Figure 7-2. Unfinished Half-Open TCP Connection (Also Called Embryonic Connection)
SYN flood attacks are sometimes easy to identify because the target host (such as an HTTP or SMTP server) becomes extremely slow, crashes, or hangs. SYN floods are not the only vector, however; several other TCP flooding attacks work in a similar way. Most people focus on SYN floods as the critical attack vector, but in reality some SYN flood mitigation techniques open the door to other TCP-based attack vectors.
TCP attack vectors are varied and include the following:
SYN Flood
ACK Flood
SYN+ACK Flood
SYN+RST Flood
RST Flood
Established Flood
FIN Flood
TCP Options Flood
X-Tree Flood
There are two major types of SYN-flood attacks:
Nonspoofed source addresses: Easy to trace, usually launched from compromised hosts (user workstations, servers, and the like)
Spoofed source addresses: Difficult to trace, when spoofing invalid addresses from Bogon space (unallocated address range) or valid addresses from someone else's address blocks
SYN Round Trip Time (RTT) is the interval between the sending of SYN+ACK and reception of the corresponding ACK from the other host (receiver).
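The half-open (embryonic) state in Figure 7-2 and the SYN RTT definition above can both be measured from a packet trace. The following is an added example, not code from the book: it walks a constructed list of TCP handshake events, computes SYN RTT (SYN+ACK sent to ACK received) for completed handshakes, and counts the connections per server that never left the embryonic state, which is what a defender watches for during a SYN flood. The addresses, timestamps, and function names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample trace, not captured traffic: (time_s, src, dst, flags).
# Two clients complete the handshake; three sources never ACK the SYN+ACK,
# leaving embryonic connections on the server 192.0.2.10.
SAMPLE_TRACE = [
    (0.000, "10.0.0.5", "192.0.2.10", "SYN"),
    (0.010, "192.0.2.10", "10.0.0.5", "SYN+ACK"),
    (0.045, "10.0.0.5", "192.0.2.10", "ACK"),        # SYN RTT = 0.035 s
    (0.100, "10.0.0.6", "192.0.2.10", "SYN"),
    (0.105, "192.0.2.10", "10.0.0.6", "SYN+ACK"),
    (0.185, "10.0.0.6", "192.0.2.10", "ACK"),        # SYN RTT = 0.080 s
    (0.200, "198.51.100.1", "192.0.2.10", "SYN"),
    (0.201, "192.0.2.10", "198.51.100.1", "SYN+ACK"),
    (0.300, "198.51.100.2", "192.0.2.10", "SYN"),
    (0.301, "192.0.2.10", "198.51.100.2", "SYN+ACK"),
    (0.400, "198.51.100.3", "192.0.2.10", "SYN"),
    (0.401, "192.0.2.10", "198.51.100.3", "SYN+ACK"),
]


def analyze_handshakes(trace):
    """Track each (client, server) handshake through the trace.

    Returns (rtts, half_open): rtts maps (client, server) -> SYN RTT in
    seconds, measured from the server's SYN+ACK to the client's ACK;
    half_open is the set of (client, server) pairs still embryonic at the
    end of the trace (SYN+ACK sent, no ACK ever received)."""
    synack_sent = {}   # (client, server) -> time the server sent SYN+ACK
    rtts = {}
    for t, src, dst, flags in trace:
        if flags == "SYN+ACK":
            # src is the server answering, dst is the client being answered
            synack_sent[(dst, src)] = t
        elif flags == "ACK" and (src, dst) in synack_sent:
            # third leg of the handshake closes the half-open state
            rtts[(src, dst)] = round(t - synack_sent.pop((src, dst)), 3)
    return rtts, set(synack_sent)


def half_open_per_server(half_open):
    """Count embryonic connections per server: a climbing count with few
    completions is the SYN flood signature seen from the server side."""
    counts = defaultdict(int)
    for _client, server in half_open:
        counts[server] += 1
    return dict(counts)


if __name__ == "__main__":
    rtts, half_open = analyze_handshakes(SAMPLE_TRACE)
    print("SYN RTTs:", rtts)
    print("half-open per server:", half_open_per_server(half_open))
```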