What is the purpose of using random IP addresses in SYN Flood Attack?

A client opens a TCP connection by sending a SYN packet to a server. The server replies with a single SYN+ACK, and the client responds again with an ACK. Because of natural network latency, the server may wait a short time after sending SYN+ACK to the specified source address for an ACK reply, and this behavior is what a SYN flood exploits. Because the source address was spoofed, the reply will never come. If the server is waiting on enough fake connections that will never be completed, it will become unable to open any new connections, legitimate or not. This condition is called denial of service.

SYN flood attacks do not require the attacker receive a reply from the victim, so there is no need for the attacker to use its real source address. Spoofing the source address both improves anonymity by making it harder to track down the attacker, as well as making it more difficult for the victim to filter traffic based on IP. After all, if each packet used the same source address (whether spoofed or not), any decent firewall would quickly begin blocking all SYN packets from that address and the attack would fail.


A SYN flood can be more easily detected when the source of the attack is using the same IP address. So if a defender is detecting and able to block this activity you will not have a successful attack. Using random IP addresses as part of a SYN flood makes it much harder to detect and defend against making it more likely to be a successful attack.


You double your traffic by not using your own IP. The response from the victim goes out to the IP you spoofed, who reply with a RST (subject to caveats). Being unpredictable makes them harder to block.

They are often not completely random though. They are often chosen to be on the attacked network. Also, as the filters are not that smart, they often get away with only sightly shuffled IPs.

Tags:

Flooding