Traditional SYN Flood
The traditional SYN flood is a low bandwidth protocol DDoS attack assigned to deplete the resources on the target. It is accomplished by not completing the normal TCP 3-way handshake. The server appends the half-open connection to its internal connection state table (SYN queue) and then returns with the SYN-ACK. The SYN-ACK continues to the fabricated origin address and is cut. It will not receive the final ACK as it happens in a healthy connection establishment. It sustains the half-open connection state data for a precise timeout. Whenever the initiation of the massive amount of half-open connections happens, the connection state table becomes full. SYN queue will not permit any further communications to the server.
Modern SYN Flood
The modern SYN flood sends the equivalent packets however is considerably offbeat from its traditional antecedent. The significant variation is the number of packets-per-second sent by the intruder. In the traditional SYN flood, it was trivial to fill the connection state table, as it defaulted to just 1024 entries in several network stacks. An intruder could adequately flood the target by sending a few thousand packets per minute. The modern SYN flood generates SYN packets in millions of packets-per-second (PPS). The load balancers, firewalls and other IDS/IPS that manage connection state will use disproportionate CPU and may flood their network state tables. The appropriate sizing for a high volume of tiny SYN packets is not usually happened.
TCP Connection Flood
TCP Connection Flood is a low-bandwidth protocol-DDoS attack that ventures to submerge connection constraints of the target device. It is precise to connection-oriented services such as those using the TCP protocol such as HTTP, HTTPS, SSH, SMTP, so on and so forth. The TCP connection flood is oversimplified, with the client performing the full TCP 3-way handshake to establish a full ESTABLISHED connection. An attacker fills up all the available connection table inputs. Consequently blocking authorised clients from connecting. Since this attack finishes the 3-way handshake, it is not generally spoofed, and the origin IP address is frequently the IP address of a system in a botnet. An indicator of compromise (IoCs) is a high abundance of connections in the ESTABLISHED state in the output of netstat (Linux and Windows).
The SlowLoris and RUDY DDoS intrusions are low bandwidth initiatives that endeavour to consume target connection resources by submitting requests that never terminate. It keeps the connection open indefinitely, slowly exhausting the ability of the target to receive new connections from legitimate clients. What differentiates the SlowLoris/RUDY attacks from an ordinary TCP connection flood is that the connection isn’t idle. The connecting client sends a request so slowly that never completes. It is one of the ways an intruder utilises to evade all the mitigations of the target that operate by closing idle connections.