Products
Edge AI
AI Training
GPU Cloud
GPU CloudBoost AI/ML training with servers powered by NVIDIA
AI Inference
Inference at the Edge
Inference at the EdgeAccelerate your ML model inference for fast global performance
AI Applications
Image Generator
Image GeneratorCreate realistic and stunning images with ease
Speech-to-Text Translator
Speech-to-Text TranslatorTranslate from English to Luxembourgish seamlessly
Edge Cloud
Compute
Basic VMs
Basic VMsManage workloads on affordable shared virtual servers
Virtual Machines
Virtual MachinesRun apps on customizable dedicated virtual servers
Bare Metal
Bare MetalDeploy apps on powerful dedicated physical servers
Containers
Managed Kubernetes
Managed KubernetesDeploy, manage, and scale Kubernetes clusters easily
Container as a Service
Container as a ServiceRun containerized apps without server provisioning
Function as a Service
Function as a ServiceExecute serverless code functions efficiently
Networking
Load Balancer
Load BalancerRoute traffic optimally to improve app performance
5G Network
5G NetworkDeploy apps and securely connect mobile devices via 5G
Virtual Private Cloud
Virtual Private CloudManage resources in a secure isolated private cloud
Hosting
Virtual Servers
Virtual ServersHost on virtual servers with no traffic restrictions
Dedicated Servers
Dedicated ServersHost on physical servers with worldwide availability
Storage
Object Storage
Object StorageStore data in fast and scalable S3-compatible storage
File Shares
File SharesShare files across servers easily using NFS protocol
Databases
Managed PostgreSQL
Managed PostgreSQLProvision fully managed PostgreSQL databases with ease
Monitoring
Managed Logging
Managed LoggingCollect, store, and analyze application logs
About Edge Cloud
Edge Network
Application Performance
CDN
CDNAccelerate dynamic and static content delivery
FastEdge
FastEdgeDeploy serverless apps with low-latency edge computing
Media Delivery
Video Streaming
Video StreamingDeliver high-quality live and on-demand video at scale
DNS
Managed DNS
Managed DNSEnsure application availability with authoritative DNS
Public DNS
Public DNSProtect online privacy with a free DNS resolver
About Edge Network
Edge Security
Network Security
DDoS Protection
DDoS ProtectionProtect your infrastructure from evolving DDoS attacks
Application Security
Web Application Security
Web Application SecuritySafeguard web resources against attacks and threats
WAAP
WAAPSecure apps and APIs from DDoS, bots and OWASP attacks
Solutions
By Industry
Gaming
CDN for Gaming
Game Server Protection
Game Development
Retail
CDN for E-commerce
Media & Entertainment
CDN for Video
Metaverse Streaming
TV & Online Broadcasters
Sport Broadcasting
Online Events
Financial Services
Cloud for Financial Services
Technology
Image Optimization
Web Acceleration
Wordpress CDN
Education
Online Education
By Need
Web Acceleration
Web Acceleration
Image Optimization
Wordpress CDN
Security
Game Server Protection
Video Streaming
CDN for Video
Video Hosting
Live Streaming
Availability
Multi-CDN
Cloud
Web Service
Game Development
Online Store
Migration to the Cloud
ERP in the Cloud
Pricing
Resources
Resources
Blog
Customer Stories
White Papers
Events
Documentation
Docs
API
Product Roadmap
Help Center
Tools
Looking Glass
Speed Test
Developer Tools
Gcore Status
Partners
Partners
Intel
Intel | New CPU Generation
Intel | Ice Lakes
Hesp
Equinix
InData Labs
Ampere
Unum
Programs
White Label Program
Referral Program
Why Gcore
Company
About Gcore
Press
Awards
Careers
Platform
Network
Infrastructure
Internet Peering Points
Compliance
Legal Information
Under attack?Under attack?
en
Contact usContact us
Contact us

Select the Gcore Platform

Recommended
Gcore Edge Solutions Go to Gcore Platform → Go to Gcore Platform →

Products:

  • Edge Delivery (CDN)
  • DNS with failover
  • Virtual Machines
  • Bare Metal
  • Cloud Load Balancers
  • Managed Kubernetes
  • AI Infrastructure
  • Edge Security (DDOS+WAF)
  • FaaS
  • Streaming
  • Object Storage
  • ImageStack (Optimize and Resize)
  • Edge Compute (Coming soon)
Show full list
Gcore Hosting Go to Gcore Hosting →
  1. Home
  2. Learning
  3. What Is TCP DDoS Protection? | How Does It Work?

