An ACK-PSH flood is a DDoS attack designed to disrupt network activity by saturating bandwidth and resources on stateful devices in its path.

By continuously sending ACK-PSH packets towards a target, stateful defenses can go down (In some cases into a fail open mode). This flood could also be used as a smoke screen for more advanced attacks. This is true for other out of state floods too.

Technical Analysis

Below an analysis of an ACK-PSH flood is shown. The following images depict a high rate of ACK-PSH packets being sent from a single source IP towards a single destination IP.
In Image 1 below, you can see the flood of ACK-PSH packets coming from a single source. Notice the rate at which the packets are sent.

“Image 1 – example of single ACK-PSH packet being sent to port 80”

In Image 2 you can see the victim responding with an RST packet. The reason this RST packet is received in response to the original ACK-PSH packet is because the TCP stack receiving the ACK-PSH packet never had a corresponding sequence of SYN – SYN+ACK +ACK (Otherwise known as the TCP handshake). Some environments may opt not to send a RST packet back to the source of the offending ACK-PSH packet. The ACK-PSH packet is known as an out of state packet.

“Image 2 – RST packet received because of “out of state” ACK-PSH packet sent”

As seen in Image 3 the capture analyzed is 29 seconds long and the average number of packets per second are at 236, with a rate of around 102Kbps. Attack rates could be much higher.

“Image 3 – ACK-PSH Flood stats”

A typical ACK-PSH flood running against an unsuspecting host will look similar to the above analysis. Generally what is seen is a high rate of ACK-PSH packets (not preceded by a TCP handshake) and a slightly lesser rate of RST packets coming from the targeted server.

Analysis of an ACK-PSH flood in Wireshark – Filters

Filter ACK-PSH packets – “tcp.flags.ack && tcp.flags.push”.
Goto Statistics -> Summary on the menu bar to understand the rate you are looking at.

Download Example PCAP of ACK-PSH Flood

*Note: IP’s have been randomized to ensure privacy.Download ACK-PSH Flood PCAP