FIN Flood

FIN Flood is a DDoS attack aimed at consuming computing power and saturating bandwidth. FIN Floods are generally spoofed attacks and normally come at a very high rate.

FIN floods, if not dropped by stateful devices on the perimeter, may overwhelm the internal network architecture. Generally this flood is used as a basic but effective flood to bring down perimeter devices or saturate bandwidth.

Technical Analysis

Image 1 shows the attacker (10.0.0.2) sending FIN packets to the victim (10.128.0.2) to port 80.

“Image 1 – Example of a Single FIN packet Sent to Port 80”

As can be seen in Image 2, the Average number of packets per seconds is over 120. FIN Floods can come at a much higher rate.

“Image 2 – FIN Flood Stats”

A typical FIN flood running against a host will look similar to the above analysis. Generally what is seen, is a high rate of FIN packets (not preceded by a TCP handshake). A FIN flood is considered an out of state flood.

Analysis of an FIN+ACK flood in Wireshark – Filters

Filter out FIN packets – “tcp.flags == 0x001”

Go to Statistics -> Summary on the menu bar to understand the rate you are looking at.

Download Example PCAP of FIN+ACK Flood

*Note IP’s have been randomised to ensure privacy.

Download FIN Flood PCAP

Leave a Reply

Your email address will not be published. Required fields are marked *

3-layers (1)