TCP Connection Flood Attack

 A TCP Connection Flood Attack is a type of Distributed Denial-of-Service (DDoS) attack that aims to overwhelm a target system by exploiting the TCP protocol’s connection-handling mechanisms. By inundating a server with a massive number of connection requests, the attacker consumes server resources, rendering the system unresponsive to legitimate traffic.

How It Works

The attack leverages the TCP three-way handshake process, which involves the following steps:

  1. SYN: The client sends a synchronization (SYN) packet to the server to initiate a connection.

  2. SYN-ACK: The server responds with a synchronization-acknowledgment (SYN-ACK) packet.

  3. ACK: The client sends an acknowledgment (ACK) packet back to the server, completing the handshake.

There are two main flavours for this attack:

  1. Half-open connection in which the attacker sends a flood of SYN packets but deliberately does not complete the handshake by sending the final ACK. This leaves the server with numerous half-open connections, consuming its resources and preventing it from accepting new, legitimate connections. 
  2. Full connection in which the attacker completes the final ACK in the three way handshake, but does not maintain the connection on the attacker side. 

Impact

  • Resource Exhaustion: The server allocates memory and processing power to manage each half-open connection, leading to resource depletion.

  • Service Disruption: Legitimate users experience delays or inability to connect to the server.

  • Infrastructure Overload: Network devices like firewalls and load balancers may also become overwhelmed, amplifying the attack’s effect. 

Mitigation Strategies

  • SYN Cookies: A technique where the server does not allocate resources until the handshake is completed, mitigating the impact of half-open connections. 

  • Rate Limiting: Restricting the number of incoming SYN requests from a single IP address to prevent flooding.

  • Load Balancers: Distributing incoming traffic across multiple servers to manage load effectively.

  • Timeout Reduction: Decreasing the time the server waits for the final ACK in the handshake, freeing up resources more quickly.


by Sergei Penchuk, CISSP

Popular posts from this blog

Startups Need to Cyber Up as Early as Pre-Seed!

Startups Need to Cyber Up as Early as Pre-Seed! 10 Cyber Takeaways for Early-Stage Startups to Win New Customers You start with a great idea, a talented team, and a sharp market fit. You decide to launch a startup venture to fulfill this passion. Fun! If you just got started—congrats! You’re in the Pre-Seed stage. As early as this stage may be, here are our top cybersecurity decisions you should be making to set yourself apart from the crowd and grow your appeal to venture capitalists and customers alike! Create a Security and Privacy Policy Creating a security and privacy policy for your company and adding it to your website will position you as a mature organization that takes security risks seriously. This shouldn’t be a pricey task—consider seeking direction from AI tools. Scan Your Code With SAST and SCA Tools It’s a small effort that allows you to spot security issues early in development. You can use a free tier from vendors like Snyk or CodeQL from GitHub. Mind Your Tech Co...
Read more

DDoS Attacks on Enterprises Surge

 Large-Scale Assaults Demand High Sophistication and Vast Botnets “The weakest point in the enemy’s position must be sought out and attacked with the greatest determination.” Carl von Clausewitz DDoS attacks exploit two main concepts: Focus – Find a vulnerability on the victim’s side and direct all of your attack power toward it. Amplification – Use resources from other hosts on the internet to boost your attack. There are mainly four types of DDoS attacks: Volume, Infrastructure (protocol), Application, and Advanced . Volume attacks are fairly simple—many machines worldwide send large amounts of data to the target, saturating its bandwidth. It’s one of the most mature and well-known attack types, and many vendors are adept at mitigating it. High traffic volume is typically achieved by amplifying requests through vulnerable servers on the internet that rely on the stateless UDP protocol. These servers accept a small request from the attacker but respond with large data packets...
Read more

Understanding SCA in Few Sentences

Understanding Software Composition Analysis (SCA) in Few Sentences Software Composition Analysis (SCA) is a security methodology aimed at managing the risks associated with the use of third-party and open-source components in a software application. These components, while useful for rapid development, can introduce vulnerabilities that may be exploited by malicious actors. SCA is crucial in identifying these weaknesses as part of an integrated DevSecOps pipeline.  How SCA is Performed 1. Inventory Creation: The first step involves generating a Bill of Materials (BoM), listing all the components, libraries, and dependencies used in the application. 2. Static Analysis: Using this BoM, SCA tools scan the components against known vulnerability databases like NVD (National Vulnerability Database) to identify potential issues. 3. License Compliance Check: SCA tools also examine each component for licensing requirements to ensure legal compliance. 4. Continuous Monitoring: Vulnerabil...
Read more