But SYN floods are easily detected and deflected by all modern firewalls. If a 
handshake doesn’t complete within a certain time interval, the SYN is 
discarded. 

Many DDOS attacks are full-fledged TCP sessions. The zombies are used to 
simulate legitimate users, and because they’re coming from thousands of 
legitimate IP addresses sending what looks like completely normal traffic (e.g. 
HTTP queries) they are difficult to distinguish from real client systems. 
There are of course unicast DDOS attacks prosecuted over UDP or ICMP. The 
majority I’ve seen, however, are TCP.

In any event, I think it’s not useful to misuse the term DDoS, and that it 
refers to any attack where the source addresses are distributed across the 
Internet, making them difficult to identify and therefore block.

 -mel

> On Aug 3, 2015, at 6:00 AM, Stephen Satchell <l...@satchell.net> wrote:
> 
> On 08/03/2015 05:40 AM, Mel Beckman wrote:
>> What would be the point of spoofing the source IPs to be identical?
>> You're just making the attack trivial to block.  Plus you could never
>> do any kind of TCP session attack, since you can't complete a
>> handshake. I would have to call this sort of attack a LAAADDoS (Lame
>> Attempt At A DDoS).:)
> 
> Reflection attack as a secondary goal against the spoofed source IP? Primary 
> goal would be a SYN flood of many servers.
