Newbie's Corner: Background of a TCP SYN flood
Hey everyone,
I could have sworn I had posted this tutorial here before (I had signed up a while ago, then forgot my login ID after I went on a two-month summer vacation), but I did a few searches and couldn't find it, so here it is! This is aimed at the medium-newbies, so if you are a security guru then you won't learn anything from this. :)
------------------------
I decided to write this in scenario format (if I had to give it a name) so it would be a little easier to understand.
Bad Guy Boss 1 from Anonymous Company A decides he wants to tick off his rival Good Guy Boss 1 from Anonymous Company B. He reads all kinds of tutorials in script kiddie web sites and becomes fond of DoS attacks. He becomes interested in a specific one called, you guessed it, a TCP SYN flood. He heads on over to Anonymous Script Kiddie Tool Download Site 1 and decides to get a TCP SYN Flood tool.
A week later, he has "mastered" the art of "point-and-click attacking." He enters Good Guy Boss 1's personal workstation IP address into the Flood tool. He launches the attack, and, a minute later, the computer is offline and Good Guy Boss 1 is pulling his hair out, wondering how his computer could possibly have frozen.
Now, let's rewind time and take a look at what happened "Behind the Scenes."
Bad Guy Boss 1 entered the target's IP address and clicked the "attack button." After that, his computer sent what is called a TCP SYN packet to his victim's personal workstation. His victim's computer responded with a TCP SYN/ACK packet, opening the connection between the computers halfway. Instead of Bad Guy Boss 1's computer responding with a TCP ACK packet to complete the connection, it sent another TCP SYN packet. His victim's computer responded with another TCP SYN/ACK packet, opening yet another half-open connection. Bad Guy Boss 1's computer kept doing this over and over again, eventually filling up Good Guy Boss 1's personal workstation memory and crashing it.
If you didn't get that, below is a diagram explaining it somewhat.
Bad Guy >>>>> TCP SYN >>>>>> Good Guy
Bad Guy <<<< TCP SYN/ACK <<<< Good Guy
----------Half Open Connection-------Good Guy
Bad Guy >>>>> TCP SYN >>>>>> Good Guy
Bad Guy >>>>> *infinity >>>>>> Good Guy
Good Guy = Offline, Crashed
On a side note, I've seen other people relate the SYN-SYN/ACK-ACK packet exchange to "Hey"-"Hi"-"How's it goin'?" in casual conversations.
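To make the "half-open connections fill up the victim" idea concrete from the defender's side, here is an added toy model that is not part of the original post. It is not real kernel code: it assumes the listener keeps a fixed-size table of half-open connections (SYN seen, SYN/ACK sent, ACK not yet received) and reaps entries whose SYN/ACK has gone unanswered for a timeout. The backlog size, the timeout, the addresses and every packet record are constructed values. It replays three situations: a small flood with no reaping locks a real client out, reaping lets the client in once a slow flood has aged out, and a flood arriving faster than slots are reaped locks the client out again.

```python
# Added toy model of the half-open backlog described above; this is an
# illustration, not kernel code. The listener keeps a bounded table of
# half-open connections (SYN seen, SYN/ACK sent, ACK not yet received).
# Backlog size, timeout and all packet records below are constructed values.
from dataclasses import dataclass, field


@dataclass
class Listener:
    backlog_size: int            # half-open slots available (constructed)
    syn_timeout_ms: float        # unanswered SYN/ACK is reaped after this long
    half_open: dict = field(default_factory=dict)   # (src, sport) -> time SYN/ACK sent
    established: list = field(default_factory=list)
    dropped: int = 0             # SYNs refused because the table was full

    def _reap(self, now):
        # Free slots whose SYN/ACK has gone unanswered longer than the timeout.
        stale = [k for k, t in self.half_open.items() if now - t >= self.syn_timeout_ms]
        for k in stale:
            del self.half_open[k]

    def handle(self, pkt):
        now = pkt["time"]
        self._reap(now)
        key = (pkt["src"], pkt["sport"])
        if pkt["flags"] == "SYN":
            if key in self.half_open:
                return "SYN/ACK"          # retransmitted SYN reuses its slot
            if len(self.half_open) >= self.backlog_size:
                self.dropped += 1
                return "dropped"          # table full: the new client is refused
            self.half_open[key] = now
            return "SYN/ACK"              # step 2 of the handshake, slot taken
        if pkt["flags"] == "ACK" and key in self.half_open:
            del self.half_open[key]       # step 3 completes it and frees the slot
            self.established.append(key)
            return "established"
        return "ignored"


def half_open_by_source(listener):
    """Per-source count of half-open slots: one source holding most of the
    table while completing no handshakes is the pattern a defender looks for."""
    counts = {}
    for src, _ in listener.half_open:
        counts[src] = counts.get(src, 0) + 1
    return counts


def make_flood(count, interval_ms, src="10.0.0.66"):
    # Constructed: one source sends SYNs from fresh ports and never sends an ACK.
    return [{"time": i * interval_ms, "src": src, "sport": 40000 + i, "flags": "SYN"}
            for i in range(count)]


# Constructed: a legitimate client that arrives later and completes its handshake.
LEGIT = [{"time": 1005, "src": "10.0.0.7", "sport": 51000, "flags": "SYN"},
         {"time": 1105, "src": "10.0.0.7", "sport": 51000, "flags": "ACK"}]


def run(syn_timeout_ms, flood_count, flood_interval_ms, backlog_size=5):
    """Replay flood + legitimate traffic in time order and summarise the outcome."""
    listener = Listener(backlog_size, syn_timeout_ms)
    for pkt in sorted(make_flood(flood_count, flood_interval_ms) + LEGIT,
                      key=lambda p: p["time"]):
        listener.handle(pkt)
    return {"established": len(listener.established),
            "dropped": listener.dropped,
            "half_open": half_open_by_source(listener)}


if __name__ == "__main__":
    # No reaping: eight SYNs fill a five-slot table and the real client is refused.
    print("no timeout, short flood:", run(float("inf"), 8, 100))
    # Reaping stale slots lets the real client in once the slow flood has aged out.
    print("500 ms timeout, slow   :", run(500, 8, 100))
    # A flood arriving faster than slots are reaped still locks the client out.
    print("500 ms timeout, fast   :", run(500, 120, 10))
```

The `half_open_by_source` count is the toy counterpart of what you would check on a real Linux host with `ss -tan state syn-recv`: a table dominated by one source that never completes a handshake is the signature of this attack. Timeouts alone only help when the flood is slower than the backlog can be reaped, which is why the standard mitigation on Linux is SYN cookies (`net.ipv4.tcp_syncookies`), which let the server answer a SYN without holding a slot for it until the ACK arrives.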
-----------------------------------------------------
I guess I could have gone into a little more detail, but what do y'all think? This was my first tutorial (I have written 2 or 3 after this, put away somewhere).