ZyXEL Communications ZYWALL USG 2000 Manual page 537

Chapter 31 ADP
ICMP echo request packet to all hosts on the network. If there are numerous
hosts, this will create a large amount of ICMP echo request and response traffic.
If an attacker (A) spoofs the source IP address of the ICMP echo request packet,
the resulting ICMP traffic will not only saturate the receiving network (B), but the
network of the spoofed source IP address (C).
Figure 368 Smurf Attack
TCP SYN Flood Attack
Usually a client starts a session by sending a SYN (synchronize) packet to a server.
The receiver returns an ACK (acknowledgment) packet and its own SYN, and then
the initiator responds with an ACK (acknowledgment). After this handshake, a
connection is established.
Figure 369 TCP Three-Way Handshake
A SYN flood attack is when an attacker sends a series of SYN packets. Each packet
causes the receiver to reply with a SYN-ACK response. The receiver then waits for
the ACK that follows the SYN-ACK, and stores all outstanding SYN-ACK responses
on a backlog queue. SYN-ACKs are only moved off the queue when an ACK comes
back or when an internal timer ends the three-way handshake. Once the queue is
537
ZyWALL USG 2000 User's Guide