TCP Ack Flood

An attacker can flood a server with ACK packets. The server receives so many packets that it cannot handle normal traffic.

In a TCP connection, a three-way handshake occurs:

  1. The client sends a SYN packet to start a TCP connection
  2. The server replies with a SYN-ACK packet to accept the TCP connection
  3. The client replies with an ACK packet to begin sending data

The SYN (synchronize) packet initiates a TCP connection, and an ACK (acknowledgment) packet acknowledges that a TCP connection has been established. This handshake is performed every time data is sent over TCP.

In addition, once a connection is established, a device sends ACK packets periodically to acknowledge the packets it has received.

Servers must process every ACK packet they receive, so ACK floods waste a lot of server resources. Real and fake ACK packets look the same; the only difference is that a fake ACK packet lacks a payload (there is no real content).

Sample Pcap

Follow the tcpdump guide to record a pcap during an attack to analyze it.

18:34:34.318888 2001:db8::2940:5fe2:fb93:3fd7.42028 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.56815: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 246)
a@...... .A.....)@_...?.&.d..0.....c..Z..,..U.1{....P.@8*...
18:34:34.318888 2001:db8::7b61:8030:655d:59f3.9312 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.9005: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 245)
a@...... .A.....{a.0e]Y.&.d..0.....c..Z.$`#-.1O.....P.@8....
18:34:34.318889 2001:db8::6820:2b6f:c23a:769b.6570 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.65117: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 236)
`.......*..p....h +o.:v.&.d..0.....c..Z....]9.G.....P.@8....
18:34:34.318889 2001:db8::afa4:565f:994c:1970.14808 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.57643: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 246)
a@...... .A.......V_.L.p&.d..0.....c..Z.9..+........P.@8e...
18:34:34.318889 2001:db8::6443:797e:c8f3:e29d.22693 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.8369: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 245)
a@...... .A.....dCy~....&.d..0.....c..Z.X. .#.7t....P.@8.y..
18:34:34.318889 2001:db8::76b0:adba:bb48:873f.17347 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.15413: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 236)
`.......*..p..b.v....H.?&.d..0.....c..Z.C.<5$.(.....P.@8....
18:34:34.318889 2001:db8::664d:ea08:52b8:305c.61968 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.10304: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 237)
`.......*..p..'.fM..R.0\&.d..0.....c..Z...(@`..\....P.@8.B..

In the output above, source addresses in the subnet 2001:db8::/64 are sending TCP ACK packets to random ports of the IP 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d. This user is being targeted by an IPv6 TCP ACK flood; to identify the user, run:

$ dig -x 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d
user.fig.ircnow.org

You should contact this user; he may have clues as to who is attacking him. You can then investigate by following the police guide.
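The triage above can be scripted. The following is an added example, not part of the original guide: it parses tcpdump summary lines in the format shown in the sample pcap (IPv6, old-style flag column), skips the ASCII dump lines, and counts bare ACKs (flags ".", ack 0, len 20 with no payload) per source /64 and destination so that a flood stands out from normal traffic. The regex, thresholds and the constructed sample input are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict

# One regex for the tcpdump summary lines in the sample above (IPv6, old-style flag column).
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<src>[0-9a-f:.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[0-9a-f:.]+)\.(?P<dport>\d+): (?P<flags>\S+) .*?ack (?P<ack>\d+) "
    r"win (?P<win>\d+).*?\(len (?P<length>\d+), hlim (?P<hlim>\d+)\)"
)

def parse_line(line):
    """Parse one summary line; the ASCII dump lines between them return None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    pkt = m.groupdict()
    for k in ("sport", "dport", "ack", "win", "length", "hlim"):
        pkt[k] = int(pkt[k])
    return pkt

def is_bare_ack(pkt):
    """Flood fingerprint seen in the sample: ACK-only flags ('.'), ack number 0,
    and len 20, i.e. a bare TCP header with no payload."""
    return pkt["flags"] == "." and pkt["ack"] == 0 and pkt["length"] == 20

def find_ack_floods(lines, prefix_len=64, threshold=5):
    """Count bare ACKs per (source /prefix_len, destination) and return the groups
    at or above threshold, with the distinct destination ports they hit."""
    groups = defaultdict(lambda: {"packets": 0, "ports": set()})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or not is_bare_ack(pkt):
            continue
        src_net = ipaddress.ip_network(f"{pkt['src']}/{prefix_len}", strict=False)
        entry = groups[(str(src_net), pkt["dst"])]
        entry["packets"] += 1
        entry["ports"].add(pkt["dport"])
    return {k: v for k, v in groups.items() if v["packets"] >= threshold}

# Constructed input: six summary lines from the sample above, one ASCII dump line,
# and one ordinary data ACK (nonzero ack, payload) that must not be counted.
SAMPLE = """\
18:34:34.318888 2001:db8::2940:5fe2:fb93:3fd7.42028 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.56815: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 246)
a@...... .A.....)@_...?.&.d..0.....c..Z..,..U.1{....P.@8*...
18:34:34.318888 2001:db8::7b61:8030:655d:59f3.9312 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.9005: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 245)
18:34:34.318889 2001:db8::6820:2b6f:c23a:769b.6570 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.65117: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 236)
18:34:34.318889 2001:db8::afa4:565f:994c:1970.14808 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.57643: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 246)
18:34:34.318889 2001:db8::6443:797e:c8f3:e29d.22693 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.8369: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 245)
18:34:34.318889 2001:db8::76b0:adba:bb48:873f.17347 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.15413: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 236)
18:34:35.000001 2001:db8:1::10.443 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.51000: P. [tcp sum ok] ack 4097 win 16440 (len 1460, hlim 60)
"""
```

Feed it `sys.stdin` or the lines of a saved tcpdump file instead of SAMPLE; the returned prefix is what you would plug into the pf `bad_ip` macro below.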

How to Block

First, make sure that you have no exposed public IPs that are not DDoS filtered. If you are on BuyVM, check the web panel to see whether any non-filtered IPs are exposed. These should be disabled. You will also want to remove them from any publicly visible DNS records in /var/nsd/zones/master/.

Using the packet filter firewall, block packets coming from the subnet 2001:db8::/64. You could put the following macros and rule at the beginning of /etc/pf.conf:

ext_ip="2605:6400:30:f8de::/64"
bad_ip="2001:db8::/64"
block drop quick proto {udp tcp} from $bad_ip to $ext_ip

See Also

DDoS Defense