
312-49v10 Exam - Question 458


Recently, an internal web app that a government agency utilizes has become unresponsive. Betty, a network engineer for the government agency, has been tasked to determine the cause of the web application's unresponsiveness. Betty launches Wireshark and begins capturing the traffic on the local network. While analyzing the results, Betty noticed that a SYN flood attack was underway. How did Betty know a SYN flood attack was occurring?

Correct Answer: D

In a SYN flood attack, an attacker sends a large number of SYN (synchronize) packets to a target server, typically with spoofed IP addresses. The server responds with SYN-ACK (synchronize-acknowledge) packets and waits for the final ACK packet of the handshake that never arrives. This leads to multiple half-open connections, consuming server resources and causing it to become unresponsive. Wireshark will show multiple SYN requests and SYN-ACK responses from single or multiple IP addresses, indicating a SYN flood attack.
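The half-open pattern described above can be checked programmatically. The following is an added example, not part of the original page: it counts handshakes that received a SYN and a SYN-ACK but no final ACK. The packet tuples, the documentation-range addresses and the threshold of 10 are constructed assumptions.

```python
from collections import defaultdict

def build_sample():
    """Constructed packets: (src, sport, dst, dport, flags), as if exported from a capture."""
    server = ("192.0.2.10", 443)
    # One legitimate client that completes the three-way handshake.
    pkts = [("198.51.100.7", 50000, *server, "S"),
            (*server, "198.51.100.7", 50000, "SA"),
            ("198.51.100.7", 50000, *server, "A")]
    # Twenty sources that send a SYN, receive a SYN-ACK, and never send the ACK.
    for i in range(20):
        src = f"203.0.113.{i + 1}"
        pkts.append((src, 40000 + i, *server, "S"))
        pkts.append((*server, src, 40000 + i, "SA"))
    return pkts

def half_open_by_server(packets):
    """Return {(server_ip, port): handshakes stuck after SYN-ACK with no final ACK}."""
    state = {}  # (client, cport, server, sport) -> "SYN" | "SYN-ACK" | "ESTABLISHED"
    for src, sport, dst, dport, flags in packets:
        if flags == "S":                      # client opens a handshake
            state[(src, sport, dst, dport)] = "SYN"
        elif flags == "SA":                   # server answers; key is client-first
            key = (dst, dport, src, sport)
            if state.get(key) == "SYN":
                state[key] = "SYN-ACK"
        elif flags == "A":                    # client completes the handshake
            key = (src, sport, dst, dport)
            if state.get(key) == "SYN-ACK":
                state[key] = "ESTABLISHED"
    counts = defaultdict(int)
    for (_, _, server, port), st in state.items():
        if st == "SYN-ACK":
            counts[(server, port)] += 1
    return dict(counts)

def flag_syn_flood(packets, threshold=10):
    """List servers whose half-open count meets the (assumed) threshold."""
    return [srv for srv, n in half_open_by_server(packets).items() if n >= threshold]

if __name__ == "__main__":
    print(half_open_by_server(build_sample()))
    print(flag_syn_flood(build_sample()))
```
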

Discussion

4 comments
581777a Option: C
Aug 23, 2023

C. Wireshark capture shows multiple SYN requests and RST responses from single/multiple IP address(es)

In a SYN flood attack, the attacker sends a large number of SYN (synchronization) requests to a target server, often with spoofed IP addresses, in an attempt to overwhelm the server's resources and cause it to become unresponsive. When analyzing traffic using Wireshark, you might notice multiple SYN requests followed by RST (reset) responses. This is because the target server sends RST responses to the incoming SYN requests to indicate that it is not able to establish a full connection due to the flood of incoming SYN requests. This behavior is a characteristic sign of a SYN flood attack.

Elb Option: C
Apr 23, 2024

https://kb.mazebolt.com/knowledgebase/rst-syn-flood/

Elb Option: C
May 24, 2024

SYN flooding is a type of Denial-of-Service (DoS) attack in which the attacker sends a large number of SYN packets repeatedly to the target server using multiple spoofed IP addresses that never return an ACK packet, thus keeping the server busy and rendering it unresponsive.

Elb Option: C
Jun 11, 2024

The malicious entity sends a barrage of SYN requests to a target server but intentionally avoids sending the final ACK. This leaves the server waiting for a response that never comes, consuming resources for each of these half-open connections.