SYN floods can take various forms, and many of them do not seriously affect the attacked system. One of the more damaging variants, however, is the SYN-ACK flood, in which the client address in the spoofed packets refers to a system that did not initiate the connection (often one that does not exist at all). The same attack is sometimes referred to as a SYN-ACK-ACK flood.
A SYN-ACK flood consists of repeatedly sending a server spoofed SYN-ACK packets that do not belong to any current session in the server’s connection table. For each one the server must look the packet up, find no matching half-open connection and answer it (normally with a RST), spending processing power on packets that arrive out of order with respect to the TCP three-way handshake.
In the reflected form the SYN-ACK traffic is not directed back at the malicious client or botnet that sent the spoofed SYNs, but at the victim’s network. This tends to exhaust the victim’s firewalls, because every single incoming SYN-ACK packet forces a state-table lookup in an attempt to match it to an existing flow.
The victim’s server is thus overwhelmed with handling the attack traffic and its resources are depleted, along with those of the router and IDS/IPS devices in the path, which results in a DoS to legitimate traffic for as long as the attack lasts.
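The following is an added example, not code from the original article or from any vendor, that models the behaviour described above: a stateful flow table that records outbound SYNs, looks up every inbound SYN-ACK against it, answers unmatched ones with a RST and counts unsolicited SYN-ACKs per source address against a threshold. The packet records, addresses and the `analyze` and `build_sample` functions are constructed for illustration; nothing is captured from a real network.

```python
from collections import Counter, namedtuple

# Constructed packet records (not real captures): direction as seen from the
# protected host, the TCP 4-tuple, and the TCP flag bits.
Packet = namedtuple("Packet", "direction src sport dst dport flags")

SYN, RST, ACK = 0x02, 0x04, 0x10
SYN_ACK = SYN | ACK


def build_sample():
    """One legitimate handshake followed by a burst of unsolicited SYN-ACKs."""
    pkts = [
        Packet("out", "10.0.0.5", 40000, "203.0.113.10", 443, SYN),
        Packet("in", "203.0.113.10", 443, "10.0.0.5", 40000, SYN_ACK),
        Packet("out", "10.0.0.5", 40000, "203.0.113.10", 443, ACK),
    ]
    # Flood: SYN-ACKs arriving for client ports from which no SYN was ever
    # sent, as a reflector would produce after receiving spoofed SYNs.
    for i in range(20):
        pkts.append(Packet("in", "198.51.100.7", 80, "10.0.0.5", 50000 + i, SYN_ACK))
    return pkts


def analyze(packets, threshold=10):
    """Replay packets through a minimal flow table and report the cost.

    threshold: number of unsolicited SYN-ACKs from one source address after
    which that address is flagged (a per-source limit of the kind vendor
    screens apply; the value here is an illustrative assumption).
    """
    half_open = set()        # 4-tuples with an outbound SYN, awaiting SYN-ACK
    established = set()      # 4-tuples whose SYN-ACK matched a pending SYN
    unsolicited = Counter()  # unmatched SYN-ACKs per remote source address
    lookups = 0              # state-table lookups forced by inbound SYN-ACKs
    rst_sent = 0             # RSTs the host sends for unmatched SYN-ACKs

    for p in packets:
        if p.direction == "out" and p.flags == SYN:
            half_open.add((p.src, p.sport, p.dst, p.dport))
        elif p.direction == "in" and p.flags == SYN_ACK:
            # Every inbound SYN-ACK costs a lookup on the reversed 4-tuple,
            # whether or not anything matches.
            lookups += 1
            reverse = (p.dst, p.dport, p.src, p.sport)
            if reverse in half_open:
                half_open.discard(reverse)
                established.add(reverse)
            else:
                # No pending SYN for this tuple: the packet is out of state,
                # the host replies with RST and the work was wasted.
                unsolicited[p.src] += 1
                rst_sent += 1
        # Other packets (e.g. the final ACK) are outside this model.

    flagged = sorted(ip for ip, n in unsolicited.items() if n >= threshold)
    return {
        "established": len(established),
        "lookups": lookups,
        "rst_sent": rst_sent,
        "unsolicited": dict(unsolicited),
        "flagged": flagged,
    }


if __name__ == "__main__":
    print(analyze(build_sample()))
```

Run as a script it replays the constructed sample: the single legitimate SYN-ACK is matched and moved to the established set, while all twenty flood packets miss the table, each costing a lookup and a RST, and the reflector address crosses the threshold. The same loop can be fed records parsed from a packet capture; the point is that the cost of the attack lies in the per-packet lookup and reply, not in any state the victim keeps.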
Mitigation strategies are similar to those for a SYN flood: SYN cookies, controlling the size of the TCP backlog queue, or recycling the oldest half-open TCP connection. Note that these measures limit the resources consumed by half-open connections; an unsolicited SYN-ACK creates no half-open state on the victim, so its cost is the per-packet lookup and the RST sent in reply, and dropping out-of-state SYN-ACKs as early and as cheaply as possible (at the edge router or firewall, with rate limiting of the resulting RSTs) matters at least as much.
During an attack it is essential that legitimate requests remain in the queue long enough to receive their responses so that they can be moved to the established-connections queue. High-latency or low-speed links increase the time a packet must wait for a response, so slower connections are at higher risk of being evicted before the handshake completes.
According to Juniper Networks, one mitigation strategy is to enable the SYN-ACK-ACK proxy protection screen:
“After the number of connections from the same IP address reaches the SYN-ACK-ACK proxy threshold, Junos OS rejects further connection requests from that IP address. By default, the threshold is 512 connections from any single IP address. You can change this threshold (to any number between 1 and 250,000) to better suit the requirements of your network environment.”
SYN-ACK floods are often used as a smokescreen for more advanced attacks: the continuous stream of SYN-ACK packets towards a target keeps its state tables and inspection devices saturated, so other malicious traffic is more likely to pass unnoticed.
There are various other kinds of ACK flood, including the plain ACK flood, the ACK-PUSH flood and the ACK fragmentation flood.