The new tsunami SYN floods (and how you can protect yourself)

People tend to think that there’s bad news, and there’s good news. But as the pessimists among us – or shall we call them, the realists – suggest, in this world there tends to be only bad news, and worse news.

For instance, bad news is that according to the security firm Incapsula, through 2013 and the beginning of 2014 the most common method of DDoS attack was SYN flood attacks. The worse news is that in the last two months, hackers have found a way to make SYN flood attacks even bigger and badder. Enter the tsunami SYN flood attack. Here’s what you need to know about both types of flood attacks, and what you can do to protect yourself.

Your basic SYN flood attack

SYN flood attacks have been around for about as long as DDoS attacks have. In other words, way too long. As we mentioned, a SYN flood attack – which is examined in detail in the link – is just what it sounds like: a DDoS attack that floods a targeted server, overwhelming it and rendering it unable to provide service to legitimate users. A SYN flood attack could even cause a server to malfunction or crash.

In terms of the nitty-gritty of how a SYN flood attack works, the hacker sends TCP connection requests to the targeted server more quickly than the server can process them. The hacker sends repeated SYN packets to every port on the server. Not only does this cause network saturation, but because a hacker will most likely be using a spoofed IP address to send these requests, when the server attempts to send the synchronize-acknowledgement or SYN-ACK messages back in order to establish what the server sees as legitimate connection requests, the reply messages have nowhere to go and the server will not be able to close the connection.

This eats away at network resources, causing services to be denied to legitimate users, and possibly a more severe server failing.

38 day-long SYN flood and DNS flood multi-vector DDoS attack (source)

Not your basic SYN flood attack

As you’ve probably assumed, a tsunami SYN flood attack is basically a massive SYN flood attack. It’s a high-volume type of SYN flood attack that was first detected in October of 2014 and is designed to overcome the majority of basic internet security defenses.

The tsunami SYN flood attack works like a regular SYN flood attack in that the attacker floods a targeted server with SYN packets. But while a normal SYN packet ranges from 40-60 bytes in size, for a tsunami SYN flood attack, attackers have found a way to load up to 1000 bytes into each packet. So the effectiveness a normal SYN flood attack? Multiply it by a whopping 25.

Why basic internet security cannot yet handle tsunami SYN flood attacks

Hackers may be labeled many things, but they are never stupid. They are constantly innovating and finding ways to exploit security weaknesses, and for the time being, they’ve struck gold.

Prior to the advent of the tsunami, when we saw volumetric attacks they tended to use the UDP protocol. When you know a certain type of attack is generally perpetrated in a particular way, you learn to defend against it. For instance, if mice keep getting into your chimney, you will learn to block the opening to your chimney. This could be a decent solution, until the mice find a way to burrow holes that lead to your basement. Well, basic internet security learned to block the chimney. Now it has to begin its efforts anew in the basement, and there are more mice than ever developing alternative routes into your house.

A volumetric attack over the TCP protocol is a new type of threat, and while so far it has only been tracked a few times, experts agree that it is likely to become a new trend in DDoS attacks.

What you can do to defend against tsunami SYN flood attacks

Our main suggestion for proper defense is a professional DDoS mitigation. A professional mitigation service will be able to spot the attack as soon as it starts happening and immediately re-route your traffic to a scrubbing server, allowing legitimate traffic through while doing away with attack traffic. In the case of volumetric DDoS attacks, early detection is absolutely essential.

SYN flood attacks may be one of the most common DDoS attack methods, and their ugly big brothers the tsunami SYN flood attacks may be the new trend in volumetric attacks, but unlike real floods and tsunamis, we don’t have to sit helplessly in our lifeboats as water swells around us. You can take the appropriate steps to protect your website and your investment, and stop this new DDoS trend in its tracks.


About Lee

view all posts

Travel lover. Internet guru. Friendly troublemaker. Certified pop culture buff.