer with embryonic connections and stops responding to legitimate requests.

[Figure labels: repeated SYN packets, SRC: 10.0.0.20, DST: 10.0.0.2; Port 2876]

©2000, Cisco Systems,

SYN flood attacks, also known as TCP flood or half-open connection attacks, are common DoS attacks perpetrated against IP servers. The attacker spoofs a nonexistent source IP address or IP addresses on the network of the target host, and floods the target with SYN packets pretending to come from the spoofed host. SYN packets to a host are the first step in the three-way handshake of a TCP-type connection; therefore, the target responds as expected with SYN-ACK packets destined for the spoofed host or hosts. Because these SYN-ACK packets are sent to hosts that do not exist, the target sits and waits for the corresponding ACK packets that never show up. This causes the target to overflow its port buffer with embryonic or half-open connections and stop responding to legitimate requests.
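The embryonic-connection buildup described above can be detected from packet summaries by tracking SYNs that never receive the completing ACK. The following is an added example, not part of the original slide or Cisco material; the packet records are constructed, and the use of port 2876 as the target's listening port, the legitimate client 10.0.0.7, the backlog size of 128 and the 30-second timeout are assumptions.

```python
from collections import defaultdict

# Constructed packet summaries: (time_s, src, sport, dst, dport, flags).
# Addresses follow the slide; port 2876 as the listening port and the
# legitimate client 10.0.0.7 are assumptions made for this example.
def sample_packets():
    pkts = [
        # Legitimate client completes the three-way handshake.
        (0.0, "10.0.0.7", 40000, "10.0.0.2", 2876, "SYN"),
        (0.1, "10.0.0.2", 2876, "10.0.0.7", 40000, "SYN-ACK"),
        (0.2, "10.0.0.7", 40000, "10.0.0.2", 2876, "ACK"),
    ]
    # Spoofed source: SYNs arrive, SYN-ACKs go out, no ACK ever returns.
    for i in range(200):
        t = 1.0 + i * 0.01
        pkts.append((t, "10.0.0.20", 1024 + i, "10.0.0.2", 2876, "SYN"))
        pkts.append((t + 0.001, "10.0.0.2", 2876, "10.0.0.20", 1024 + i, "SYN-ACK"))
    return pkts

def embryonic_by_listener(packets, now, timeout=30.0):
    """Count half-open connections per (server, port) still pending at `now`."""
    pending = {}  # (client, cport, server, sport) -> time the SYN was seen
    for t, src, sport, dst, dport, flags in sorted(packets):
        if t > now:
            break
        if flags == "SYN":
            pending[(src, sport, dst, dport)] = t
        elif flags in ("ACK", "RST"):
            # Handshake completed or aborted by the client: not embryonic.
            pending.pop((src, sport, dst, dport), None)
    counts = defaultdict(int)
    for (_, _, server, port), t in pending.items():
        if now - t <= timeout:  # older entries are assumed to have timed out
            counts[(server, port)] += 1
    return dict(counts)

def flooded_listeners(packets, now, backlog=128, timeout=30.0):
    """Listeners whose embryonic count meets or exceeds the assumed backlog."""
    counts = embryonic_by_listener(packets, now, timeout)
    return {k: n for k, n in counts.items() if n >= backlog}

if __name__ == "__main__":
    for (server, port), n in flooded_listeners(sample_packets(), now=5.0).items():
        print(f"{server}:{port} has {n} half-open connections (backlog exhausted)")
```

The completed handshake from 10.0.0.7 is not counted, while the 200 unanswered SYN-ACKs toward 10.0.0.20 exceed the assumed backlog until the entries time out.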
