A TCP reset attack can disrupt legitimate network traffic, interfere with applications, and cause denial-of-service (DoS) conditions. For example, the attack can be used to interrupt online transactions, disrupt Voice over IP (VoIP) calls, stop File Transfer Protocol (FTP) transfers, or bring down a website or API.
A TCP reset flood, or RST flood, is a type of distributed denial-of-service (DDoS) attack that seeks to impair the performance of its targets by flooding them with massive numbers of Transmission Control Protocol (TCP) reset packets. The targets may be one or hundreds, and can include servers, load balancers that maintain session state (session tables), network hosts, FTP and DNS systems, and more. A reset flood DDoS attack takes advantage of weaknesses in TCP itself, or in the TCP three-way handshake. These types of TCP misuse attacks are also known as TCP out-of-state (TCP OOS) abuse.
What is a DDoS attack?
A distributed denial-of-service attack is a cyberattack directed at a network, website, server, or other network device. In a DDoS attack, malicious actors attempt to render a network or device unavailable to legitimate users and services by inundating it with malicious traffic. As the device attempts to manage or respond to massive numbers of requests, its processing, memory, and bandwidth resources become exhausted, causing it to slow down or crash. DDoS attacks are carried out with the use of a botnet: a collection of thousands or millions of computers or devices that have been infected with malware, which enables attackers to control them. By directing each device to send large amounts of traffic to a targeted machine, a botnet can generate millions of malicious requests and data packets that can easily overwhelm the target.
What is a TCP connection?
TCP enables communication between two devices, usually a browser and a web server, over a network (a TCP connection) or the internet (a TCP/IP connection), and is widely used for sending data across networks. Typically, when a client device wants to establish a connection with a server, a process known as a three-way handshake takes place: the client sends a synchronize (SYN) packet, the server replies with a synchronize-acknowledgement (SYN-ACK) packet, and the client completes the handshake with an acknowledgement (ACK) packet. The TCP RST (reset) flag is the means to reset a connection, forcing communication to stop so that a new connection must be established. Normally, when TCP communication is over, the connection is terminated gracefully: the client and server exchange FIN packets to finish the conversation and ACK packets to acknowledge and close the connection. Attackers abuse this connection process in several ways to launch DDoS attacks.
How does a reset flood DDoS attack work?
A reset flood DDoS attack exploits the use of a reset packet, or RST packet, in the TCP protocol. When a device needs to close a TCP connection unexpectedly, it sends a reset packet instructing the other computer to discard any further packets it receives on that connection. This is useful when, for example, one computer crashes during a TCP connection and wants to let the other computer know the connection is no longer working.
Reset flood DDoS attacks take advantage of this utility by inundating a target server or device with TCP reset messages. Using spoofing methods, attackers make these reset packets appear to come from another machine, causing the target system to terminate ongoing connections. The disruption in connections and the resources required to reestablish them eventually cause the target server to slow down or fail, resulting in a denial of service for legitimate users and network traffic.
What are other types of DDoS attacks on the TCP?
Additional DDoS attacks using the TCP include:
SYN floods. In a SYN flood attack, hackers send large volumes of TCP SYN packets to a single port or to every port on a targeted server, possibly using spoofed IP addresses. The server attempts to respond to each request with a SYN-ACK packet from each open port and waits to receive the final ACK packet, which never arrives. This keeps half-open connections pending, eventually filling the server’s connection session tables and denying service to legitimate requests and clients.
FIN attacks. Attackers may also inundate a server with fake FIN packets that have no connection to any current session, causing the targeted server to exhaust its resources in comparing packets with current transmissions.
XMAS attacks. This is when an attacker sends packets with the FIN, PSH, and URG flags all set. Generally, this is used for scanning, reconnaissance, or mapping during the discovery phase of an attack, but it has also been documented as a DDoS TCP OOS attack.
How can a reset flood DDoS attack be mitigated?
Security teams can take a number of steps to implement a multilayered approach to mitigating TCP reset attacks.
Firewalls and ACLs. Firewalls and access control lists may be configured to allow only legitimate traffic and to discard or rate limit suspicious or excessive RST packets. This is very resource intensive on firewalls, so security operators use it in a limited capacity because of performance and scaling issues.
Rate limiting. Rate-limiting mechanisms may restrict the number of RST packets allowed per second from a single source IP address. This can lead to blocking legitimate packets and can cause unnecessary impact on other tools.
Connection tracking. Connection tracking solutions, aka stateful devices, can monitor and track established TCP connections, making it easier to identify and drop RST packets that do not match existing connections.
Unicast reverse path filtering (strict mode). Ingress and egress filtering techniques based on the source IP can ensure that packets entering or leaving the network carry a source address that is legitimately reachable through the interface on which they arrive, preventing the use of spoofed IP addresses. This has limitations depending on the size of the connection to the internet.
Anomaly detection. Intrusion detection/prevention systems (IDS/IPS) may identify abnormal patterns of RST packet traffic, triggering alerts or automatically applying mitigation measures. Scaling these technologies to perform this action, alongside the other features they have enabled, can be challenging.
DDoS mitigation services. Network security service providers offer DDoS protection services that can analyze incoming traffic, filter out malicious RST packets, and absorb large DDoS attacks. Mitigating these types of TCP OOS attacks is best done in the cloud, where you have more capacity and distribution.
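The connection-tracking and anomaly-detection steps above can be combined into a single stateful check. The following is an added example, not code from the original page or from any vendor: it accepts an RST only when the packet's four-tuple matches a tracked connection and its sequence number is exactly the next expected one (the acceptance rule from RFC 5961), counts everything else as out-of-state, and flags sources that exceed an assumed threshold. The addresses, ports and threshold are constructed for the demo.

```python
# Added example: stateful RST validation with per-source out-of-state counting.
# Packets are constructed dicts, not captured traffic.
from collections import defaultdict

RST_THRESHOLD = 3  # assumed per-source limit for this demo


class RstFilter:
    def __init__(self, threshold=RST_THRESHOLD):
        self.conns = {}               # (src, sport, dst, dport) -> expected next seq
        self.oos = defaultdict(int)   # out-of-state RST count per source IP
        self.threshold = threshold

    def track(self, src, sport, dst, dport, next_seq):
        # Record a connection whose handshake the stateful device has seen complete.
        self.conns[(src, sport, dst, dport)] = next_seq

    def handle_rst(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        expected = self.conns.get(key)
        if expected is None:
            # No matching connection: the RST cannot be for a session we know.
            self.oos[pkt["src"]] += 1
            return "drop-no-state"
        if pkt["seq"] != expected:
            # Known tuple but wrong sequence number: RFC 5961 says do not reset
            # (the host would answer with a challenge ACK instead).
            self.oos[pkt["src"]] += 1
            return "drop-bad-seq"
        del self.conns[key]           # a legitimate reset tears the connection down
        return "accept"

    def flagged_sources(self):
        return sorted(s for s, n in self.oos.items() if n >= self.threshold)


def run_demo():
    f = RstFilter()
    f.track("10.0.0.5", 40000, "192.0.2.10", 443, next_seq=1000)
    f.track("10.0.0.6", 40001, "192.0.2.10", 443, next_seq=5000)
    # Constructed packets: one valid RST, then a burst claiming to be 10.0.0.6.
    packets = [
        {"src": "10.0.0.5", "sport": 40000, "dst": "192.0.2.10", "dport": 443, "seq": 1000},
        {"src": "10.0.0.6", "sport": 40001, "dst": "192.0.2.10", "dport": 443, "seq": 1},
        {"src": "10.0.0.6", "sport": 40002, "dst": "192.0.2.10", "dport": 443, "seq": 7},
        {"src": "10.0.0.6", "sport": 40003, "dst": "192.0.2.10", "dport": 443, "seq": 9},
    ]
    verdicts = [f.handle_rst(p) for p in packets]
    return verdicts, f.flagged_sources(), len(f.conns)
```

Only the first packet is accepted; the other three are counted against 10.0.0.6, which crosses the threshold and is reported by flagged_sources().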
Stop TCP RST DDoS attacks with Akamai
Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. Akamai Connected Cloud, a massively distributed edge and cloud platform, puts apps and experiences closer to users and keeps threats farther away.
Our end-to-end DDoS and DoS protection solutions provide an all-encompassing approach that serves as the first line of defense. With dedicated edge, distributed DNS, and network cloud mitigation strategies, our anti-DDoS technologies prevent collateral damage and single points of failure to provide our customers with increased resiliency, dedicated scrubbing capacity, and higher quality of mitigation.
App & API Protector provides a comprehensive set of powerful protections with customer-focused automation. While this solution offers some of the most advanced application security automation available today, it remains simple to use. A new adaptive security engine and industry-leading core technologies enable DDoS protection, API security, bot mitigation, and a web application firewall in an easy-to-use solution.
Prolexic stops DDoS attacks with the fastest and most effective defense at scale. Offering a zero-second SLA for DDoS defense, Prolexic proactively reduces attack surfaces and customizes mitigation controls to network traffic to block attacks instantly. Akamai’s fully managed SOCC complements your existing cybersecurity programs and will help augment your time to resolution with industry-proven experience.
Edge DNS prevents DNS outages with the largest edge platform, enabling organizations to count on guaranteed, nonstop DNS availability. A cloud-based solution, Edge DNS ensures 24/7 DNS availability while improving responsiveness and defending against the largest DDoS attacks.
Frequently Asked Questions (FAQ)
A TCP reset attack is a technique used by hackers to disrupt an ongoing connection between two devices in a network. The attack involves sending a forged TCP reset packet to one of the computers, which tricks it into terminating the connection.
Commonly in a TCP reset attack, the attacker spoofs the source IP address and sends a reset packet to one of the endpoints. The endpoint responds by closing the connection, which can cause the other endpoint to drop packets, resend requests, or even crash.
To protect your network from TCP reset attacks, you can use firewalls, intrusion detection and prevention systems, and cloud DDoS mitigation solutions. You can also monitor network traffic for suspicious activity and disable unnecessary services and ports.