What Is TCP DDoS Protection? | How Does It Work?

June 4, 2024 6 min read
What Is TCP DDoS Protection? | How Does It Work?

TCP DDoS (distributed denial-of-service) attacks pose a significant threat to network infrastructure. They exploit vulnerabilities in the TCP protocol to overwhelm servers and disrupt legitimate traffic. This article explains the mechanics of TCP DDoS attacks, their potential impact, and effective strategies for prevention and mitigation. We’ll explore different types of TCP DDoS attacks, such as SYN floods and ACK floods, and discuss how to safeguard your systems against these threats using techniques like SYN cookies, traffic filtering, and load balancing.

What Is a TCP DDoS Attack?

A TCP DDoS attack (Transmission Control Protocol distributed denial-of-service) is a type of cyberattack that targets the TCP protocol, a fundamental communication protocol used in networked systems. DDoS attacks aim to disrupt normal traffic on a network by overwhelming it with a flood of malicious traffic.

In a TCP DDoS attack, the attacker uses multiple compromised devices, often referred to as a botnet, to send a huge number of packets (small units of data) to a target network or server. The goal is to overload the network components, making them unable to handle legitimate requests from real users.

In order to sink a network service in the number of forged requests, the attacker uses a botnet of compromised devices
The principle of a DDoS attack

TCP is widely used for internet communications, including web browsing and email, but it wasn’t originally designed with robust security features. This lack of built-in security makes it vulnerable to exploitation. Hackers can send different types of TCP packets to execute their attacks. To understand this, let’s examine how TCP normally functions and what happens during a DDoS attack in the three most common TCP attack methods.

How Does a TCP DDoS Attack Work?

When a device, like your computer, wants to connect to a server, such as a website, it follows a three-step process known as the TCP handshake.

TCP uses a three-stage process
How TCP normally works

Each type of TCP DDoS attack (SYN flood, SYN-ACK flood, and ACK flood) targets a different stage of this handshake. By overwhelming the server at each stage, the attacker disrupts the handshake process, causing downtime and service disruption for legitimate users.

Let’s look at how TCP works and how different types of attacks exploit each stage.

Initiating the Connection: SYN Flood

  • Normal process: Your device sends a SYN packet to the server to request a connection.
  • SYN flood attack: The attacker sends a massive number of SYN packets to the server, pretending to request connections. The server tries to respond to each request by sending SYN-ACK packets. However, since the attacker never completes the handshake, the server is left waiting with numerous half-open connections, consuming its resources and making it unable to handle legitimate requests.

In an SYN flood attack, the attacker can use their own resources to send the requests or use TCP/IP hijacking to spoof legitimate IP addresses, making the malicious requests appear genuine. The spoofed systems do not respond to the SYN-ACK packets because they are unaware of the SYN packets sent on their behalf. Even though the server eventually drops these half-open connections, the sheer volume can exceed the server’s capacity, rendering it unresponsive to real clients.

The hacker exhausts a server’s resources by sending SYN packets and ignoring SYN-ACK messages, thus, leaving the server in waiting, wasting its resources and making it unavailable to legitimate users
How a SYN flood attack works

Acknowledging the Request: SYN-ACK Flood

  • Normal process: The server receives the SYN packet and responds with a SYN-ACK packet to acknowledge the connection request.
  • SYN-ACK flood attack: The attacker sends a large number of SYN-ACK packets to the server without any corresponding SYN requests. The server has to process these unexpected packets, which uses up its resources and disrupts its ability to function properly.

A SYN-ACK flood leverages an unusual approach by sending SYN-ACK packets to the server. Even though they are not part of a legitimate handshake, these packets must be processed, and a significant number of such packets can cause server-side disruptions.

Completing the Handshake: ACK Packets

  • Normal process: Your device responds to the server’s SYN-ACK packet with an ACK packet, completing the handshake and establishing the connection.
  • ACK flood attack: The attacker sends a flood of ACK packets to the server. These packets look like legitimate responses, so the server spends its resources processing them. This overwhelms the server, making it difficult for it to handle actual connections from real users.

