nerdexam
EC-Council

312-50V10 · Question #687

When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN/ACK (synchronize acknowledge). The destination host must then

The correct answer is B. Attacker floods TCP SYN packets with random source addresses towards a victim host. A TCP SYN flood attack exploits the three-way handshake by sending SYN packets with spoofed source addresses, exhausting the victim's connection queue and denying service to legitimate users.

Denial of Service

Question

When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN/ACK (synchronize acknowledge). The destination host must then hear an ACK (acknowledge) of the SYN/ACK before the connection is established. This is referred to as the "TCP three-way handshake." While waiting for the ACK to the SYN ACK, a connection queue of finite size on the destination host keeps track of connections waiting to be completed. This queue typically empties quickly since the ACK is expected to arrive a few milliseconds after the SYN ACK. How would an attacker exploit this design by launching TCP SYN attack?

Options

  • AAttacker generates TCP SYN packets with random destination addresses towards a victim host
  • BAttacker floods TCP SYN packets with random source addresses towards a victim host
  • CAttacker generates TCP ACK packets with random source addresses towards a victim host
  • DAttacker generates TCP RST packets with random source addresses towards a victim host

How the community answered

(25 responses)
  • A
    16% (4)
  • B
    72% (18)
  • C
    4% (1)
  • D
    8% (2)

Why each option

A TCP SYN flood attack exploits the three-way handshake by sending SYN packets with spoofed source addresses, exhausting the victim's connection queue and denying service to legitimate users.

AAttacker generates TCP SYN packets with random destination addresses towards a victim host

Sending SYN packets toward random destination addresses scatters traffic across many unrelated hosts rather than concentrating it to exhaust a single victim's connection queue.

BAttacker floods TCP SYN packets with random source addresses towards a victim hostCorrect

By flooding a victim with SYN packets using random spoofed source addresses, the victim sends SYN/ACK replies to non-existent hosts and never receives the final ACK, leaving connections half-open. This fills the finite connection queue until it overflows, preventing any legitimate TCP connections from being established - a classic denial-of-service condition.

CAttacker generates TCP ACK packets with random source addresses towards a victim host

Sending TCP ACK packets without a preceding SYN/ACK exchange causes the target to simply discard them, so no connection queue entries are created and no denial of service results.

DAttacker generates TCP RST packets with random source addresses towards a victim host

TCP RST packets are used to abruptly terminate already-established connections, not to fill the half-open connection queue that the SYN flood technique targets.

Concept tested: TCP SYN flood denial-of-service attack mechanics

Source: https://www.cisa.gov/news-events/news/understanding-denial-service-attacks

Topics

#SYN flood#TCP three-way handshake#DoS attack#connection queue exhaustion

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice