# TCP Ack Flood

An attacker can flood a server with ACK packets. The server receives so many packets that it cannot handle normal traffic.

In a TCP connection, a three-way handshake occurs:

1. The client sends a SYN packet to start a TCP connection
2. The server replies with a SYN-ACK packet to accept the TCP connection
3. The client replies with an ACK packet to begin sending data

The SYN (synchronize) packet initiates a TCP connection, and an ACK (acknowledgment) packet acknowledges that a TCP connection has been established. This handshake is performed every time data is sent over TCP. In addition, ACK packets are sent periodically by a device to acknowledge that packets have been received.

Servers must process every ACK packet they receive, so ACK floods waste a lot of server resources. Real and fake ACK packets look the same; the only difference is that a fake ACK packet lacks a payload (there is no real content).

## Sample Pcap

Follow the [tcpdump](/openbsd/tcpdump) guide to record a pcap during an attack so that you can analyze it.

2001:db8::/32

```
18:34:34.318888 2001:db8::2940:5fe2:fb93:3fd7.42028 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.56815: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 246)
a@...... .A.....)@_...?.&.d..0.....c..Z..,..U.1{....P.@8*...
18:34:34.318888 2001:db8::7b61:8030:655d:59f3.9312 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.9005: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 245)
a@...... .A.....{a.0e]Y.&.d..0.....c..Z.$`#-.1O.....P.@8....
18:34:34.318889 2001:db8::6820:2b6f:c23a:769b.6570 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.65117: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 236)
`.......*..p....h +o.:v.&.d..0.....c..Z....]9.G.....P.@8....
18:34:34.318889 2001:db8::afa4:565f:994c:1970.14808 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.57643: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 246)
a@...... .A.......V_.L.p&.d..0.....c..Z.9..+........P.@8e...
18:34:34.318889 2001:db8::6443:797e:c8f3:e29d.22693 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.8369: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 245)
a@...... .A.....dCy~....&.d..0.....c..Z.X. .#.7t....P.@8.y..
18:34:34.318889 2001:db8::76b0:adba:bb48:873f.17347 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.15413: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 236)
`.......*..p..b.v....H.?&.d..0.....c..Z.C.<5$.(.....P.@8....
18:34:34.318889 2001:db8::664d:ea08:52b8:305c.61968 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.10304: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 237)
`.......*..p..'.fM..R.0\&.d..0.....c..Z...(@`..\....P.@8.B..
```

In the above, we see that the source IP subnet (2001:db8::/64) is sending TCP ACK packets to random ports of the IP 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d. Every packet is a bare ACK (`ack 0`, `len 20`, so no payload), which is the signature described above. This user is being targeted by an IPv6 TCP ACK flood. To find out which user owns the target address, run a reverse DNS lookup:

```
$ dig -x 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d
user.fig.ircnow.org
```

You should contact this user; he may have clues as to who is attacking him. You can then investigate by following the [police guide](/openbsd/police).

## How to Block

First, you want to make sure that you have no exposed public IPs that are not DDoS filtered. If you are on [BuyVM](/openbsd/buyvm), check the [web panel](https://manage.buyvm.net) to see if any non-filtered IPs are exposed. These should be disabled. You will also want to remove them from any publicly visible DNS records in /var/nsd/zones/master/.

Using the [packet filter](/openbsd/pf) firewall, you will want to block packets coming from the subnet 2001:db8::/64.
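The analysis above (bare ACKs with `ack 0` and no payload, sprayed across random ports from one /64) can be automated so that you do not have to read the capture by eye. The script below is an added example and not code from the ircnow wiki: it parses the OpenBSD tcpdump summary lines shown in the Sample Pcap section (the hex-dump lines are skipped), groups ACK-only, payload-less packets by source /64 and destination address, flags groups whose packets spread across mostly distinct ports, and renders pf.conf lines in the shape used in the How to Block section. The function names, the thresholds `min_packets` and `min_distinct_ports`, and the use of a pf table in place of the page's `bad_ip` macro are my own choices, not the page's. The sample input is copied from the capture above.

```python
#!/usr/bin/env python3
"""Added example (not from the ircnow wiki): detect a payload-less TCP ACK
flood in OpenBSD tcpdump output and derive the pf table entry to block it."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the seven summary lines from the capture on the page,
# plus one hex-dump line to show that the parser ignores non-summary lines.
SAMPLE = """\
18:34:34.318888 2001:db8::2940:5fe2:fb93:3fd7.42028 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.56815: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 246)
a@...... .A.....)@_...?.&.d..0.....c..Z..,..U.1{....P.@8*...
18:34:34.318888 2001:db8::7b61:8030:655d:59f3.9312 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.9005: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 245)
18:34:34.318889 2001:db8::6820:2b6f:c23a:769b.6570 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.65117: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 236)
18:34:34.318889 2001:db8::afa4:565f:994c:1970.14808 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.57643: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 246)
18:34:34.318889 2001:db8::6443:797e:c8f3:e29d.22693 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.8369: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 245)
18:34:34.318889 2001:db8::76b0:adba:bb48:873f.17347 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.15413: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 236)
18:34:34.318889 2001:db8::664d:ea08:52b8:305c.61968 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.10304: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 237)
"""

# One tcpdump IPv6/TCP summary line: "<ts> <src>.<sport> > <dst>.<dport>: <flags> ... ack N win N ... (len N, hlim N)"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[0-9a-f:]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[0-9a-f:]+)\.(?P<dport>\d+): "
    r"(?P<flags>\S+) .*?ack (?P<ack>\d+) win (?P<win>\d+)"
    r".*?\(len (?P<len>\d+), hlim (?P<hlim>\d+)\)"
)


def parse_line(line):
    """Return a dict for a tcpdump TCP summary line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "ack", "win", "len", "hlim"):
        pkt[key] = int(pkt[key])
    # An IPv6 payload length of 20 bytes is a bare TCP header: no options, no data.
    pkt["payload_less"] = pkt["len"] == 20
    # tcpdump prints "." when only ACK is set (no SYN, FIN, RST or PSH).
    pkt["ack_only"] = pkt["flags"] == "."
    return pkt


def summarize(text, prefixlen=64):
    """Group ACK-only, payload-less packets by (source prefix, destination address)."""
    groups = defaultdict(lambda: {"packets": 0, "dports": set(), "ack_zero": 0})
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None or not (pkt["ack_only"] and pkt["payload_less"]):
            continue
        prefix = ipaddress.ip_network(f"{pkt['src']}/{prefixlen}", strict=False)
        g = groups[(str(prefix), pkt["dst"])]
        g["packets"] += 1
        g["dports"].add(pkt["dport"])
        if pkt["ack"] == 0:  # an ACK for a connection that never existed
            g["ack_zero"] += 1
    return dict(groups)


def suspicious(groups, min_packets=5, min_distinct_ports=0.8):
    """Flag groups with many bare ACKs sprayed across mostly distinct ports.

    Thresholds are assumptions for this example; tune them to your traffic."""
    hits = []
    for (prefix, dst), g in groups.items():
        spread = len(g["dports"]) / g["packets"]
        if g["packets"] >= min_packets and spread >= min_distinct_ports:
            hits.append({"prefix": prefix, "dst": dst, **g, "port_spread": spread})
    return hits


def pf_block_rules(prefixes, ext_ip):
    """Render pf.conf lines like the page's, using a table for the bad prefixes."""
    table = ", ".join(sorted(prefixes))
    return "\n".join([
        f'ext_ip="{ext_ip}"',
        f"table <bad_ip> {{ {table} }}",
        "block drop quick proto { udp tcp } from <bad_ip> to $ext_ip",
    ])


if __name__ == "__main__":
    hits = suspicious(summarize(SAMPLE))
    for h in hits:
        print(f"{h['prefix']} -> {h['dst']}: {h['packets']} bare ACKs to "
              f"{len(h['dports'])} distinct ports, ack=0 in {h['ack_zero']} of them")
    print(pf_block_rules([h["prefix"] for h in hits], "2605:6400:30:f8de::/64"))
```

Run as-is, the seven sample packets collapse into one flagged /64 with seven distinct destination ports and `ack 0` on every packet. The port-spread check is what separates a flood from a busy legitimate client: a real client also sends many bare ACKs, but to one or a few ports on which it holds an established connection, not to 65117, 57643 and 8369 of a host that never opened those connections. Flood sources are frequently spoofed, so treat a derived prefix as a temporary table entry and keep the upstream DDoS filtering the page describes as the primary defense.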
You could put these lines at the beginning of /etc/pf.conf:

```
ext_ip="2605:6400:30:f8de::/64"
bad_ip="2001:db8::/64"
block drop quick proto { udp tcp } from $bad_ip to $ext_ip
```

## See Also

[DDoS Defense](/openbsd/Ddos)