SYN flood is a DDoS attack aimed at consuming connection resources on the backend servers themselves and on stateful elements, like FW and Load balancers.
This is done by sending numerous TCP-SYN requests toward targeted services while spoofing the attack packets source IP. This leaves the TCP backlog saturated and the server and/or daemon attacked will not be able to receive any new connections.
Technical Analysis
Below an analysis of an SYN flood is shown. The following images depict a high rate of SYN packets being sent from a single source IP towards a single destination IP.
In Image 1 below, you can see the flood of SYN packets coming from a single source. Notice the rate at which the packets are sent.
“Image 1 – example of single SYN packet being sent to port 80”
In Image 2 you can see the victim responding with an SYN-ACK packet. The reason this SYN-ACK packet is received in response to the original SYN packet is because the victim considers this packet to be a legitimate connection request, and thus responds with a SYN-ACK in accordance with the TCP Handshake.
“Image 2 – SYN-ACK packet received”
As seen in Image 3. The capture analyzed is 14 seconds long and the average number of packets per second are at 355, with a rate of around 161Kbps. It includes the returning SYN-ACK packets as well. Attack rates could be much higher.
“Image 3 – SYN Flood stats”
A typical SYN flood running against an unsuspecting host will look similar to the above analysis. Generally what is seen is a high rate of SYN packets and a slightly lesser rate of SYN-ACK packets coming from the targeted server.
Analysis of an ACK flood in Wireshark – Filters
Filter SYN packets – “tcp.flags.syn”.
Goto Statistics -> Summary on the menu bar to understand the rate you are looking at.
Download Example PCAP of SYN Flood
*Note: IP’s have been randomized to ensure privacy.
