An ACK flood is DDoS attack designed to disrupt network activity by saturating bandwidth and resources on stateful devices in its path.
By continuously sending ACK packets towards a target, state full defenses can go down (In some cases into a fail open mode) and this flood could be used as a smoke screen for more advanced attacks. This is true for other out of state floods too.
Below an analysis of an ACK flood is shown. The following images depict a high rate of ACK packets being sent from a single source IP towards a single destination IP.
“Image 1” – example of single ACK packet begin sent to port 80
“Image 2” – RST packet received because of “out of state” ACK packet sent
The reason this RST packet is received in response to the original ACK packet is because the TCP stack receiving the ACK packet never had a corresponding sequence of SYN – SYN+ACK +ACK (Otherwise known as the TCP handshake). Some environments may opt not to send a RST packet back to the source of the offending ACK packet. The ACK packet is known as an out of state packet.
“Image 3” – See only ACK packets for SRC IP in Wireshark
The above shows all ACK packets ONLY for src IP 172.28.98.129 ONLY. Notice the times between the packets.
“Image 4” – ACK Flood stats
As seen in the image above. The capture analyzed is 2 seconds and the average number of packets per second are at 7133 PPS, with a rate of around 385Kbps. Look at the “Displayed” column only.
A typical ACK flood running against an unsuspecting host will look similar to the above analysis. Generally what is seen is a high rate of ACK packets (not preceded by a TCP handshake) and a slightly lesser rate of RST packets coming from the targeted server.
Analysis of an ACK flood in Wireshark – Filters
Filter out ACK packets – tcp.flags.ack == 1
Goto Statistics -> Summary on the menu bar to understand the rate you are looking at.
Download Example PCAP of ACK Flood
*Note IP’s have been randomized to ensure privacy.