An ACK flood exploits the TCP function for data delivery acknowledgment. When a client receives the requested data, it sends an ACK message to inform the server that the data was successfully received. Attackers take advantage of this by sending a large number of forged ACK packets, which look identical to legitimate ones. This overwhelms the server, as it cannot distinguish between real and fake ACK messages, leading to resource exhaustion and service disruption.

What Damage Can a TCP DDoS Attack Cause?

A successful TCP DDoS attack overwhelms the target server with fake requests, rendering the server unavailable to real users and the services relying on it. The duration of the downtime and the criticality of the affected services can result in significant financial losses and reputational damage for the business. Unprotected businesses lose an average of $6,000 per minute during a DDoS attack. The unavailability of an online banking service or a medical institution can cause real distress and disruption with serious consequences for customers.

DDoS attacks can also act as a diversion for the target company’s IT and security teams, acting as a smokescreen for other malicious activities. While the incident response team is focused on restoring the attacked server’s performance, hackers might exploit the distraction to carry out phishing attempts or other attacks on sensitive information stored on the server.

How to Prevent TCP DDoS Attacks

When an attack succeeds, it’s already too late to prevent it. Therefore, the best tactics against all kinds of DDoS attacks are defensive measures.

One option is to use a comprehensive third-party DDoS mitigation service, like Gcore DDoS Protection, and leave it to the specialists. We recommend this approach, as using a robust, proven protection service is usually the most convenient and effective strategy.

Alternatively, you can attempt to apply prevention mechanisms yourself. For TCP DDoS attacks, these include the following:

  • SYN cookies: Protect against SYN flood attacks by adding a special value to SYN-ACK packets. The server will only restore the connection if this value is returned in the client’s ACK message, preventing half-open connections from consuming resources.
  • Filtering and blocking: Identify and block traffic from irrelevant sources or patterns that seem suspicious.
  • Blocking unused ports: Reduce the potential attack surface by closing ports that aren’t in use.
  • Rate limiting: To prevent overload, set thresholds for the amount of traffic the server can handle, including the number of SYN requests.
  • Load balancing and redundancy: Distribute traffic using load balancers and have backup servers ready to handle increased traffic volumes.
  • Caching and CDNs: Use caching and content delivery networks to minimize the resources needed to handle repetitive requests.

However, following best security practices doesn’t eliminate the risk of an attack entirely, so it’s also important to monitor traffic for spikes and analyze such spikes for anomalies in order to react promptly in case of an attack. If you’re undertaking DDoS mitigation yourself, this will involve some manual processes. Third-party providers will analyze traffic on your behalf, and some—like Gcore—offer real-time visibility into traffic so you can watch DDoS attacks being stopped as they happen.

Thwart Attackers with Gcore DDoS Protection

Our global network of scrubbing centers is engineered to keep your business operational during a DDoS attack. Your customers will experience uninterrupted functionality even during a DDoS attack, no matter the type. Gcore scrubbing centers are equipped with backup copies of critical systems and network equipment, underscoring our dedication to providing continuous service and robust security.

Gcore DDoS Protection offers businesses the following benefits:

  • Robust infrastructure: With over 148 Tbps of network capacity and a global network that’s constantly learning from millions of internet properties, Gcore protects you against the largest and most sophisticated attacks.
  • Proprietary DDoS protection solution: Tailored specifically to ward off a broad spectrum of DDoS threats.
  • Detection of low-frequency attacks from the first query: Even the most subtle attacks are detected.
  • Exceptionally low false-positive rate (less than 0.01%): Maintains normal operations by accurately distinguishing between legitimate traffic and attack vectors.
  • Real-time statistics in the control panel: Offers immediate insights into traffic patterns and potential threats, allowing for swift action.
  • Server protection in your data center: Extends Gcore’s protective measures directly to your infrastructure through a Generic Routing Encapsulation (GRE) tunneling protocol, regardless of location.
  • 24/7, highly qualified technical support: Ensures that expert help is always on hand, day or night, to address any concerns or attacks.
  • Exceptional uptime rate with 99.99% SLA: A seamless and uninterrupted user experience backed up by Tier III and IV data centers.

