Figure 343 Tcp Three-Way Handshake; Figure 344 Syn Flood - ZyXEL Communications Unified Security Gateway ZyWALL 300 User Manual

30.8.2.3 TCP SYN Flood Attack
Usually a client starts a session by sending a SYN (synchronize) packet to a server. The
receiver returns an ACK (acknowledgment) packet and its own SYN, and then the initiator
responds with an ACK (acknowledgment). After this handshake, a connection is established.

Figure 343 TCP Three-Way Handshake

A SYN flood attack is when an attacker sends a series of SYN packets. Each packet causes the
receiver to reply with a SYN-ACK response. The receiver then waits for the ACK that follows
the SYN-ACK, and stores all outstanding SYN-ACK responses on a backlog queue. SYN-
ACKs are only moved off the queue when an ACK comes back or when an internal timer ends
the three-way handshake. Once the queue is full, the system will ignore all incoming SYN
requests, making the system unavailable for other users.

Figure 344 SYN Flood

30.8.2.4 LAND Attack
In a LAND attack, hackers flood SYN packets into a network with a spoofed source IP address
of the network itself. This makes it appear as if the computers in the network sent the packets
to themselves, so the network is unavailable while they try to respond to themselves.
ZyWALL USG 300 User's Guide
Chapter 30 ADP
453