URG-ACK Flood

An URG-ACK flood is a DDoS attack designed to disrupt network activity by saturating bandwidth and resources on stateful devices in its path.
By continuously sending URG-ACK packets towards a target, stateful defenses can go down (In some cases into a fail open mode). This flood could also be used as a smoke screen for more advanced attacks. This is true for other out of state floods too.

URG-ACK Packets are considered an illegal packet by the Original TCP RFC. While it left room for customized behavior it is virtually unused today. Thus different systems can react differently to these packets and may cause unexpected issues and behavior.

Technical Analysis

Below an analysis of an URG-ACK flood is shown. The following images depict a high rate of URG-ACK packets being sent from a single source IP towards a single destination IP.
In Image 1 below, you can see the flood of URG-ACK packets coming from a single source. Notice the rate at which the packets are sent.

“Image 1 – example of single URG-ACK packet being sent to port 80”

In Image 2 you can see the victim responding with an RST packet. The reason this RST packet is received in response to the original URG-ACK packet is because the TCP stack receiving the URG-ACK packet never had a corresponding sequence of SYN – SYN+ACK +ACK (Otherwise known as the TCP handshake). Some environments may opt not to send a RST packet back to the source of the offending URG-ACK packet. The URG-ACK packet is known as an out of state packet.

“Image 2 – RST packet received because of “out of state” URG-ACK packet sent”

As seen in Image 3. The capture analyzed is 14 seconds long and the average number of packets per second are at 237, with a rate of around 102Kbps. Attack rates could be much higher.

“Image 3 – URG-ACK Flood stats”

A typical URG-ACK flood running against an unsuspecting host will look similar to the above analysis. Generally what is seen is a high rate of URG-ACK packets (not preceded by a TCP handshake) and a slightly lesser rate of RST packets coming from the targeted server.

Analysis of an URG-ACK flood in Wireshark – Filters

Filter URG-ACK packets – “tcp.flags.urg && tcp.flags.ack”.
Goto Statistics -> Summary on the menu bar to understand the rate you are looking at.

Download Example PCAP of URG-ACK Flood

*Note: IP’s have been randomized to ensure privacy.
Download URG-ACK Flood PCAP

Leave a Reply

Your email address will not be published. Required fields are marked *

Leaders in Cyber Threat Assessment

Strengthen your resistance to cyber attacks!