
What Are SYN Flood, SYN-ACK Flood and ACK Flood Attacks?

SYN flood, SYN-ACK flood and ACK flood attacks are DDoS (Distributed Denial of Service) attacks that overload a target by flooding it with TCP packets that imitate one stage of the TCP handshake: SYN, SYN-ACK and ACK, respectively.

These attacks target stateful network equipment, such as firewalls and servers, and try to exhaust the target's capacity to track TCP connections so that it becomes unreachable to legitimate users. Because they work against devices operating at the transport layer of the OSI model, they are classified as transport layer (L4) DDoS attacks.

Large-scale SYN floods can also generate enough traffic to saturate the link itself. Such attacks additionally overwhelm stateless devices, such as routers and switches, that work on the lower layers of the OSI model; in that case the attack is considered a combined L3/L4 DDoS attack.

How TCP Handshake Works

Transmission Control Protocol (TCP) is one of the main protocols on which the internet is built. TCP carries data between devices on an IP network and guarantees reliable, in-order delivery: lost segments are retransmitted and corrupted ones are detected and discarded.

Unlike UDP, TCP requires a connection to be established before any data is transmitted. When a client wants to exchange data with a server over TCP, it must first set up that connection with the so-called TCP three-way handshake.

This procedure consists of three stages:

  1. SYN: When the client wants to start a connection, it sends a segment with the SYN (synchronize) flag set, carrying its initial sequence number (ISN). Think of it as saying, "Hello, I'd like to talk."
  2. SYN-ACK: The server receives the SYN, records the half-open connection, and responds with a segment that has both SYN and ACK (acknowledge) set: it carries the server's own ISN and acknowledges the client's ISN + 1. This is like the server saying, "Hello, I hear you. Let's talk."
  3. ACK: The client receives the SYN-ACK and replies with an ACK that acknowledges the server's ISN + 1. This is like the client saying, "Great, let's start our conversation."

Once the third segment arrives, the server's half-open entry becomes a fully established connection and the client and server can start exchanging data. Until it arrives, the server has to keep state for a connection that may never complete, and that is the weakness the attacks below exploit.

Common Types of Attack Exploiting SYN, SYN-ACK and ACK Requests

Unfortunately, every stage of the TCP three-way handshake can be abused by DDoS attackers, and in more than one way. Let's look at how each attack works.

How SYN Flood DDoS Attacks Work

The most basic way attackers exploit the TCP handshake is by bombarding the target with a massive number of SYN segments from many different source addresses, for example from a large botnet of infected devices.

The target answers each SYN with a SYN-ACK, allocates an entry in its SYN backlog (the queue of half-open connections) and waits for the final ACK to complete the handshake. The attacker never sends that ACK. The server retransmits the SYN-ACK several times before giving up, so each bogus SYN occupies a backlog slot for tens of seconds, and the backlog fills up with half-open connections.

A different method, common in real attacks, is to send SYN segments with spoofed source addresses. The attacker can cycle through random addresses indefinitely while the server sends its SYN-ACKs to nowhere. The spoofed addresses have to be unreachable or unallocated: a live host that receives an unsolicited SYN-ACK answers with a RST, which would let the server discard the half-open entry.

In either case, the goal of a SYN flood is to exhaust the backlog or connection table of the attacked server or firewall with half-open connections. Once that happens, the target drops new SYNs and can no longer accept connections, so it becomes unavailable to legitimate users.
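The following simulation is an added example, not code from the original page or from Qrator Labs. It models both the handshake described above (sequence and acknowledgment numbers included) and the SYN flood: a listener with a bounded SYN backlog is hit by a spoofed flood that never sends the final ACK, after which legitimate clients try to connect. The same run is repeated with a toy SYN cookie, where the server encodes its state in the ISN instead of storing it. The backlog size, flood size, cookie construction and all addresses are assumptions chosen for illustration; no packets are sent.

```python
import hashlib
import random
from dataclasses import dataclass

# Constructed simulation (not the page's code): a listening socket with a bounded
# SYN backlog, a spoofed SYN flood that never completes the handshake, and the
# same server with SYN cookies. Backlog size, flood size, cookie construction and
# all addresses are assumptions chosen for illustration.

MASK = 0xFFFFFFFF                        # TCP sequence numbers are 32-bit
SYN, SYN_ACK, ACK = "SYN", "SYN-ACK", "ACK"


@dataclass
class Segment:
    src: str      # source address as seen by the server (spoofable)
    flags: str
    seq: int      # sequence number
    ack: int = 0  # acknowledgment number (meaningful when ACK is set)


class Listener:
    """Server side of the three-way handshake."""

    def __init__(self, backlog=128, syncookies=False, secret=b"rotate-me"):
        self.backlog = backlog
        self.syncookies = syncookies
        self.secret = secret
        self.half_open = {}      # src -> server ISN, waiting for the final ACK
        self.established = set()
        self.dropped_syns = 0

    def _cookie(self, src, client_isn):
        # Toy SYN cookie: keyed hash of the peer and its ISN, truncated to 32 bits.
        # Real kernels also fold in a coarse timestamp and an MSS encoding.
        h = hashlib.blake2b(f"{src}:{client_isn}".encode(), key=self.secret, digest_size=4)
        return int.from_bytes(h.digest(), "big")

    def receive(self, seg):
        """Returns the SYN-ACK for a SYN, True/False for an ACK, None if dropped."""
        if seg.flags == SYN:
            if self.syncookies:
                # No state stored: the ISN itself is the proof of the earlier SYN.
                isn = self._cookie(seg.src, seg.seq)
            else:
                if len(self.half_open) >= self.backlog:
                    self.dropped_syns += 1        # backlog full: legitimate SYNs die here
                    return None
                isn = random.getrandbits(32)
                self.half_open[seg.src] = isn
            return Segment("server", SYN_ACK, seq=isn, ack=(seg.seq + 1) & MASK)
        if seg.flags == ACK:
            if self.syncookies:
                expected = (self._cookie(seg.src, (seg.seq - 1) & MASK) + 1) & MASK
            else:
                isn = self.half_open.get(seg.src)
                if isn is None:
                    return False                  # no half-open entry: garbage ACK
                expected = (isn + 1) & MASK
            if seg.ack != expected:
                return False
            self.half_open.pop(seg.src, None)     # half-open entry becomes established
            self.established.add(seg.src)
            return True
        return None


def legit_client(server, src):
    """Well-behaved client: SYN, wait for SYN-ACK, send the final ACK."""
    isn = random.getrandbits(32)
    synack = server.receive(Segment(src, SYN, seq=isn))
    if synack is None:
        return False                              # our SYN was dropped
    assert synack.ack == (isn + 1) & MASK         # server acknowledged our ISN
    return server.receive(Segment(src, ACK, seq=(isn + 1) & MASK, ack=(synack.seq + 1) & MASK))


def spoofed_syn_flood(server, count):
    """Attacker: one SYN per fake source, never answering the SYN-ACK."""
    for i in range(count):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"   # constructed sources
        server.receive(Segment(src, SYN, seq=random.getrandbits(32)))


def run(syncookies, backlog=128, flood=1000, clients=10):
    """Flood first, then let legitimate clients try; returns (connected, half_open, dropped)."""
    random.seed(1)
    server = Listener(backlog=backlog, syncookies=syncookies)
    spoofed_syn_flood(server, flood)
    connected = sum(legit_client(server, f"192.0.2.{i}") for i in range(1, clients + 1))
    return connected, len(server.half_open), server.dropped_syns


if __name__ == "__main__":
    print("plain backlog :", run(False))   # (0, 128, 882): every legitimate client fails
    print("SYN cookies   :", run(True))    # (10, 0, 0): no half-open state to exhaust
```

Without cookies, the first 128 spoofed SYNs fill the backlog and every later SYN, including all ten legitimate ones, is dropped. With cookies the server keeps nothing per SYN, so the flood only costs it the SYN-ACK replies and the legitimate handshakes still complete; what cookies cannot help with is a flood large enough to saturate the link, since the SYN-ACKs still have to be sent.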

How SYN-ACK Flood DDoS Attacks Work

Another way to abuse the TCP handshake is to send a massive number of spoofed SYN-ACK segments with random source addresses. A SYN-ACK is only meaningful as the reply to a SYN the recipient itself sent, so for each one the targeted server or firewall has to look up its connection table to decide whether the packet belongs to a connection it is opening or is garbage. A host normally answers an unsolicited SYN-ACK with a RST, which doubles the packet work per bogus segment.

Using this trick, a SYN-ACK flood consumes the resources of the targeted server or firewall, which is overwhelmed as it processes and validates each incoming SYN-ACK. As a result, the target becomes unavailable to legitimate traffic, causing a denial of service.

How ACK Flood DDoS Attacks Work

Similarly, an ACK flood sends a huge number of spoofed ACK segments. For each one, the target has to check whether it completes a handshake it has pending (the third step of the three-way handshake) or acknowledges data on an established connection, or whether it is garbage.

The goal of an ACK flood is the same: to consume the resources of the targeted server or firewall until it is overwhelmed by the work of matching incoming ACKs against its state. As a result, the target becomes unavailable.
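The state lookup that both the SYN-ACK flood and the ACK flood force on a stateful device is easy to make concrete. The script below is an added example, not the page's or Qrator's code: it replays constructed tcpdump-style lines (not real captures) through a minimal connection table kept for one protected host, labels every inbound SYN-ACK and ACK as solicited or unsolicited, and raises an alert when unsolicited packets of one kind exceed a per-second threshold. The protected address, the log format, the flood sizes and the threshold are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Added example, not the page's code. Simulates a stateful edge device in front
# of one protected host and replays constructed (not captured) tcpdump-style lines.
PROTECTED = {"192.0.2.10"}                # assumption: single protected host
ALERT_THRESHOLD = 100                     # assumption: unsolicited packets per second

LINE = re.compile(
    r"^(?P<t>\d+\.\d+) (?P<src>[\d.]+)\.(?P<sp>\d+) > (?P<dst>[\d.]+)\.(?P<dp>\d+): "
    r"Flags \[(?P<flags>[SPRF.]+)\]"
)

# One outbound connection (host -> 203.0.113.5:443) and one inbound (198.51.100.7 -> host:80).
LEGIT_LOG = """\
0.000 192.0.2.10.40001 > 203.0.113.5.443: Flags [S]
0.020 203.0.113.5.443 > 192.0.2.10.40001: Flags [S.]
0.021 192.0.2.10.40001 > 203.0.113.5.443: Flags [.]
0.100 198.51.100.7.51515 > 192.0.2.10.80: Flags [S]
0.101 192.0.2.10.80 > 198.51.100.7.51515: Flags [S.]
0.120 198.51.100.7.51515 > 192.0.2.10.80: Flags [.]
0.121 198.51.100.7.51515 > 192.0.2.10.80: Flags [P.]
"""


def constructed_flood(n=300):
    """Spoofed SYN-ACKs during second 1, spoofed ACKs during second 2; constructed."""
    lines = []
    for i in range(n):
        lines.append(f"{1 + i / n:.3f} 203.0.113.{i % 256}.{1024 + i} > 192.0.2.10.80: Flags [S.]")
    for i in range(n):
        lines.append(f"{2 + i / n:.3f} 198.51.100.{i % 256}.{2048 + i} > 192.0.2.10.80: Flags [.]")
    return "\n".join(lines)


def parse(text):
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            pkts.append({"t": float(m["t"]), "src": m["src"], "sp": int(m["sp"]),
                         "dst": m["dst"], "dp": int(m["dp"]), "flags": m["flags"]})
    return pkts


def analyze(text):
    """Replay packets through a minimal connection table; label inbound SYN-ACK/ACK."""
    state = {}                       # (remote ip, rport, local ip, lport) -> TCP state
    counts = Counter()               # (kind, solicited?) -> packets
    per_second = defaultdict(Counter)
    for p in parse(text):
        if p["src"] in PROTECTED:    # outbound: only a SYN creates state we must remember
            if p["flags"] == "S":
                state[(p["dst"], p["dp"], p["src"], p["sp"])] = "SYN_SENT"
            continue
        key = (p["src"], p["sp"], p["dst"], p["dp"])
        if p["flags"] == "S":        # inbound SYN: host answers SYN-ACK and waits for ACK
            state[key] = "SYN_RECV"
            continue
        if p["flags"] == "S.":       # SYN-ACK is solicited only if we sent the SYN
            kind, solicited = "SYN-ACK", state.get(key) == "SYN_SENT"
        elif "." in p["flags"]:      # ACK (or data+ACK): needs a pending or open connection
            kind, solicited = "ACK", state.get(key) in ("SYN_RECV", "ESTABLISHED")
        else:
            continue
        if solicited:
            state[key] = "ESTABLISHED"
        else:
            per_second[int(p["t"])][kind] += 1   # a real host would answer these with RST
        counts[(kind, solicited)] += 1
    alerts = [(sec, f"{kind} flood: {n} unsolicited/s")
              for sec, c in sorted(per_second.items())
              for kind, n in c.items() if n >= ALERT_THRESHOLD]
    return counts, alerts


if __name__ == "__main__":
    counts, alerts = analyze(LEGIT_LOG + constructed_flood())
    for (kind, solicited), n in sorted(counts.items()):
        print(f"{kind:8} {'solicited' if solicited else 'unsolicited':12} {n}")
    for sec, msg in alerts:
        print(f"t={sec}s  {msg}")
```

The legitimate SYN-ACK and the two legitimate ACKs match table entries; the 300 spoofed SYN-ACKs and 300 spoofed ACKs match nothing, which is exactly the per-packet lookup (and, on a host, the RST reply) that the attacks monetize. The same unsolicited-ratio per flag class is a reasonable first detection signal on an edge device.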

How SYN-ACK Amplification/Reflection DDoS Attacks Work

Amplification/reflection DDoS attacks usually exploit UDP (User Datagram Protocol), taking advantage of the fact that it is connectionless and therefore replies to whatever source address is in the packet. TCP is not immune to reflection either.

Attackers slightly modify the SYN flood scenario. They spoof the SYN segments with the victim's IP address as the source and send them to a massive number of random, legitimate servers all over the internet.

Each of these servers duly replies with a SYN-ACK to the victim's address. Retransmission does the rest: a server that gets no final ACK resends its SYN-ACK several times before giving up, so even a correctly configured reflector turns one spoofed SYN into several SYN-ACKs at the victim, and some misconfigured servers and middleboxes keep retransmitting and send hundreds or even thousands of responses.

As a result, the victim receives a massive amount of reflected SYN-ACK segments. From this point on it works exactly like the regular SYN-ACK flood described earlier: trying to work out what these segments are for, the target is overwhelmed and eventually becomes unreachable. The difference is that the sources are real, reachable servers rather than random spoofed addresses, so the victim cannot simply discard traffic from unallocated ranges.
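To see where the amplification comes from, the following added example (not code from the page or from Qrator) models a reflector population and the SYN-ACK retransmission schedule. It assumes a Linux-style schedule (first retransmission one second after the SYN-ACK, interval doubling, five retries by default), a constructed set of 100 such hosts plus three "broken" reflectors that retransmit at a fixed one-second interval 100 times as a stand-in for the over-responsive servers mentioned above, and one spoofed SYN per reflector. Nothing is sent; the script only counts what arrives at the victim per second.

```python
from collections import Counter

# Added example (not the page's code): models SYN-ACK reflection. The attacker sends
# one spoofed SYN, source = victim, to each reflector; each reflector replies with a
# SYN-ACK to the victim and retransmits it until it gives up. Assumptions: Linux-style
# schedule (first retransmission 1 s after the SYN-ACK, interval doubling), the
# reflector set below is constructed, and the "broken" reflectors that retransmit
# at a fixed interval stand in for the over-responsive servers the text mentions.


def synack_times(retries, rto=1.0, backoff=True):
    """Seconds after the SYN at which a reflector sends its SYN-ACK and each retransmit.

    retries=5 (the Linux default net.ipv4.tcp_synack_retries) with backoff gives
    [0, 1, 3, 7, 15, 31]: six SYN-ACKs to the victim for a single spoofed SYN.
    """
    times, t = [0.0], 0.0
    for i in range(retries):
        t += rto * (2 ** i) if backoff else rto
        times.append(t)
    return times


def constructed_reflectors():
    """Reflector IP -> (retries, exponential backoff?). Constructed, not measured."""
    reflectors = {f"203.0.113.{i}": (5, True) for i in range(100)}          # default Linux hosts
    reflectors.update({f"198.51.100.{i}": (100, False) for i in range(3)})  # broken: 101 pkts each
    return reflectors


def reflect(reflectors, syns_per_reflector=1):
    """Returns (victim inbound SYN-ACKs per second, packet amplification factor)."""
    inbound = Counter()
    syns_sent = 0
    for ip, (retries, backoff) in reflectors.items():
        for _ in range(syns_per_reflector):
            syns_sent += 1
            for t in synack_times(retries, backoff=backoff):
                inbound[int(t)] += 1
    return inbound, sum(inbound.values()) / syns_sent


def peak_pps(inbound):
    """Busiest one-second bucket at the victim."""
    return max(inbound.values())


if __name__ == "__main__":
    inbound, factor = reflect(constructed_reflectors())
    print(f"spoofed SYNs sent: 103, SYN-ACKs at victim: {sum(inbound.values())}, "
          f"amplification x{factor:.2f}, peak {peak_pps(inbound)} pkt/s")
    for sec in range(0, 8):
        print(f"t={sec}s: {inbound[sec]} SYN-ACKs")
```

With only default-configured reflectors the factor is already 6x in packets (a SYN-ACK is about the same size as the SYN that triggered it), and the three broken reflectors alone contribute a third of the total. Because the arrivals are spread over the retransmission schedule, a single burst of spoofed SYNs keeps hitting the victim for half a minute or more after the attacker stops sending.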

Impact on Business

DDoS attacks that abuse the TCP connection handshake procedure, such as SYN flood attacks, can be highly disruptive. A successful attack can cause severe downtime by overwhelming servers and network infrastructure, making online services unavailable to legitimate users.

This can result in significant financial losses, especially for organizations that rely heavily on online transactions and services, such as e-commerce businesses, financial institutions, online gaming companies, and more.

Recovering from an attack diverts resources that would otherwise go into business development and growth. Frequent or prolonged DDoS attacks can also lead to regulatory fines and legal liabilities, and a successful attack has longer-lasting consequences such as reputational damage and a loss of customer trust.

How to Protect from L3/L4 DDoS Attacks

One of the simplest ways to mitigate a DDoS attack is blackholing: traffic to the attacked prefix, or from the source ranges the attack appears to come from, is announced to a null route and discarded before it reaches the network. It is a last resort, because it also drops legitimate traffic in the same range; in its destination-based form it finishes the attacker's job for the targeted address and only protects the rest of the network.

SYN flood protection often involves rate limiting, which caps the volume of traffic reaching the target system. Limits are usually set per source address, so this method is ineffective against attacks that spread their packets over a large number of addresses, and in particular against spoofed floods, where every packet can carry a new source; it can also block legitimate users if the limits are set too low. On the host itself, SYN cookies (net.ipv4.tcp_syncookies on Linux) let the kernel answer a SYN without storing half-open state, which removes the backlog as a target but does nothing against a flood that saturates the link.
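The limitations of rate limiting are easy to reproduce. The script below is an added example, not the page's or Qrator's code: a per-source token bucket is run against constructed traffic consisting of 20 legitimate clients plus either a single-source flood or a spoofed flood, and then a shared (global) bucket is tried against the spoofed flood. The rates, bucket depths and traffic shapes are assumptions chosen to make the effect visible, not tuning advice.

```python
from collections import Counter
from itertools import chain

# Added example (not the page's code): a token-bucket SYN rate limiter keyed per
# source address, run against constructed traffic. Rates, bucket depths and the
# traffic shapes are assumptions chosen to show the effect, not tuning advice.


class PerSourceLimiter:
    """Classic per-IP token bucket: `rate` tokens/s refill, `burst` bucket depth."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.buckets = {}                      # src -> (tokens, last seen)

    def key(self, src):
        return src

    def allow(self, src, now):
        k = self.key(src)
        tokens, last = self.buckets.get(k, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[k] = (tokens - 1, now)
            return True
        self.buckets[k] = (tokens, now)
        return False


class GlobalLimiter(PerSourceLimiter):
    """One bucket shared by every source: stops spoofed floods, also throttles legit users."""

    def key(self, src):
        return "*"


def legit_traffic(clients=20, seconds=10, interval=0.5):
    """20 clients, one SYN every 0.5 s each (2 SYN/s per client), 400 SYNs in total."""
    return [(n * interval, f"192.0.2.{c}", True)
            for c in range(1, clients + 1) for n in range(int(seconds / interval))]


def single_source_flood(n=5000, seconds=10):
    """One real source sending 500 SYN/s."""
    return [(i * seconds / n, "203.0.113.66", False) for i in range(n)]


def spoofed_flood(n=5000, seconds=10):
    """500 SYN/s, every packet from a different (spoofed) source."""
    return [(i * seconds / n, f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", False)
            for i in range(n)]


def evaluate(limiter, *streams):
    """Replay streams in time order; returns (allowed per class, limiter table size)."""
    allowed = Counter()
    for t, src, legit in sorted(chain(*streams)):
        if limiter.allow(src, t):
            allowed["legit" if legit else "attack"] += 1
    return allowed, len(limiter.buckets)


if __name__ == "__main__":
    for name, limiter, attack in [
        ("per-IP vs single source", PerSourceLimiter(rate=10, burst=20), single_source_flood()),
        ("per-IP vs spoofed      ", PerSourceLimiter(rate=10, burst=20), spoofed_flood()),
        ("global vs spoofed      ", GlobalLimiter(rate=300, burst=600), spoofed_flood()),
    ]:
        allowed, entries = evaluate(limiter, legit_traffic(), attack)
        print(f"{name}: legit {allowed['legit']}/400 passed, "
              f"attack {allowed['attack']}/5000 passed, {entries} tracked sources")
```

Against a single noisy source the per-IP limiter does its job: all 400 legitimate SYNs pass and only about 120 of the 5000 flood packets get through. Against the spoofed flood the same limiter passes all 5000, because every packet starts a fresh bucket, and its own table grows to one entry per fake source, which makes the limiter a second exhaustible resource. The global bucket does stop most of the spoofed flood, but once it is drained it also discards most of the legitimate SYNs that arrive alongside the attack.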

SYN flood attack prevention also includes traffic filtering, which identifies and blocks malicious traffic while allowing legitimate traffic to pass through. This task is complex, and its success depends on the scale of the DDoS attack that the filtering solution can handle.

Scrubbing centers offer a scalable solution by diverting incoming traffic to specialized facilities for analysis and filtering. Malicious traffic is removed, and clean traffic is forwarded to the target system. These centers use advanced technologies and algorithms, and they have enough redundancy to handle large-scale attacks effectively.

Qrator.AntiDDoS provides comprehensive, always-on protection against both L3/L4 and L7 DDoS attacks through its global network of 15 scrubbing centers. Connected to Tier 1 or leading regional providers, our filtering centers offer BGP Anycast routing for efficient traffic distribution, ensuring real-time monitoring and filtering. Our distributed cloud infrastructure effectively mitigates attacks of any scale, while the pay-as-you-go model minimizes costs for customers.