Thread: The Structure of a TCP SYN Flood

  1. #1
    Junior Member
    Join Date
    Jul 2002
    Posts
    21

    The Structure of a TCP SYN Flood

    After reading prodikal's post on DoS attacks, I got the idea to post a tutorial on what goes on in the background during a TCP SYN flood, since prodikal didn't mention this type of DoS attack.

    I decided to write this in scenario format (if I had to give it a name) so it would be a little easier to understand.

    First of all, Bad Dude Boss 1 from Anonymous Company A decides he wants to tick off Good Dude Boss 1 from Anonymous Company B. He reads all kinds of tutorials in script kiddie web sites and becomes fond of DoS attacks. He becomes interested in a specific one called, you guessed it, a TCP SYN flood. He heads on over to Anonymous Script Kiddie Tool Download Site 1 and decides to get a TCP SYN Flood tool.

    A week later, he has "mastered" the art of "point-and-click attacking." He enters Good Dude Boss 1's personal workstation IP address into the Flood tool and spoofs his IP to be his victim's. He launches the attack, and, a minute later, the computer is offline and Good Dude Boss 1 is pulling his hair out, wondering how his FreeBSD box could possibly have frozen.

    Now, let's rewind time and take a look at what happened "Behind the Scenes."

    Bad Dude Boss 1 entered the IPs and clicked the "attack button." After that, his computer sent what is called a TCP SYN packet to his victim's personal workstation. His victim's computer responded with a TCP SYN/ACK packet, opening the connection between the computers halfway. Instead of Bad Dude Boss 1's computer responding with a TCP ACK packet to complete the connection, it sends another TCP SYN packet. His victim's computer responds with another TCP SYN/ACK packet, opening yet another half connection. Bad Dude Boss 1's computer keeps doing this over and over again, eventually filling up Good Dude Boss 1's personal workstation memory and crashing it. Below is an ASCII diagram explaining it somewhat.

    Bad Dude >>>>>TCP SYN>>>>>>Good Dude
    Bad Dude <<<<TCP SYN/ACK<<<<Good Dude
    Bad Dude >>>>>TCP SYN>>>>>>Good Dude
    Bad Dude >>>>>*infinitum>>>>>Good Dude
    Good Dude = Offline, Crashed

    I hope this explains what goes on behind the scenes well enough.
    ___
    Ben
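
    The post above describes the victim's side of a SYN flood from the defender's point of view: each unanswered SYN occupies a slot in the listener's backlog until the handshake completes, and a SYN whose SYN/ACK went to a spoofed address never completes. The following Python model is an added example, not code from the thread or its author. It replays a constructed inbound packet trace through a toy listener twice: once with a fixed-size backlog (the situation the post describes, where the backlog fills and a legitimate client gets locked out) and once with SYN cookies, where the server stores no state until an ACK returns the expected cookie. The addresses, ports, secret and backlog size are all constructed for the demonstration; the cookie is an HMAC over the connection tuple, which stands in for the ISN-encoding real stacks use.

```python
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed demo values; none of these are from the thread.
SERVER = "192.0.2.10"            # the listening host ("Good Dude")
SPOOFED_SRC = "198.51.100.7"     # source address forged on the flood SYNs
LEGIT_CLIENT = "203.0.113.5"     # a real client trying to connect
SECRET = b"constructed-demo-secret"   # a real stack rotates this regularly


@dataclass
class Packet:
    t: float                 # seconds since start of the trace
    src: str                 # source IP
    sport: int               # source port
    dst: str                 # destination IP
    flags: str               # "SYN" or "ACK" (inbound side only)
    ack: Optional[int] = None  # acknowledgement number carried on an ACK


def syn_cookie(src: str, sport: int, dst: str) -> int:
    """Stateless cookie the server would use as its SYN/ACK sequence number."""
    mac = hmac.new(SECRET, f"{src}:{sport}->{dst}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


def run_listener(packets, server, backlog_limit, syn_cookies=False):
    """Replay inbound packets through a model of one listening socket.

    Without SYN cookies every SYN consumes a backlog slot until the matching
    ACK arrives; if the SYN/ACK went to a spoofed address that ACK never comes.
    With SYN cookies nothing is stored on SYN, so the backlog cannot fill.
    Returns (stats, half_open) where half_open maps (src, sport) -> SYN time.
    """
    half_open = {}
    stats = Counter()
    for p in packets:
        if p.dst != server:
            continue
        key = (p.src, p.sport)
        if p.flags == "SYN":
            stats["syn"] += 1
            if syn_cookies:
                continue  # SYN/ACK carries the cookie as ISN; no state kept
            if len(half_open) >= backlog_limit:
                stats["dropped"] += 1  # backlog full: new clients are refused
                continue
            half_open[key] = p.t
        elif p.flags == "ACK":
            if syn_cookies:
                if p.ack == syn_cookie(p.src, p.sport, server) + 1:
                    stats["completed"] += 1
                else:
                    stats["bad_cookie"] += 1
            elif key in half_open:
                del half_open[key]
                stats["completed"] += 1
    stats["half_open_at_end"] = len(half_open)
    return stats, half_open


def stale_sources(half_open, now, min_age=3.0):
    """Defender's view: count half-open entries older than min_age per source.
    A source that accumulates many stale entries is the flood signature."""
    return Counter(src for (src, _), t in half_open.items() if now - t >= min_age)


def build_trace():
    """Constructed trace: ten spoofed SYNs, then one legitimate handshake."""
    pkts = [Packet(0.1 * i, SPOOFED_SRC, 40000 + i, SERVER, "SYN") for i in range(10)]
    pkts.append(Packet(2.0, LEGIT_CLIENT, 51000, SERVER, "SYN"))
    pkts.append(Packet(2.1, LEGIT_CLIENT, 51000, SERVER, "ACK",
                       ack=syn_cookie(LEGIT_CLIENT, 51000, SERVER) + 1))
    return pkts


if __name__ == "__main__":
    trace = build_trace()
    plain, table = run_listener(trace, SERVER, backlog_limit=8)
    print("backlog only :", dict(plain))
    print("stale sources:", dict(stale_sources(table, now=5.0)))
    cookies, _ = run_listener(trace, SERVER, backlog_limit=8, syn_cookies=True)
    print("SYN cookies  :", dict(cookies))
```

    In the backlog-only run the eight slots fill with spoofed half-open entries, the remaining spoofed SYNs and the legitimate SYN are dropped, and nothing completes; `stale_sources` attributes all eight stale entries to the one forged address, which is the signal a monitoring rule would alert on. In the SYN-cookie run the legitimate handshake completes and the half-open table stays empty.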

  2. #2
    As far as I know, you got 1 thing wrong.
    The "Bad Dude <<<<TCP SYN/ACK<<<<Good Dude" part is supposed to be:
    "Spoofed IP <<<<TCP SYN/ACK<<<<Good Dude"
    but don't kill me if I'm wrong.

  3. #3
    Junior Member
    Join Date
    Jul 2002
    Posts
    21
    Whoops, thanks for catching that. I just removed the part about the spoofed IP.

    In case the person who gave me negatives doesn't understand (I read the comments), this tutorial is aimed at newbies, not the seasoned security expert.