An URG-SYN flood is a DDoS attack designed to disrupt network activity by saturating bandwidth and resources on stateful devices in its path.
By continuously sending URG-SYN packets towards a target, stateful defenses can go down (In some cases into a fail open mode). This flood could also be used as a smoke screen for more advanced attacks. This is true for other out of state floods too.
URG-SYN Packets are considered an illegal packet by the Original TCP RFC. While it left room for customized behavior it is virtually unused today. Thus different systems can react differently to these packets and may cause unexpected issues and behavior.
Below an analysis of an URG-SYN flood is shown. The following images depict a high rate of URG-SYN packets being sent from a single source IP towards a single destination IP.
In Image 1 below, you can see the flood of URG-SYN packets coming from a single source. Notice the rate at which the packets are sent.
“Image 1 – example of single URG-SYN packet being sent to port 80”
Unexpectedly, the victim returns a SYN-ACK packet, as can be seen in Image 2.
“Image 2 – ACK-SYN Packet Returned by the Victim”
As seen in Image 3 the capture analyzed is 14 seconds long and the average number of packets per second are at 355, with a rate of around 161Kbps. The actual attack rate is around a half of this, because the returning SYN-ACKs are also counted. Attack rates could be much higher.
“Image 3 – URG-SYN Flood stats”
A typical URG-SYN flood running against an unsuspecting host will look similar to the above analysis. Generally what is seen is a high rate of URG-SYN packets (not preceded by a TCP handshake).
Analysis of an URG-SYN flood in Wireshark – Filters
Filter URG-SYN packets – “tcp.flags.urg && tcp.flags.syn”.
Goto Statistics -> Summary on the menu bar to understand the rate you are looking at.
Download Example PCAP of URG-SYN Flood
*Note: IP’s have been randomized to ensure privacy.
Download URG-SYN Flood PCAP