Conclusion

DDoS attacks, including various kinds of TCP attacks, are still a real threat to online services and can cause real damage to businesses. Preparing for the attacks in advance, however, can help to mitigate their consequences or avoid losses completely.

Experience the peace of mind that comes with advanced protection with Gcore DDoS Protection for comprehensive security against DDoS attacks. With over 1 Tbps of total filtering capacity and a 99.99% SLA, your digital assets remain protected from even the most complex, sophisticated, and sustained attacks. Gcore helps to maintain the continuity of your online services, regardless of potential attackers’ motivations.

Explore Gcore DDoS Protection

Table of contents

Try Gcore DDoS Protection

Related articles

What Is WebAssembly (Wasm)?
What Is WebAssembly (Wasm)?
WebAssembly (Wasm) is transforming web development by enabling high-performance applications in web browsers. Key benefits of Wasm include near-native performance, low overhead, and high portability, making it suitable for diverse applications from gaming and machine learning to IoT and edge computing. This article will explore how Wasm works, its benefits, […]
June 25, 2024 7 min read
What Is Brotli Compression? | How Does It Work?
What Is Brotli Compression? | How Does It Work?
Data compression is essential in today’s data-driven environment since it makes data storage cheaper and data transfer quicker. In 2015, Google introduced Brotli, an open-source, lossless data compression algorithm. The Brotli algorithm offers higher compression ratios, faster speeds, and more efficient memory usage than other popular compression algorithms. Let’s take […]
June 18, 2024 3 min read
What Is Edge Artificial Intelligence? How Does Edge AI Work?
What Is Edge Artificial Intelligence? How Does Edge AI Work?
Edge artificial intelligence (edge AI) refers to the deployment of AI algorithms close to the data source or user. This approach allows data processing and inference to occur without relying on central cloud servers, resulting in faster and more efficient AI inference and lower latency for end users. Keeping data […]
June 17, 2024 5 min read
Real-World Applications of AI Inference at the Edge: Transforming Industries
Real-World Applications of AI Inference at the Edge: Transforming Industries
AI inference at the edge (IatE) runs artificial intelligence on edge points of presence, close to where data is used. This speeds up data processing for faster results for your end users. In this article, we’ll explore how inference at the edge is reshaping gaming, media and entertainment, technology, and […]
June 14, 2024 5 min read
How to Detect and Stop Bad Bots
How to Detect and Stop Bad Bots
A bot, short for “robot,” is a software program that can perform tasks automatically, quickly, and efficiently. Both good bots and bad bots exist; Googlebot facilitates web page indexing, but LizardStresser orchestrates DDoS attacks. Because good and bad bots share certain traits, distinguishing between them can be tricky unless the […]
June 11, 2024 7 min read
What Is the OSI Model? | How Does It Work?
What Is the OSI Model? | How Does It Work?
The Open Systems Interconnection (OSI) model is the foundational framework for network communication. It provides a common language across its seven layers, helping businesses develop and maintain compatible network systems. This article explains the OSI model and highlights its importance for IT professionals and businesses. What Is the OSI Model? […]
June 3, 2024 5 min read
Complete Guide to Configuring Kubernetes Cluster Auto-Healing Set Up
Complete Guide to Configuring Kubernetes Cluster Auto-Healing Set Up
Many organizations and even small startups now find maintaining healthy Kubernetes clusters important to enhance the reliability and performance of their applications. A key feature, Kubernetes Cluster Auto-Healing, actively detects and resolves issues to keep your clusters resilient and minimize downtime. So, how do you implement auto-healing? We’ll discuss this […]
May 17, 2024 6 min read
Understanding AI as a Service (AIaaS): Exploring Its Types and Applications
Understanding AI as a Service (AIaaS): Exploring Its Types and Applications
Artificial Intelligence as a Service (AIaaS) is revolutionizing how businesses access and utilize AI technologies. By offering scalable, cloud-based solutions, AIaaS eliminates the need for substantial upfront investments, making advanced AI capabilities accessible to companies of all sizes. AIaaS provides various tools to enhance operations, drive innovation, and improve decision-making, […]
May 15, 2024 9 min read

Subscribe to our newsletter

Stay informed about the latest updates, news, and insights.