ZyXEL Communications ZyWALL 300 User Manual

 Chapter 30 ADP
ZyWALL USG 300 User’s Guide
30.8.2.3  TCP SYN Flood Attack
Usually a client starts a session by sending a SYN (synchronize) packet to a server. The 
receiver returns an ACK (acknowledgment) packet and its own SYN, and then the initiator 
responds with an ACK (acknowledgment). After this handshake, a connection is established. 
Figure 343   TCP Three-Way Handshake
In a SYN flood attack, an attacker sends a series of SYN packets. Each packet causes the receiver to reply with a SYN-ACK response. The receiver then waits for the ACK that follows the SYN-ACK, and stores all outstanding SYN-ACK responses on a backlog queue. SYN-ACKs are only moved off the queue when an ACK comes back or when an internal timer ends the three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for other users.
Figure 344   SYN Flood
30.8.2.4  LAND Attack
In a LAND attack, hackers flood a network with SYN packets whose spoofed source IP address belongs to the network itself. This makes it appear as if the computers in the network sent the packets to themselves, so the network is unavailable while they try to respond to themselves.
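
The backlog queue behaviour from 30.8.2.3 and the LAND condition from 30.8.2.4 can be replayed over a packet list to see when each would be flagged. This is an added Python example, not part of the ZyXEL manual or the ZyWALL's ADP implementation; the addresses, the backlog limit of 5, the 3-second timer and the source-equals-destination test for LAND are assumptions chosen for illustration.

```python
from collections import defaultdict

SERVER = "203.0.113.5"  # constructed address (documentation range)

# Constructed sample capture: (time_ms, src_ip, src_port, dst_ip, dst_port, flags)
SAMPLE = [
    (0, "192.0.2.10", 40000, SERVER, 80, "S"),    # normal client SYN
    (100, "192.0.2.10", 40000, SERVER, 80, "A"),  # ...and its final ACK
]
# Eight SYNs from different sources that never send the final ACK
SAMPLE += [(1000 + 100 * i, f"198.51.100.{i + 1}", 1024 + i, SERVER, 80, "S")
           for i in range(8)]
SAMPLE += [
    (2000, SERVER, 80, SERVER, 80, "S"),           # source equals destination
    (5000, "192.0.2.11", 40001, SERVER, 80, "S"),  # arrives after the timer expired
]


def analyze(packets, backlog_limit=5, timeout_ms=3000):
    """Replay packets against a per-server backlog of half-open handshakes."""
    backlog = defaultdict(dict)  # (dst_ip, dst_port) -> {(src_ip, src_port): time_ms}
    alerts = []
    for ts, src, sport, dst, dport, flags in packets:
        queue = backlog[(dst, dport)]
        # The internal timer ends handshakes that never received an ACK.
        for client in [c for c, t in queue.items() if ts - t >= timeout_ms]:
            del queue[client]
        if flags == "S":
            if src == dst:
                # Assumed LAND test: the packet claims to come from its own target.
                alerts.append(("LAND", ts, dst))
            elif len(queue) >= backlog_limit:
                # Queue full: the receiver would ignore this SYN.
                alerts.append(("SYN_FLOOD", ts, dst))
            else:
                queue[(src, sport)] = ts
        elif flags == "A":
            queue.pop((src, sport), None)  # handshake completed, entry leaves the queue
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

The first five unanswered SYNs fill the queue, the next three are flagged, and the SYN at 5000 ms is accepted again because the timer has cleared the stale entries.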