Flood attacks
An attacker launches a flood attack by sending a large number of forged requests to the victim in a
short period of time. The victim is too busy responding to these forged requests to provide services
to legitimate users, and a DoS attack occurs.
The device can detect and prevent the following types of flood attacks:
• SYN flood attack.
A SYN flood attacker exploits the characteristics of the TCP three-way handshake to make the
victim unresponsive to legitimate users. The attacker sends a large number of SYN packets with
forged source addresses to a server. This causes the server to open a large number of
half-open connections and respond to the requests. However, the server will never receive the
expected ACK packets. The server is unable to accept new incoming connection requests
because all of its resources are bound to half-open connections.
• ACK flood attack.
An ACK packet is a TCP packet with only the ACK flag set. Upon receiving an ACK packet from
a client, the server must search its half-open connections for a match.
An ACK flood attacker sends a large number of ACK packets to the server. This causes the
server to be busy searching for half-open connections, and the server is unable to process
packets for normal services.
• SYN-ACK flood attack.
Upon receiving a SYN-ACK packet, the server must search for the matching SYN packet it has
sent. A SYN-ACK flood attacker sends a large number of SYN-ACK packets to the server. This
causes the server to be busy searching for SYN packets, and the server is unable to process
packets for normal services.
• FIN flood attack.
FIN packets are used to shut down TCP connections.
A FIN flood attacker sends a large number of forged FIN packets to a server. The victim might
shut down legitimate connections, or be unable to provide services because it is busy searching
for matching connections.
• RST flood attack.
RST packets are used to abort TCP connections when TCP connection errors occur.
An RST flood attacker sends a large number of forged RST packets to a server. The victim
might shut down legitimate connections, or be unable to provide services because it is busy
searching for matching connections.
• DNS flood attack.
A DNS server processes and replies to all DNS queries that it receives.
A DNS flood attacker sends a large number of forged DNS queries. This attack consumes the
bandwidth and resources of the DNS server, which prevents the server from processing and
replying to legitimate DNS queries.
• HTTP flood attack.
Upon receiving an HTTP GET request, the HTTP server performs complex operations,
including string searching, database traversal, data reassembly, and format
conversion. These operations consume a large amount of system resources.
An HTTP flood attacker sends a large number of HTTP GET requests that exceed the
processing capacity of the HTTP server, which causes the server to crash.
• ICMP flood attack.
An ICMP flood attacker sends ICMP echo request (ping) packets to a host at a high
rate. Because the target host is busy replying to these requests, it is unable to provide services.
• ICMPv6 flood attack.
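The device-side detection the section describes is, at its core, a per-destination rate check: count packets of one kind (SYN, ACK, SYN-ACK, FIN, RST, DNS query, ICMP echo) aimed at the same destination within a short window and raise an alert once the count exceeds a threshold. The following Python script is an added example written for this page, not code from the product documentation or from any vendor; it classifies packets by protocol and TCP flag combination, keeps a sliding one-second window per (destination, flood type), and runs over a small constructed trace. The `Packet` record, the documentation-range addresses (198.51.100.0/24, 192.0.2.0/24, 10.0.0.0/8), the threshold of 20 packets per window and the `FloodDetector` class are all assumptions of the example. HTTP flood detection is left out because it needs application-layer inspection of GET requests, which a flag-and-protocol classifier cannot see.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    # Hypothetical minimal packet record (constructed for this example).
    ts: float                                  # capture time in seconds
    src: str
    dst: str
    proto: str                                 # "tcp", "udp", "icmp", "icmpv6"
    flags: frozenset = field(default_factory=frozenset)  # TCP flag names
    dport: int = 0


def classify(pkt):
    """Map a packet to the flood type it would contribute to, or None."""
    if pkt.proto == "tcp":
        f = pkt.flags
        if f == {"SYN"}:
            return "SYN flood"
        if f == {"SYN", "ACK"}:
            return "SYN-ACK flood"
        if f == {"ACK"}:
            return "ACK flood"
        if "FIN" in f:
            return "FIN flood"
        if "RST" in f:
            return "RST flood"
        return None
    if pkt.proto == "udp" and pkt.dport == 53:
        return "DNS flood"
    if pkt.proto == "icmp":
        return "ICMP flood"
    if pkt.proto == "icmpv6":
        return "ICMPv6 flood"
    return None


class FloodDetector:
    """Sliding-window packet counter keyed by (destination, flood type)."""

    def __init__(self, threshold, window=1.0):
        self.threshold = threshold          # packets allowed per window
        self.window = window                # window length in seconds
        self.buckets = defaultdict(deque)   # key -> timestamps in window
        self.alerted = set()                # keys already reported

    def observe(self, pkt):
        kind = classify(pkt)
        if kind is None:
            return None
        key = (pkt.dst, kind)
        q = self.buckets[key]
        q.append(pkt.ts)
        # Drop timestamps that have fallen out of the window.
        while q and pkt.ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return f"{kind} toward {pkt.dst}: {len(q)} packets within {self.window:g}s"
        return None


def run_detector(packets, threshold=20, window=1.0):
    """Feed packets in time order; return the list of alerts raised."""
    det = FloodDetector(threshold, window)
    alerts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        msg = det.observe(pkt)
        if msg:
            alerts.append(msg)
    return alerts


def constructed_traffic():
    """Constructed trace: one forged-source SYN flood plus legitimate handshakes."""
    pkts = []
    # 60 SYNs from never-repeating forged sources toward one server in 0.6 s.
    for i in range(60):
        pkts.append(Packet(i * 0.01, f"198.51.100.{i}", "10.0.0.5",
                           "tcp", frozenset({"SYN"}), 80))
    # Five normal three-way handshakes toward another server, one per second.
    for i in range(5):
        t, c = float(i), f"192.0.2.{i + 1}"
        pkts.append(Packet(t, c, "10.0.0.6", "tcp", frozenset({"SYN"}), 443))
        pkts.append(Packet(t + 0.01, "10.0.0.6", c, "tcp", frozenset({"SYN", "ACK"})))
        pkts.append(Packet(t + 0.02, c, "10.0.0.6", "tcp", frozenset({"ACK"}), 443))
    return pkts


if __name__ == "__main__":
    for line in run_detector(constructed_traffic()):
        print(line)
```

Only the server receiving the forged SYNs trips the detector; the legitimate handshakes stay far below the threshold because each client's SYN, the server's SYN-ACK and the client's ACK are counted under different (destination, type) keys. In a real device the threshold is set per destination and per attack type, and the action on detection (logging, dropping the excess, or client verification for SYN floods) is configured separately from the detection itself.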