RST Flood

An RST flood is a DDoS attack designed to disrupt network activity by saturating bandwidth and resources on stateful devices in its path.

By continuously sending RST packets towards a target, an attacker can cause stateful defenses to go down (in some cases into a fail-open mode). This flood can also be used as a smoke screen for more advanced attacks. The same is true of other out-of-state floods.

Different systems can react differently to RST packets, which may cause unexpected issues and behavior.

Technical Analysis

An analysis of an RST flood is shown below. The following images depict a high rate of RST packets being sent from a single source IP towards a single destination IP.

In Image 1 below, you can see the flood of RST packets coming from a single source. Notice the rate at which the packets are sent.

“Image 1 – example of single RST packet being sent to port 80”

As seen in Image 2, the capture analyzed is 9 seconds long and the average number of packets per second is 58, with a rate of around 25Kbps. Attack rates could be much higher.

“Image 2 – RST Flood stats”

A typical RST flood running against an unsuspecting host will look similar to the above analysis. Generally, what is seen is a high rate of RST packets that are not preceded by a TCP handshake.

Analysis of an RST flood in Wireshark – Filters

Filter RST packets – “tcp.flags.reset == 1”.
Go to Statistics -> Summary on the menu bar to understand the rate you are looking at.
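The same two checks (RST with no handshake seen first, and the packet rate) can be scripted for detection. The following is an added example, not part of the original page: the packet tuple layout, the function names, the 50 pps threshold and the documentation-range addresses are assumptions, and the sample capture is constructed to mirror the 9-second, 58 pps figures above.

```python
from collections import defaultdict

SYN, RST = 0x02, 0x04  # TCP flag bits

def flow_key(src, sport, dst, dport):
    # Direction-independent, so a SYN from either side creates state for the flow.
    return tuple(sorted([(src, sport), (dst, dport)]))

def out_of_state_rst_report(packets, pps_threshold=50):
    """packets: time-ordered (ts, src, sport, dst, dport, tcp_flags) tuples.
    pps_threshold is an assumed alerting value; tune it to your baseline."""
    flows_with_syn = set()
    per_dst = defaultdict(lambda: {"rst": 0, "out_of_state": 0, "times": []})
    for ts, src, sport, dst, dport, flags in packets:
        key = flow_key(src, sport, dst, dport)
        if flags & SYN:
            flows_with_syn.add(key)
        if flags & RST:
            entry = per_dst[dst]
            entry["rst"] += 1
            if key not in flows_with_syn:  # RST with no handshake seen first
                entry["out_of_state"] += 1
                entry["times"].append(ts)
    report = {}
    for dst, entry in per_dst.items():
        times = entry["times"]
        span = max(times[-1] - times[0], 1.0) if times else 1.0
        pps = entry["out_of_state"] / span
        report[dst] = {"rst": entry["rst"], "out_of_state": entry["out_of_state"],
                       "pps": round(pps, 1), "alert": pps >= pps_threshold}
    return report

def constructed_capture():
    # Constructed sample (documentation addresses), not the page's PCAP:
    # one normal connection closed by a RST, plus 522 bare RSTs over 9 seconds.
    pkts = [(0.00, "203.0.113.5", 51000, "192.0.2.10", 80, 0x02),   # SYN
            (0.01, "192.0.2.10", 80, "203.0.113.5", 51000, 0x12),   # SYN/ACK
            (0.02, "203.0.113.5", 51000, "192.0.2.10", 80, 0x10),   # ACK
            (0.30, "203.0.113.5", 51000, "192.0.2.10", 80, 0x04)]   # in-state RST
    pkts += [(i * 9 / 521, "198.51.100.7", 1024 + i, "192.0.2.10", 80, 0x04)
             for i in range(522)]
    return sorted(pkts, key=lambda p: p[0])

if __name__ == "__main__":
    for dst, row in out_of_state_rst_report(constructed_capture()).items():
        print(dst, row)
```

The RST that closes the normal connection is counted but not treated as out of state, so only the handshake-less resets drive the rate and the alert.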

Download Example PCAP of RST Flood

*Note: IPs have been randomized to ensure privacy.

Download RST Flood PCAP