ZyXEL Communications ZyWALL USG 300 User Manual page 559

Chapter 32 ADP
ICMP echo request packet to all hosts on the network. If there are numerous
hosts, this will create a large amount of ICMP echo request and response traffic.
If an attacker (A) spoofs the source IP address of the ICMP echo request packet,
the resulting ICMP traffic will not only saturate the receiving network (B), but the
network of the spoofed source IP address (C).
Figure 397 Smurf Attack
TCP SYN Flood Attack
Usually a client starts a session by sending a SYN (synchronize) packet to a
server. The receiver returns an ACK (acknowledgment) packet and its own SYN,
and then the initiator responds with an ACK (acknowledgment). After this
handshake, a connection is established.
Figure 398 TCP Three-Way Handshake
A SYN flood attack is when an attacker sends a series of SYN packets. Each packet
causes the receiver to reply with a SYN-ACK response. The receiver then waits for
the ACK that follows the SYN-ACK, and stores all outstanding SYN-ACK responses
on a backlog queue. SYN-ACKs are only moved off the queue when an ACK comes
back or when an internal timer ends the three-way handshake. Once the queue is
559
ZyWALL USG 300 User's Guide