Incident Report: SYN Flood Attack

Section 1: Identification of attack

Analysis of the Wireshark TCP/HTTP logs indicates that the downtime was caused by a malicious TCP SYN flood attack from IP address 203.0.113.0. While normal requests from authorized users were still observed, the logs show a growing volume of SYN packets from the attacker, eventually saturating server connection slots and causing service interruption.

Section 2: Explanation of malfunction

TCP Three-Way Handshake Explained

  1. SYN (Synchronize) – The client (device) sends a SYN packet to the server, requesting to start a TCP connection.
  2. SYN-ACK (Synchronize-Acknowledge) – The server responds with a SYN-ACK packet, acknowledging the client’s request and signaling readiness to establish the connection.
  3. ACK (Acknowledge) – The client sends an ACK packet back to the server, completing the handshake and opening the TCP connection for data transfer.

Effect of SYN Flood

A high volume of SYN packets from the attacker occupies the server’s half-open connection table, preventing legitimate TCP handshake requests from completing. This resource exhaustion can result in denial of service for legitimate users.

Log Analysis

Log analysis confirms that the attacker’s SYN packets from 203.0.113.0 prevented legitimate TCP connections from completing, leading to temporary service unavailability.
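The following Python script is an added illustration, not part of the original report or its spreadsheet. It replays constructed Wireshark-style TCP records (time, source, destination, protocol, info) against a small model of the server's half-open connection table, so the three handshake steps, the table exhaustion described under "Effect of SYN Flood", and the per-source log analysis above can be seen together. The server address 192.0.2.1, the legitimate clients 198.51.100.10 and 198.51.100.11, the ports, timestamps, backlog size and detection threshold are all constructed; only the attacker address 203.0.113.0 comes from the report.

```python
"""Half-open connection table under a SYN flood, replayed from constructed
Wireshark-style TCP records.

Added example for this incident report, not part of the original. The server
address, legitimate client addresses, ports, timestamps and backlog size are
constructed; 203.0.113.0 is the attacker address the report names.
"""
import re
from collections import defaultdict

SERVER = "192.0.2.1"      # constructed address of the flooded web server
BACKLOG = 4               # constructed, deliberately tiny, half-open table
MIN_SYNS_TO_FLAG = 5      # constructed detection threshold

# Constructed records in the shape of a Wireshark export:
# time, source, destination, protocol, info.
SAMPLE_LOG = """\
0.001 198.51.100.10 192.0.2.1 TCP 54321 > 80 [SYN] Seq=0 Win=64240
0.002 192.0.2.1 198.51.100.10 TCP 80 > 54321 [SYN, ACK] Seq=0 Ack=1
0.003 198.51.100.10 192.0.2.1 TCP 54321 > 80 [ACK] Seq=1 Ack=1
0.010 203.0.113.0 192.0.2.1 TCP 40000 > 80 [SYN] Seq=0 Win=1024
0.011 192.0.2.1 203.0.113.0 TCP 80 > 40000 [SYN, ACK] Seq=0 Ack=1
0.012 203.0.113.0 192.0.2.1 TCP 40001 > 80 [SYN] Seq=0 Win=1024
0.013 192.0.2.1 203.0.113.0 TCP 80 > 40001 [SYN, ACK] Seq=0 Ack=1
0.014 203.0.113.0 192.0.2.1 TCP 40002 > 80 [SYN] Seq=0 Win=1024
0.015 192.0.2.1 203.0.113.0 TCP 80 > 40002 [SYN, ACK] Seq=0 Ack=1
0.016 203.0.113.0 192.0.2.1 TCP 40003 > 80 [SYN] Seq=0 Win=1024
0.017 192.0.2.1 203.0.113.0 TCP 80 > 40003 [SYN, ACK] Seq=0 Ack=1
0.020 198.51.100.11 192.0.2.1 TCP 54322 > 80 [SYN] Seq=0 Win=64240
0.030 203.0.113.0 192.0.2.1 TCP 40004 > 80 [SYN] Seq=0 Win=1024
0.031 203.0.113.0 192.0.2.1 TCP 40005 > 80 [SYN] Seq=0 Win=1024
1.020 198.51.100.11 192.0.2.1 TCP 54322 > 80 [SYN] Seq=0 Win=64240
"""

INFO_RE = re.compile(r"(\d+) > (\d+) \[([A-Z, ]+)\]")


def parse_line(line):
    """Turn one record into (time, src, dst, sport, dport, flags)."""
    time_s, src, dst, _proto, info = line.split(maxsplit=4)
    m = INFO_RE.search(info)
    if not m:
        raise ValueError(f"unparsable info column: {info!r}")
    flags = {f.strip() for f in m.group(3).split(",")}
    return float(time_s), src, dst, int(m.group(1)), int(m.group(2)), flags


def replay(log_text, server=SERVER, backlog=BACKLOG):
    """Replay client packets against a model of the server's handshake state.

    Step 1 (SYN) claims a slot in the bounded half-open table, keyed by
    (client address, client port); step 2 (SYN-ACK) is the server's own
    packet and carries no client state; step 3 (ACK) moves the entry to
    established.  A SYN that arrives while the table is full is dropped,
    which is the denial of service the report describes.  Real stacks also
    retransmit SYN-ACK and expire stale entries; that is left out here so
    the exhaustion stays visible in a short replay.
    """
    half_open = {}                 # (src, sport) -> time the SYN was accepted
    established = set()
    stats = defaultdict(lambda: {"syn": 0, "completed": 0,
                                 "dropped": 0, "half_open": 0})

    for line in log_text.splitlines():
        if not line.strip():
            continue
        t, src, dst, sport, _dport, flags = parse_line(line)
        if dst != server:
            continue               # server-originated SYN-ACK, nothing to track
        key = (src, sport)
        if "SYN" in flags and "ACK" not in flags:
            stats[src]["syn"] += 1
            if key in half_open or key in established:
                continue           # retransmit of a SYN already accepted
            if len(half_open) >= backlog:
                stats[src]["dropped"] += 1   # no free slot: handshake never starts
                continue
            half_open[key] = t
        elif "ACK" in flags and key in half_open:
            del half_open[key]     # handshake complete, slot released
            established.add(key)
            stats[src]["completed"] += 1

    for src, _sport in half_open:  # slots still held when the capture ends
        stats[src]["half_open"] += 1
    return dict(stats)


def flag_syn_flood_sources(stats, min_syns=MIN_SYNS_TO_FLAG):
    """Sources that sent many SYNs and never completed a handshake.

    The count threshold matters: a legitimate client whose SYNs were dropped
    (198.51.100.11 above) also shows zero completions, but it does not keep
    opening fresh source ports while never answering a SYN-ACK.
    """
    return sorted(src for src, s in stats.items()
                  if s["syn"] >= min_syns and s["completed"] == 0)


if __name__ == "__main__":
    result = replay(SAMPLE_LOG)
    for src, s in sorted(result.items()):
        print(f"{src:15} SYN={s['syn']:2} completed={s['completed']} "
              f"half_open={s['half_open']} dropped={s['dropped']}")
    print("flagged:", flag_syn_flood_sources(result))
```

Running the script shows 198.51.100.10 completing its handshake before the flood, the attacker holding all four half-open slots with six SYNs and no ACK, and 198.51.100.11 having both its SYN and its retransmission dropped. The same per-source counts (SYNs sent, handshakes completed, slots held) are what to compute from the real spreadsheet; a source with a large SYN count and a completion rate near zero is the pattern the report attributes to 203.0.113.0.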

Associated Logs / Spreadsheet

Download or view the associated TCP/HTTP log spreadsheet: View Spreadsheet