SYN-ACK Flood Attack
An ACK flood attack is when an attacker tries to overload a TCP server with TCP ACK packets. Like many other DDoS attacks, the objective of an ACK flood is to deny service to legitimate users by making a system or network sluggish with junk data.
The victim server has to process every ACK packet it receives, which consumes so much computing power that it cannot serve legitimate users. By analogy, a prankster sending a flood of voicemails or texts can tie up a phone so badly that its owner cannot receive calls from regular contacts. An ACK flood attack works on the same principle.
What is a Packet?
All data transmitted over the internet reaches the user in the form of packets. For example, a messaging service may impose a length limit on a single message; if a message is too long, it has to be split across multiple packets for the user to receive it. The Transmission Control Protocol (TCP) is a crucial part of communication over the internet.
Packets sent using TCP carry a TCP header. TCP uses this header to tell the receiver how many packets to expect and in which order they belong. The header also carries further details, such as the length of the packet, the type of packet it is, and other attributes.
This is similar to naming a file to tell people what is inside it. People who post long threads on Twitter indicate how many tweets the message contains and number each tweet so that readers can follow them in the correct order.
What is an ACK Packet?
ACK, short for “acknowledgement”, is a flag set in the TCP header to tell the other side that a message has been received. ACK packets are part of the three-way handshake that starts any TCP conversation between two parties over the internet. There are three steps involved in initiating a connection:
- SYN
- SYN-ACK
- ACK
The device that initiates the connection, say a user's laptop, starts the three-way handshake by sending a SYN (“synchronize”) packet. The device at the other end replies with a SYN-ACK packet. Finally, the user's laptop transmits an ACK packet, and the handshake is complete. This ensures that both devices have an established connection and are ready to receive further packets.
ACK packets are not only used during connection setup. TCP is also responsible for delivering all packets in the correct order at the receiving end. Suppose a user visits a webpage that hosts an image.
The image is broken into pieces and sent to the user's browser. Once the entire image has been received, the user's device sends an ACK to confirm that not a single pixel is missing. Without this ACK, the host server has to send the image again. Since an ACK packet is any TCP packet with the ACK flag set in its header, the ACK can ride on a different message the laptop sends to the server: if the user fills in a form and submits it, one of the form's packets can serve as the ACK for the image. It does not need to be a separate packet.
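To make the header fields and handshake steps above concrete, here is an added example (not code from the original page) that parses the fixed TCP header, names the handshake stage of each segment, and counts bare ACKs arriving for flows the server never saw a SYN for, which is the defender's view of an ACK flood. The segments, ports and the `stray_ack_count` heuristic are constructed for this illustration; a real monitor would key flows on addresses as well as ports.

```python
import struct
# Flag bits in the low six bits of the TCP header's offset/flags word
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def build_segment(sport, dport, seq, ack, flags, payload=b""):
    """Construct a TCP segment with no options and a zero checksum (sample data only)."""
    bits = sum(FLAGS[f] for f in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | bits, 65535, 0, 0) + payload

def parse_tcp_header(segment):
    """Parse the fixed 20-byte TCP header: ports, sequence/ack numbers, flags, payload."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    hlen = (off_flags >> 12) * 4                      # data offset is counted in 32-bit words
    flags = {name for name, bit in FLAGS.items() if off_flags & bit}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "payload": segment[hlen:]}

def handshake_stage(hdr):
    """Name the handshake step a segment represents, or DATA/OTHER."""
    f = hdr["flags"]
    if f == {"SYN"}:
        return "SYN"
    if f == {"SYN", "ACK"}:
        return "SYN-ACK"
    if "ACK" in f and not hdr["payload"]:
        return "ACK"                                  # bare ACK: what an ACK flood sends
    return "DATA" if "ACK" in f else "OTHER"

def stray_ack_count(segments, server_port):
    """Count bare ACKs to the server for flows in which it never saw a SYN."""
    known, stray = set(), 0
    for seg in segments:
        h = parse_tcp_header(seg)
        if h["dport"] != server_port:
            continue                                  # only traffic towards the server
        stage, key = handshake_stage(h), (h["sport"], h["dport"])
        if stage == "SYN":
            known.add(key)
        elif stage == "ACK" and key not in known:
            stray += 1
    return stray

# Constructed sample: a legitimate handshake from port 40000, then three bare ACKs from ports that never sent a SYN
SAMPLE = [build_segment(40000, 80, 1000, 0, {"SYN"}),
          build_segment(80, 40000, 5000, 1001, {"SYN", "ACK"}),
          build_segment(40000, 80, 1001, 5001, {"ACK"})]
SAMPLE += [build_segment(p, 80, 7, 7, {"ACK"}) for p in (50001, 50002, 50003)]
```

A stateful firewall applies the same idea when it drops ACKs that belong to no connection it has tracked.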
What happens during a SYN Flood Attack?
When a client and a server establish a connection using the three-way handshake, the exchange follows three steps:
- The client requests a connection by sending a SYN message to the server
- The server acknowledges the request by sending a SYN-ACK message back to the client
- The client then transmits an ACK confirming that the SYN-ACK was received
A SYN flood abuses this exchange: the attacker sends large numbers of SYN messages and never completes the third step, so the server is left holding half-open connections while it waits for ACKs that never arrive.
How do I protect myself from a SYN Flood Attack?
Several common methods can mitigate the risk of a SYN flood attack:
- Micro blocks: allocating only a micro record of 16 bytes for each incoming SYN request
- SYN cookies: using cryptographic hashing, the server responds with a SYN-ACK whose TCP header carries a hash value; when the client's ACK returns, the server checks the hash and, only if it is valid, allocates the connection in memory
- RST cookies: the server deliberately sends an invalid SYN-ACK, which causes a legitimate client to respond with an RST; if the RST arrives, the server knows the request is genuine and establishes the connection with the client
- Stack tweaking: administrators can tune the TCP stack to reduce the effect of a SYN-ACK flood
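As an added illustration of the SYN cookie idea (not code from the original page, and a simplified layout rather than any kernel's exact encoding): the server folds a time slot, the client's MSS and a keyed hash of the connection 4-tuple into the sequence number of its SYN-ACK, stores nothing for the half-open connection, and allocates state only when the returning ACK carries a valid, fresh cookie. The secret, the MSS table, the bit layout and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import socket
import struct

# Constructed secret for this example; a real server generates one at boot and rotates it.
SECRET = b"example-only-syn-cookie-secret"
MSS_TABLE = (536, 1220, 1440, 1460)   # the client's MSS is stored as a 2-bit index into this table

def _mac(saddr, sport, daddr, dport, count):
    """Keyed hash over the connection 4-tuple and the time slot, truncated to 24 bits."""
    msg = struct.pack("!4sH4sHI", socket.inet_aton(saddr), sport,
                      socket.inet_aton(daddr), dport, count)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(saddr, sport, daddr, dport, mss, now):
    """Initial sequence number for the SYN-ACK; nothing is stored for the half-open connection.

    Layout: 6-bit time slot (64 s units) | 2-bit MSS index | 24-bit MAC.
    """
    count = (int(now) >> 6) & 0x3F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (count << 26) | (mss_idx << 24) | _mac(saddr, sport, daddr, dport, count)

def check_cookie(saddr, sport, daddr, dport, ack_num, now):
    """Validate the handshake's final ACK.

    Returns the MSS to use when the cookie is genuine and fresh, else None;
    the server allocates connection state only on success.
    """
    cookie = (ack_num - 1) & 0xFFFFFFFF          # the client acknowledges ISN + 1
    count = cookie >> 26
    mss_idx = (cookie >> 24) & 0x3
    current = (int(now) >> 6) & 0x3F
    if (current - count) & 0x3F > 1:             # more than about two slots old: stale or replayed
        return None
    if (cookie & 0xFFFFFF) != _mac(saddr, sport, daddr, dport, count):
        return None                              # forged, or issued to a different 4-tuple
    return MSS_TABLE[mss_idx]
```

Because nothing is stored until the ACK validates, any option from the client's SYN that the cookie does not encode (window scaling, SACK) is lost; that loss is the usual trade-off of SYN cookies.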