An ACK-SYN flood is a DDoS attack designed to disrupt network activity by saturating bandwidth and resources on stateful devices in its path.
By continuously sending ACK-SYN packets towards a target, stateful defenses can go down (In some cases into a fail open mode). This flood could also be used as a smoke screen for more advanced attacks. This is true for other out of state floods too.
Technical Analysis
Below an analysis of an ACK-SYN flood is shown. The following images depict a high rate of ACK-SYN packets being sent from a single source IP towards a single destination IP.
In Image 1 below, you can see the flood of ACK-SYN packets coming from a single source. Notice the rate at which the packets are sent.
“Image 1 – example of single ACK-SYN packet being sent to port 80”
In Image 2 you can see the victim responding with an RST packet. The reason this RST packet is received in response to the original ACK-SYN packet is because the TCP stack receiving the ACK-SYN packet never had a corresponding sequence of SYN – SYN+ACK +ACK (Otherwise known as the TCP handshake). Some environments may opt not to send a RST packet back to the source of the offending ACK-SYN packet. The ACK-SYN packet is known as an out of state packet.
“Image 2 – RST packet received because of “out of state”ACK-SYN packet sent”
As seen in Image 3. The capture analyzed is 9 seconds long and the average number of packets per second are at 116, with a rate of around 50Kbps. Attack rates could be much higher.
“Image 3 – ACK-SYN Flood stats”
A typical ACK-SYN flood running against an unsuspecting host will look similar to the above analysis. Generally what is seen is a high rate of ACK-SYN packets (not preceded by a TCP handshake) and a slightly lesser rate of RST packets coming from the targeted server.
Analysis of an ACK-SYN flood in Wireshark – Filters
Filter ACK-SYN packets – “(tcp.flags.ack == 1) && (tcp.flags.syn == 1)”.
Goto Statistics -> Summary on the menu bar to understand the rate you are looking at.
Download Example PCAP of ACK-SYN Flood
*Note: IP’s have been randomized to ensure privacy.