ACK-FIN Flood

An ACK-FIN flood is a DDoS attack designed to disrupt network activity by saturating bandwidth and resources on stateful devices in its path.

By continuously sending ACK-FIN packets towards a target, stateful defenses can go down (In some cases into a fail open mode). This flood could also be used as a smoke screen for more advanced attacks. This is true for other out of state floods too.

Technical Analysis

Below an analysis of an ACK-FIN flood is shown. The following images depict a high rate of ACK-FIN packets being sent from a single source IP towards a single destination IP.

In Image 1 below, you can see the flood of ACK-FIN packets coming from a single source. Notice the rate at which the packets are sent.

“Image 1 – example of single ACK-FIN packet being sent to port 80”

In Image 2 you can see the victim responding with an RST packet. The reason this RST packet is received in response to the original ACK-FIN packet is because the TCP stack receiving the ACK-FIN packet never had a corresponding sequence of SYN – SYN+ACK +ACK (Otherwise known as the TCP handshake). Some environments may opt not to send a RST packet back to the source of the offending ACK-FIN packet. The ACK-FIN packet is known as an out of state packet.

“Image 2 – RST packet received because of “out of state”ACK-FIN packet sent”

As seen in Image 3. The capture analyzed is 9 seconds long and the average number of packets per second are at 116.6, with a rate of around 50Kbps. Attack rates could be much higher.

“Image 3 – ACK-FIN Flood stats”

A typical ACK-FIN flood running against an unsuspecting host will look similar to the above analysis. Generally what is seen is a high rate of ACK-FIN packets (not preceded by a TCP handshake) and a slightly lesser rate of RST packets coming from the targeted server.

Analysis of an ACK-FIN flood in Wireshark – Filters

Filter ACK-FIN packets – “(tcp.flags.ack == 1) && (tcp.flags.fin == 1)”.
Goto Statistics -> Summary on the menu bar to understand the rate you are looking at.

Download Example PCAP of ACK-FIN Flood

*Note: IP’s have been randomized to ensure privacy.

Download