nerdexam
EC-Council

312-50V13 · Question #156

When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN/ACK (synchronize acknowledge). The destination host must then

The correct answer is B. Attacker floods TCP SYN packets with random source addresses towards a victim host. A TCP SYN attack exploits the three-way handshake by flooding a target with SYN packets from spoofed source IP addresses, causing the target's connection queue to fill up while waiting for non-existent ACKs.

Submitted by ngozi_ng· Mar 6, 2026Denial-of-Service

Question

When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN/ACK (synchronize acknowledge). The destination host must then hear an ACK (acknowledge) of the SYN/ACK before the connection is established. This is referred to as the "TCP three-way handshake." While waiting for the ACK to the SYN ACK, a connection queue of finite size on the destination host keeps track of connections waiting to be completed. This queue typically empties quickly since the ACK is expected to arrive a few milliseconds after the SYN ACK. How would an attacker exploit this design by launching TCP SYN attack?

Options

  • AAttacker generates TCP SYN packets with random destination addresses towards a victim host
  • BAttacker floods TCP SYN packets with random source addresses towards a victim host
  • CAttacker generates TCP ACK packets with random source addresses towards a victim host
  • DAttacker generates TCP RST packets with random source addresses towards a victim host

How the community answered

(32 responses)
  • A
    16% (5)
  • B
    72% (23)
  • C
    3% (1)
  • D
    9% (3)

Why each option

A TCP SYN attack exploits the three-way handshake by flooding a target with SYN packets from spoofed source IP addresses, causing the target's connection queue to fill up while waiting for non-existent ACKs.

AAttacker generates TCP SYN packets with random destination addresses towards a victim host

Generating TCP SYN packets with random *destination* addresses would spread the attack across many potential targets, rather than focusing on overwhelming a single victim's connection queue effectively.

BAttacker floods TCP SYN packets with random source addresses towards a victim hostCorrect

An attacker launches a TCP SYN flood by sending numerous SYN packets to the victim server, each with a spoofed or random source IP address. This causes the victim to respond with a SYN-ACK to a non-existent host and allocate resources in its connection queue while waiting for a final ACK that will never arrive, eventually exhausting the queue and denying legitimate connections.

CAttacker generates TCP ACK packets with random source addresses towards a victim host

Generating TCP ACK packets from random source addresses would not initiate connections or fill the SYN queue, as ACK packets are part of an already established or expected connection, and systems typically drop ACKs without a prior SYN.

DAttacker generates TCP RST packets with random source addresses towards a victim host

Generating TCP RST packets would terminate existing connections, not exploit the SYN queue or initiate a denial-of-service attack based on the three-way handshake.

Concept tested: TCP SYN Flood attack

Source: https://learn.microsoft.com/en-us/azure/security/fundamentals/ddos-protection-overview

Topics

#TCP handshake#SYN flood#Denial-of-Service#packet spoofing

Community Discussion

No community discussion yet for this question.

Full 312-50V13 Practice