CCIE Security: SYN Flood Attack - Exam 400-251 | Cisco

SYN Flood Attack


Question

Which statement about the SYN flood attack is true?

Answer

C.

Explanation

The SYN flood attack is a type of denial-of-service attack that exploits a weakness in the TCP/IP protocol's three-way handshake process. During a typical TCP connection, the client sends a SYN packet to the server, and the server responds with a SYN-ACK packet. The client then sends an ACK packet to complete the handshake and establish the connection.

In a SYN flood attack, the attacker sends a flood of SYN packets to the targeted server, either with spoofed source IP addresses or from a large number of compromised devices. The server responds to each SYN with a SYN-ACK and waits for the client's ACK. Because the source addresses are spoofed, or the compromised devices simply never answer, the ACK never arrives, and each connection remains in the SYN-Received state backlog as a half-open connection. This backlog consumes server memory and eventually causes the server to become unresponsive to legitimate requests.
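As an added illustration (not part of the original explanation), the following Python model of a server's SYN backlog shows the mechanism the two paragraphs above describe: every SYN that is never followed by an ACK occupies a half-open TCB until it times out, and once the backlog is full a legitimate client's SYN is refused. The capacity, timeout and IP addresses are constructed values, and the model is a simplification of real kernel behaviour.

```python
"""Toy model of a TCP server's SYN backlog (half-open TCBs) under a SYN flood.

Constructed for illustration: capacity, timeout and addresses are made up,
and real TCP stacks have additional behaviour (retransmits, SYN cookies, ...).
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

Src = Tuple[str, int]  # (source IP, source port) identifying a half-open TCB


@dataclass
class SynBacklog:
    capacity: int                       # max entries in SYN-Received state
    timeout: float                      # seconds a half-open entry is kept
    half_open: Dict[Src, float] = field(default_factory=dict)  # src -> time of SYN
    established: int = 0
    dropped: int = 0

    def _reap(self, now: float) -> None:
        # Half-open entries that never saw an ACK are released after the timeout.
        expired = [s for s, t in self.half_open.items() if now - t >= self.timeout]
        for s in expired:
            del self.half_open[s]

    def on_syn(self, src: Src, now: float) -> str:
        self._reap(now)
        if len(self.half_open) >= self.capacity:
            self.dropped += 1           # backlog exhausted: SYN silently dropped
            return "dropped"
        self.half_open[src] = now       # allocate a TCB, reply with SYN-ACK
        return "syn-ack"

    def on_ack(self, src: Src, now: float) -> str:
        self._reap(now)
        if src not in self.half_open:
            return "no-tcb"             # no half-open TCB for this ACK
        del self.half_open[src]         # handshake complete: leave SYN-Received
        self.established += 1
        return "established"


def run_flood(capacity: int = 128, timeout: float = 60.0, attack_syns: int = 200) -> dict:
    """Replay a constructed flood of unanswered SYNs, then a legitimate client."""
    bl = SynBacklog(capacity, timeout)
    # Spoofed sources (documentation range 198.51.100.0/24) never send an ACK.
    for i in range(attack_syns):
        bl.on_syn((f"198.51.100.{i % 250}", 10000 + i), now=0.001 * i)
    half_open_after_flood = len(bl.half_open)

    legit: Src = ("203.0.113.7", 40000)  # constructed legitimate client
    t = 0.001 * attack_syns
    during_syn = bl.on_syn(legit, t)           # backlog is full
    during_ack = bl.on_ack(legit, t + 0.05)    # no TCB was ever allocated

    # Once the half-open entries time out, the backlog drains and the
    # legitimate handshake succeeds.
    after_syn = bl.on_syn(legit, t + timeout + 1.0)
    after_ack = bl.on_ack(legit, t + timeout + 1.05)
    return {
        "half_open_after_flood": half_open_after_flood,
        "dropped_syns": bl.dropped,
        "legit_during_flood": during_syn,
        "legit_ack_during_flood": during_ack,
        "legit_after_timeout": after_syn if after_ack != "established" else after_ack,
        "established": bl.established,
    }


if __name__ == "__main__":
    for k, v in run_flood().items():
        print(f"{k}: {v}")
```

With the defaults, 128 half-open entries fill the backlog, the remaining 72 flood SYNs plus the legitimate client's SYN are dropped, and the legitimate client only connects after the timeout reaps the stale entries. The model makes the exam's point concrete: the resource being exhausted is the bounded SYN-Received backlog (and the memory behind each TCB), not the CPU.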

Now let's examine each statement to determine which one is true:

A. The SYN flood attack is always directed from a valid address. This statement is false. SYN flood attacks can be launched from spoofed or compromised IP addresses, which means they are not always directed from a valid address.

B. The SYN flood attack target is to deplete server memory so that legitimate requests cannot be served. This statement is true. The goal of a SYN flood attack is to consume server resources, including memory, and make it difficult or impossible for legitimate requests to be served.

C. The SYN flood attack is meant to completely deplete the TCB SYN-Received state backlog. This statement is true. The SYN flood attack is designed to fill the server's TCB SYN-Received state backlog with half-open connections, consuming server memory and potentially causing the server to crash.

D. The SYN flood attack can be launched for both UDP and TCP open ports on the server. This statement is false. The SYN flood attack specifically targets the TCP protocol's three-way handshake process, so it cannot be launched against UDP ports.

E. SYN-Received state backlog for TCBs is meant to protect server CPU cycles. This statement is false. The SYN-Received state backlog is a mechanism that allows a server to handle a high volume of incoming connection requests while waiting for the three-way handshake to complete. It is not meant to protect server CPU cycles.

In conclusion, the correct statements about SYN flood attacks are B and C. The SYN flood attack aims to deplete server memory so that legitimate requests cannot be served, and it is meant to completely deplete the TCB SYN-Received state backlog.