Example of a Blended DDoS Attack: SYN and ACK Floods

Recently the Corero Security Operations Center (SOC) team observed a combined SYN Flood and ACK Flood attack that reached 75Gbps, targeting one of our customers that has large data centers across the globe. The chart below illustrates the volume and time duration of the attack, which was simultaneously launched on each of the customer’s data centers. Although it was relatively short-lived, the attack would have saturated the company’s network and associated server infrastructure, resulting in significant downtime, if not for the fact that the attack was automatically mitigated by the Corero SmartWall® Network Threat Defense System (TDS). This was a highly targeted, high bandwidth, but very short duration event; the attack lasted a few minutes. The only way of stopping this form of attack would be with an inline solution.

DDoS attacks come in various forms; there are at least 25 types, which are explained in the attack spectrum glossary on our website. Some attacks target traditional border infrastructure, while others target critical network services, other security technologies, or online business integrity. DDoS hackers have become more sophisticated, using a variety of techniques to pull off these attacks: Network Layer, Reflective/Amplified, Fragmented Packet, Application Layer, etc. Increasingly, hackers often launch blended attacks that combine three, four or five types of attacks at the same time. Corero SmartWall Threat Defense System (TDS) defends against all of them.

SYN floods and ACK floods are some of the most common types of attacks we see, and they target traditional border infrastructure. In a SYN Flood, a victim server, firewall or other perimeter defense receives SYN packets (often spoofed and most often from a botnet) at very high packet rates that can overwhelm the victim by consuming its resources. In most cases, if a server is protected by a firewall, the firewall will itself become a victim of the SYN flood and begin to flush its state table, knocking all good connections offline or, even worse, rebooting.

To remain up and running, some firewalls will begin to indiscriminately drop all good and bad traffic to the destination server being flooded. Some firewalls perform an Early Random Drop process blocking both good and bad traffic. SYN floods are often used to consume all network bandwidth as well as negatively impact routers, firewalls, IPS/IDS, SLB, WAF and the victim servers.

In an ACK DDoS attack (or ACK-PUSH Flood), attackers send spoofed ACK (or ACK-PUSH) packets at very high packet rates that do not belong to any current session in the firewall’s state table and/or the server’s connection list. The ACK flood exhausts a victim’s firewalls by forcing state-table lookups and depletes the server resources used to match these incoming packets to an existing flow.
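To make the two symptoms above concrete from the monitoring side, here is an added example (not Corero's product logic and not code from the original post) of a small detector that keeps a toy state table keyed on the TCP 4-tuple, counts pure SYNs per destination per one-second window, and counts ACK/PSH-ACK packets that match no entry in that table. The packet records, the address ranges, and the thresholds of 100 packets per window are all constructed assumptions for illustration; the input format is a simplified flow record, not a real capture.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # arrival time in seconds (constructed)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flag letters, e.g. "S", "SA", "A", "PA", "R", "F"


def session_key(p):
    """Direction-independent 4-tuple so both halves of a flow map to one entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def analyze(packets, window=1.0, syn_threshold=100, orphan_threshold=100):
    """Walk packets in time order with a toy firewall-style state table.

    Returns per-window SYN counts, per-window 'orphan' ACK counts (ACKs that
    match no known session) and the alerts those counts trigger.
    Thresholds are assumed values, not tuned figures."""
    state = set()
    syn_counts = defaultdict(Counter)     # window -> dst -> pure SYN count
    orphan_counts = defaultdict(Counter)  # window -> dst -> ACKs with no session
    for p in sorted(packets, key=lambda x: x.ts):
        w = int(p.ts // window)
        key = session_key(p)
        if "S" in p.flags and "A" not in p.flags:      # pure SYN: half-open entry
            syn_counts[w][p.dst] += 1
            state.add(key)
        elif "A" in p.flags and key not in state:       # ACK/PSH-ACK, no session
            orphan_counts[w][p.dst] += 1
        elif "R" in p.flags or "F" in p.flags:          # teardown removes the entry
            state.discard(key)
    alerts = []
    for w, c in sorted(syn_counts.items()):
        for dst, n in c.items():
            if n >= syn_threshold:
                alerts.append((w, dst, "syn_flood", n))
    for w, c in sorted(orphan_counts.items()):
        for dst, n in c.items():
            if n >= orphan_threshold:
                alerts.append((w, dst, "ack_flood", n))
    return {"syn": syn_counts, "orphan": orphan_counts, "alerts": alerts}


VICTIM = "203.0.113.10"   # constructed address from the documentation range


def build_sample():
    """Constructed sample: three legitimate handshakes, then a SYN burst in
    second 0 and a burst of session-less ACKs in second 1, all aimed at VICTIM."""
    pkts = []
    for i in range(3):
        c = f"198.51.100.{i + 1}"
        pkts += [Packet(0.10 + i, c, 40000 + i, VICTIM, 443, "S"),
                 Packet(0.11 + i, VICTIM, 443, c, 40000 + i, "SA"),
                 Packet(0.12 + i, c, 40000 + i, VICTIM, 443, "A"),
                 Packet(0.13 + i, c, 40000 + i, VICTIM, 443, "PA")]
    for i in range(300):   # one SYN each from many distinct sources
        pkts.append(Packet(0.5 + i / 1000, f"192.0.2.{i % 250 + 1}",
                           1024 + i, VICTIM, 443, "S"))
    for i in range(250):   # ACKs with no preceding handshake
        pkts.append(Packet(1.5 + i / 1000, f"192.0.2.{i % 250 + 1}",
                           2048 + i, VICTIM, 443, "A"))
    return pkts


if __name__ == "__main__":
    for w, dst, kind, n in analyze(build_sample())["alerts"]:
        print(f"window {w}: {kind} toward {dst} ({n} packets)")
```

The legitimate connections never raise an orphan count because their SYN created a state entry first; the ACK burst does, because no SYN ever opened a session for those 4-tuples. A real state table would also expire half-open entries after a timeout, which this sketch omits.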

Obviously, during such attacks, a firewall is easily compromised, offering no defense to servers downstream. Corero technology blocks the bad traffic and allows all normal/good traffic to pass through. For more on this topic, watch our video on blended DDoS attacks.
