The Structure of a TCP SYN Flood
Results 1 to 3 of 3

Thread: The Structure of a TCP SYN Flood

  1. #1
    Junior Member
    Join Date
    Jul 2002
    Posts
    21

    The Structure of a TCP SYN Flood

    After reading prodikal's post on DoS attacks, I got the Idea to post a tutorial on what goes on in the background during a TCP SYN flood, since prodikal didn't mention this type of DoS attack.

    I decided to write this in scenario format (if I had to give it a name) so it would be a little easier to understand.

    First of all, Bad Dude Boss 1 from Anonymous Company A decides he wants to tick off Good Dude Boss 1 from Anonymous Company B. He reads all kinds of tutorials in script kiddie web sites and becomes fond of DoS attacks. He becomes interested in a specific one called, you guessed it, a TCP SYN flood. He heads on over to Anonymous Script Kiddie Tool Download Site 1
    and decides to get a TCP SYN Flood tool.

    A week later, he has "mastered" the art of "point-and-click attacking." He enters Good Dude Boss 1's personal workstation IP address into the Flood tool and spoofs his IP to be his victim's. He launches the attack, and, a minute later, the computer is offline and Good Dude Boss 1 is pulling his hair out, wondering how his FreeBSD box could possibly have frozen.

    Now, let's rewind time and take a look at what happened "Behind the Scenes."

    Bad Dude Boss 1 entered the IP's and clicked the "attack button." After that, his computer send what is called a TCP SYN packet to his victim's personal workstation. His victim's computer responded with a TCP SYN/ACK packet, opening the connection between the computers half way. Instead of Bad Dude Boss 1's computer responding with a TCP ACK packet to complete the connection, it sends another TCP SYN packet. His victim's computer responds with another TCP SYN/ACK packet, opening yet another half connection. Bad Dude Boss 1's computer keeps doing this over and over again, eventually filling up Good Dude Boss 1's personal workstation memory and crashing it. Below is an ASCII diagram explaining it somewhat.

    Bad Dude >>>>>TCP SYN>>>>>>Good Dude
    Bad Dude <<<<TCP SYN/ACK<<<<Good Dude
    Bad Dude >>>>>TCP SYN>>>>>>Good Dude
    Bad Dude >>>>>*infinitum>>>>>Good Dude
    Good Dude = Offline, Crashed

    I hope this explains what goes on behind the scenes well enough.
    ___
    Ben

  2. #2
    Member
    Join Date
    May 2002
    Posts
    40
    As far as i know, You got 1 thing wrong.
    The "Bad Dude <<<<TCP SYN/ACK<<<<Good Dude" part is supposed to be :
    "Spoofed IP <<<<TCP SYN/ACK<<<<Good Dude "
    but dont kill me if im wrong

  3. #3
    Junior Member
    Join Date
    Jul 2002
    Posts
    21
    Woops, thanks for catching that. I just removed the part about the spoofed IP.

    In case the person who gave me negatives doesn't understand (I read the comments), this tutorial is aimed at newbies, not the seasoned security expert.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •