What is the purpose of using random IP addresses in SYN Flood Attack?












17















What is the purpose of using random IP addresses in SYN Flood Attack?










share|improve this question









New contributor




Henok Tesfaye is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

























    17















    What is the purpose of using random IP addresses in SYN Flood Attack?










    share|improve this question









    New contributor




    Henok Tesfaye is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.























      17












      17








      17


      4






      What is the purpose of using random IP addresses in SYN Flood Attack?










      share|improve this question









      New contributor




      Henok Tesfaye is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.












      What is the purpose of using random IP addresses in SYN Flood Attack?







      flooding






      share|improve this question









      New contributor




      Henok Tesfaye is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question









      New contributor




      Henok Tesfaye is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question








      edited 9 hours ago









      Andy Lester

      31226




      31226






      New contributor




      Henok Tesfaye is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked yesterday









      Henok TesfayeHenok Tesfaye

      2028




      2028




      New contributor




      Henok Tesfaye is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      Henok Tesfaye is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      Henok Tesfaye is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






















          3 Answers
          3






          active

          oldest

          votes


















          31














          A client opens a TCP connection by sending a SYN packet to a server. The server replies with a single SYN+ACK, and the client responds again with an ACK. Because of natural network latency, the server may wait a short time after sending SYN+ACK to the specified source address for an ACK reply, and this behavior is what a SYN flood exploits. Because the source address was spoofed, the reply will never come. If the server is waiting on enough fake connections that will never be completed, it will become unable to open any new connections, legitimate or not. This condition is called denial of service.



          SYN flood attacks do not require the attacker receive a reply from the victim, so there is no need for the attacker to use its real source address. Spoofing the source address both improves anonymity by making it harder to track down the attacker, as well as making it more difficult for the victim to filter traffic based on IP. After all, if each packet used the same source address (whether spoofed or not), any decent firewall would quickly begin blocking all SYN packets from that address and the attack would fail.






          share|improve this answer

































            5














            SYN flood attack detects when there is an attack with the same IP address. So you will not have a successful attack However if you have a Random IP address to attack then it will not detect anything with the same IP address so you will have a successful attack






            share|improve this answer








            New contributor




            Michale Rezene is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.




























              3














              You double your traffic by not using your own IP. The response from the victim goes out to the IP you spoofed, who reply with a RST (subject to caveats).
              Being unpredictable makes them harder to block.



              They are often not random completely random though. They are often chosen to be on the attacked network. Also, as the filters are not that smart, they often get away with only sightly shuffled IPs.






              share|improve this answer























                Your Answer








                StackExchange.ready(function() {
                var channelOptions = {
                tags: "".split(" "),
                id: "162"
                };
                initTagRenderer("".split(" "), "".split(" "), channelOptions);

                StackExchange.using("externalEditor", function() {
                // Have to fire editor after snippets, if snippets enabled
                if (StackExchange.settings.snippets.snippetsEnabled) {
                StackExchange.using("snippets", function() {
                createEditor();
                });
                }
                else {
                createEditor();
                }
                });

                function createEditor() {
                StackExchange.prepareEditor({
                heartbeatType: 'answer',
                autoActivateHeartbeat: false,
                convertImagesToLinks: false,
                noModals: true,
                showLowRepImageUploadWarning: true,
                reputationToPostImages: null,
                bindNavPrevention: true,
                postfix: "",
                imageUploader: {
                brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
                contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
                allowUrls: true
                },
                noCode: true, onDemand: true,
                discardSelector: ".discard-answer"
                ,immediatelyShowMarkdownHelp:true
                });


                }
                });






                Henok Tesfaye is a new contributor. Be nice, and check out our Code of Conduct.










                draft saved

                draft discarded


















                StackExchange.ready(
                function () {
                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f203193%2fwhat-is-the-purpose-of-using-random-ip-addresses-in-syn-flood-attack%23new-answer', 'question_page');
                }
                );

                Post as a guest















                Required, but never shown

























                3 Answers
                3






                active

                oldest

                votes








                3 Answers
                3






                active

                oldest

                votes









                active

                oldest

                votes






                active

                oldest

                votes









                31














                A client opens a TCP connection by sending a SYN packet to a server. The server replies with a single SYN+ACK, and the client responds again with an ACK. Because of natural network latency, the server may wait a short time after sending SYN+ACK to the specified source address for an ACK reply, and this behavior is what a SYN flood exploits. Because the source address was spoofed, the reply will never come. If the server is waiting on enough fake connections that will never be completed, it will become unable to open any new connections, legitimate or not. This condition is called denial of service.



                SYN flood attacks do not require the attacker receive a reply from the victim, so there is no need for the attacker to use its real source address. Spoofing the source address both improves anonymity by making it harder to track down the attacker, as well as making it more difficult for the victim to filter traffic based on IP. After all, if each packet used the same source address (whether spoofed or not), any decent firewall would quickly begin blocking all SYN packets from that address and the attack would fail.






                share|improve this answer






























                  31














                  A client opens a TCP connection by sending a SYN packet to a server. The server replies with a single SYN+ACK, and the client responds again with an ACK. Because of natural network latency, the server may wait a short time after sending SYN+ACK to the specified source address for an ACK reply, and this behavior is what a SYN flood exploits. Because the source address was spoofed, the reply will never come. If the server is waiting on enough fake connections that will never be completed, it will become unable to open any new connections, legitimate or not. This condition is called denial of service.



                  SYN flood attacks do not require the attacker receive a reply from the victim, so there is no need for the attacker to use its real source address. Spoofing the source address both improves anonymity by making it harder to track down the attacker, as well as making it more difficult for the victim to filter traffic based on IP. After all, if each packet used the same source address (whether spoofed or not), any decent firewall would quickly begin blocking all SYN packets from that address and the attack would fail.






                  share|improve this answer




























                    31












                    31








                    31







                    A client opens a TCP connection by sending a SYN packet to a server. The server replies with a single SYN+ACK, and the client responds again with an ACK. Because of natural network latency, the server may wait a short time after sending SYN+ACK to the specified source address for an ACK reply, and this behavior is what a SYN flood exploits. Because the source address was spoofed, the reply will never come. If the server is waiting on enough fake connections that will never be completed, it will become unable to open any new connections, legitimate or not. This condition is called denial of service.



                    SYN flood attacks do not require the attacker receive a reply from the victim, so there is no need for the attacker to use its real source address. Spoofing the source address both improves anonymity by making it harder to track down the attacker, as well as making it more difficult for the victim to filter traffic based on IP. After all, if each packet used the same source address (whether spoofed or not), any decent firewall would quickly begin blocking all SYN packets from that address and the attack would fail.






                    share|improve this answer















                    A client opens a TCP connection by sending a SYN packet to a server. The server replies with a single SYN+ACK, and the client responds again with an ACK. Because of natural network latency, the server may wait a short time after sending SYN+ACK to the specified source address for an ACK reply, and this behavior is what a SYN flood exploits. Because the source address was spoofed, the reply will never come. If the server is waiting on enough fake connections that will never be completed, it will become unable to open any new connections, legitimate or not. This condition is called denial of service.



                    SYN flood attacks do not require the attacker receive a reply from the victim, so there is no need for the attacker to use its real source address. Spoofing the source address both improves anonymity by making it harder to track down the attacker, as well as making it more difficult for the victim to filter traffic based on IP. After all, if each packet used the same source address (whether spoofed or not), any decent firewall would quickly begin blocking all SYN packets from that address and the attack would fail.







                    share|improve this answer














                    share|improve this answer



                    share|improve this answer








                    edited 22 hours ago

























                    answered yesterday









                    forestforest

                    35.3k17116123




                    35.3k17116123

























                        5














                        SYN flood attack detects when there is an attack with the same IP address. So you will not have a successful attack However if you have a Random IP address to attack then it will not detect anything with the same IP address so you will have a successful attack






                        share|improve this answer








                        New contributor




                        Michale Rezene is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                        Check out our Code of Conduct.

























                          5














                          SYN flood attack detects when there is an attack with the same IP address. So you will not have a successful attack However if you have a Random IP address to attack then it will not detect anything with the same IP address so you will have a successful attack






                          share|improve this answer








                          New contributor




                          Michale Rezene is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.























                            5












                            5








                            5







                            SYN flood attack detects when there is an attack with the same IP address. So you will not have a successful attack However if you have a Random IP address to attack then it will not detect anything with the same IP address so you will have a successful attack






                            share|improve this answer








                            New contributor




                            Michale Rezene is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                            Check out our Code of Conduct.










                            SYN flood attack detects when there is an attack with the same IP address. So you will not have a successful attack However if you have a Random IP address to attack then it will not detect anything with the same IP address so you will have a successful attack







                            share|improve this answer








                            New contributor




                            Michale Rezene is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                            Check out our Code of Conduct.









                            share|improve this answer



                            share|improve this answer






                            New contributor




                            Michale Rezene is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                            Check out our Code of Conduct.









                            answered 16 hours ago









                            Michale RezeneMichale Rezene

                            513




                            513




                            New contributor




                            Michale Rezene is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                            Check out our Code of Conduct.





                            New contributor





                            Michale Rezene is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                            Check out our Code of Conduct.






                            Michale Rezene is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                            Check out our Code of Conduct.























                                3














                                You double your traffic by not using your own IP. The response from the victim goes out to the IP you spoofed, who reply with a RST (subject to caveats).
                                Being unpredictable makes them harder to block.



                                They are often not random completely random though. They are often chosen to be on the attacked network. Also, as the filters are not that smart, they often get away with only sightly shuffled IPs.






                                share|improve this answer




























                                  3














                                  You double your traffic by not using your own IP. The response from the victim goes out to the IP you spoofed, who reply with a RST (subject to caveats).
                                  Being unpredictable makes them harder to block.



                                  They are often not random completely random though. They are often chosen to be on the attacked network. Also, as the filters are not that smart, they often get away with only sightly shuffled IPs.






                                  share|improve this answer


























                                    3












                                    3








                                    3







                                    You double your traffic by not using your own IP. The response from the victim goes out to the IP you spoofed, who reply with a RST (subject to caveats).
                                    Being unpredictable makes them harder to block.



                                    They are often not random completely random though. They are often chosen to be on the attacked network. Also, as the filters are not that smart, they often get away with only sightly shuffled IPs.






                                    share|improve this answer













                                    You double your traffic by not using your own IP. The response from the victim goes out to the IP you spoofed, who reply with a RST (subject to caveats).
                                    Being unpredictable makes them harder to block.



                                    They are often not random completely random though. They are often chosen to be on the attacked network. Also, as the filters are not that smart, they often get away with only sightly shuffled IPs.







                                    share|improve this answer












                                    share|improve this answer



                                    share|improve this answer










                                    answered 20 hours ago









                                    drjpizzledrjpizzle

                                    1312




                                    1312






















                                        Henok Tesfaye is a new contributor. Be nice, and check out our Code of Conduct.










                                        draft saved

                                        draft discarded


















                                        Henok Tesfaye is a new contributor. Be nice, and check out our Code of Conduct.













                                        Henok Tesfaye is a new contributor. Be nice, and check out our Code of Conduct.












                                        Henok Tesfaye is a new contributor. Be nice, and check out our Code of Conduct.
















                                        Thanks for contributing an answer to Information Security Stack Exchange!


                                        • Please be sure to answer the question. Provide details and share your research!

                                        But avoid



                                        • Asking for help, clarification, or responding to other answers.

                                        • Making statements based on opinion; back them up with references or personal experience.


                                        To learn more, see our tips on writing great answers.




                                        draft saved


                                        draft discarded














                                        StackExchange.ready(
                                        function () {
                                        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f203193%2fwhat-is-the-purpose-of-using-random-ip-addresses-in-syn-flood-attack%23new-answer', 'question_page');
                                        }
                                        );

                                        Post as a guest















                                        Required, but never shown





















































                                        Required, but never shown














                                        Required, but never shown












                                        Required, but never shown







                                        Required, but never shown

































                                        Required, but never shown














                                        Required, but never shown












                                        Required, but never shown







                                        Required, but never shown







                                        Popular posts from this blog

                                        Magento 2 controller redirect on button click in phtml file

                                        Polycentropodidae