312-50V10 · Question #687
When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN/ACK (synchronize acknowledge). The destination host must then
The correct answer is B. Attacker floods TCP SYN packets with random source addresses towards a victim host. A TCP SYN flood attack exploits the three-way handshake by sending SYN packets with spoofed source addresses, exhausting the victim's connection queue and denying service to legitimate users.
Question
When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN/ACK (synchronize acknowledge). The destination host must then hear an ACK (acknowledge) of the SYN/ACK before the connection is established. This is referred to as the "TCP three-way handshake." While waiting for the ACK to the SYN ACK, a connection queue of finite size on the destination host keeps track of connections waiting to be completed. This queue typically empties quickly since the ACK is expected to arrive a few milliseconds after the SYN ACK. How would an attacker exploit this design by launching TCP SYN attack?
Options
- AAttacker generates TCP SYN packets with random destination addresses towards a victim host
- BAttacker floods TCP SYN packets with random source addresses towards a victim host
- CAttacker generates TCP ACK packets with random source addresses towards a victim host
- DAttacker generates TCP RST packets with random source addresses towards a victim host
How the community answered
(25 responses)- A16% (4)
- B72% (18)
- C4% (1)
- D8% (2)
Why each option
A TCP SYN flood attack exploits the three-way handshake by sending SYN packets with spoofed source addresses, exhausting the victim's connection queue and denying service to legitimate users.
Sending SYN packets toward random destination addresses scatters traffic across many unrelated hosts rather than concentrating it to exhaust a single victim's connection queue.
By flooding a victim with SYN packets using random spoofed source addresses, the victim sends SYN/ACK replies to non-existent hosts and never receives the final ACK, leaving connections half-open. This fills the finite connection queue until it overflows, preventing any legitimate TCP connections from being established - a classic denial-of-service condition.
Sending TCP ACK packets without a preceding SYN/ACK exchange causes the target to simply discard them, so no connection queue entries are created and no denial of service results.
TCP RST packets are used to abruptly terminate already-established connections, not to fill the half-open connection queue that the SYN flood technique targets.
Concept tested: TCP SYN flood denial-of-service attack mechanics
Source: https://www.cisa.gov/news-events/news/understanding-denial-service-attacks
Topics
Community Discussion
No community discussion yet for this question.