Diagram Source: https://flylib.com/books/en/188.8.131.52/1/
The state transition and time sequence of the TCP 3-Way Handshake Process.
- SYN_RCVD: the server has received the client's SYN and has sent SYN+ACK back to the client
- ESTABLISHED: the server has received the client's ACK and sends nothing back.
TCP SYN Flooding Attacks
TCP SYN flooding attacks exhaust the memory a server sets aside for half-open connections so that no new connections can be established; they do this by abusing the TCP three-way handshake.
The SYN flooding attack is a denial-of-service method affecting hosts that run TCP server processes. The attack takes advantage of the state retention TCP performs for some time after receiving a SYN segment to a port that has been put into the LISTEN state.
The basic idea is to exploit this behavior by causing a host to retain enough state for bogus half-connections that there are no resources left to establish new legitimate connections. (RFC 4987)
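The following is an added example, not code from the page or from RFC 4987. It models the server side of the handshake (LISTEN -> SYN_RCVD -> ESTABLISHED) with a bounded half-open table, replays a constructed trace in which spoofed SYNs fill that table and a legitimate client is refused, and runs a simple, assumed detection heuristic: the fraction of SYNs on the wire that are followed by the completing ACK. The `backlog`, `timeout`, threshold values and all addresses (documentation ranges) are constructed.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    t: float    # arrival time in seconds (constructed)
    src: str    # source address (constructed sample values)
    sport: int  # source port
    flags: str  # "S" = SYN from client, "A" = final ACK from client


class Listener:
    """Server side of the handshake: LISTEN -> SYN_RCVD -> ESTABLISHED.

    A SYN moves the connection into SYN_RCVD and the server retains an entry
    for it (the state retention RFC 4987 describes) until the client's ACK
    arrives or the entry times out. At most `backlog` half-open entries are
    kept; once the table is full, further SYNs are dropped, which is the
    resource exhaustion a SYN flood aims for.
    """

    def __init__(self, backlog=4, timeout=30.0):
        self.backlog = backlog
        self.timeout = timeout
        self.half_open = OrderedDict()  # (src, sport) -> time the SYN arrived
        self.established = []
        self.dropped = []               # SYNs refused because the table was full

    def _expire(self, now):
        for key, t0 in list(self.half_open.items()):
            if now - t0 > self.timeout:
                del self.half_open[key]  # give up on the half-open connection

    def receive(self, seg):
        self._expire(seg.t)
        key = (seg.src, seg.sport)
        if seg.flags == "S":
            if key in self.half_open:
                return "SYN_RCVD"        # retransmitted SYN: SYN+ACK resent
            if len(self.half_open) >= self.backlog:
                self.dropped.append(key)
                return "DROPPED"
            self.half_open[key] = seg.t  # LISTEN -> SYN_RCVD, SYN+ACK sent
            return "SYN_RCVD"
        if seg.flags == "A" and key in self.half_open:
            del self.half_open[key]      # SYN_RCVD -> ESTABLISHED
            self.established.append(key)
            return "ESTABLISHED"
        return "IGNORED"                 # ACK with no matching half-open entry


def handshake_completion(segments):
    """Assumed detector heuristic: count SYNs and how many were completed by
    a matching ACK. It counts traffic as seen on the wire, so it still works
    when the flood uses spoofed sources that a per-source counter would never
    see twice."""
    syns, completed, pending = 0, 0, set()
    for seg in segments:
        key = (seg.src, seg.sport)
        if seg.flags == "S":
            syns += 1
            pending.add(key)
        elif seg.flags == "A" and key in pending:
            pending.discard(key)
            completed += 1
    return syns, completed


def is_syn_flood(segments, min_syns=8, min_completion=0.5):
    """Flag a window whose SYN volume is high and whose completion rate is low."""
    syns, completed = handshake_completion(segments)
    return syns >= min_syns and completed / syns < min_completion


# Constructed sample trace: one legitimate handshake, six SYNs from spoofed
# sources that never complete, a legitimate client refused while the table
# is full, and another legitimate client once the half-open entries expire.
SAMPLE_TRACE = [
    Segment(0.0, "192.0.2.10", 40000, "S"),
    Segment(0.1, "192.0.2.10", 40000, "A"),
    *[Segment(1.0 + i * 0.01, f"198.51.100.{i}", 50000 + i, "S") for i in range(6)],
    Segment(2.0, "192.0.2.11", 40001, "S"),
    Segment(40.0, "192.0.2.12", 40002, "S"),
    Segment(40.1, "192.0.2.12", 40002, "A"),
]


def run_trace(segments=SAMPLE_TRACE, backlog=4):
    """Replay a trace through the listener and return it with the outcomes."""
    listener = Listener(backlog=backlog)
    outcomes = [listener.receive(seg) for seg in segments]
    return listener, outcomes


if __name__ == "__main__":
    listener, outcomes = run_trace()
    print("outcomes:", outcomes)
    print("established:", listener.established)
    print("dropped:", listener.dropped)
    print("flood suspected:", is_syn_flood(SAMPLE_TRACE))
```

With a backlog of four, the six spoofed SYNs leave two dropped and the table full, so the legitimate SYN at t=2.0 is also refused; only after the timeout does the next client get through. The completion heuristic sees 9 SYNs and 2 completed handshakes for the whole trace and flags it, while the two-segment legitimate-only prefix is not flagged. Real detectors (such as the SYN-FIN pairing in the "Detecting SYN Flooding Attacks" references below) refine this idea with per-window statistics rather than one global ratio.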
- Flooding and Amplification
- TCP/IP Illustrated, Vol. 1: The Protocols (Addison-Wesley Professional Computing Series)
- SYN Flood
- TCP SYN Flood
- TCP SYN Flooding Attacks and Common Mitigations (RFC 4987)
- Review of SYN-Flooding Attack Detection Mechanism
- Detecting SYN Flooding Attacks
- Detecting SYN Flooding Attacks (Slides)
- Detecting SYN flooding attacks based on traffic prediction
- An Accurate Sampling Scheme for Detecting SYN Flooding Attacks and Portscans
- DoS attacks targeting SIP server and improvements of robustness
- How to Perform TCP SYN Flood DoS Attack & Detect It with Wireshark – Kali Linux hping3