Figure A-1 Three-Way Handshake; Figure A-2 Syn Flood - ZyXEL Communications ZYWALL IDP 10 User Manual

ZyWALL IDP10 User's Guide
creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled
at the destination, some systems will crash, hang, or reboot.
A.3.4 SYN Attack
This attack is executed during the handshake that initiates a communication session between two
applications.

Figure A-1 Three-Way Handshake

Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet
to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN,
and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is
established.
A SYN attack floods a targeted system with a series of SYN packets. Each packet causes the targeted
system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the
SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue.
SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which
is set at relatively long intervals) terminates the three-way handshake. Once the queue is full, the
system will ignore all incoming SYN requests, making the system unavailable for legitimate users.

Figure A-2 SYN Flood

A.3.5 LAND Attack
In a LAND attack, hackers flood SYN packets into the network with a spoofed source IP address of
the targeted system. This makes it appear as if the host computer sent the packets to itself, making the
system unavailable while the target system tries to respond to itself.
A-2 Introduction to Intrusions