Date: 2022-10-07

Protocol attacks target the network layer (layer 3) and the transport layer (layer 4) of the OSI model. They aim to overwhelm critical network resources, such as firewalls, load balancers, and web servers, with malicious connection requests.

Common protocol attacks include:

SYN flood attacks. A SYN flood attack takes advantage of the TCP handshake, the process by which two devices establish a connection with one another.

In a typical TCP handshake, one device sends a SYN packet to initiate the connection, the other responds with a SYN/ACK packet to acknowledge the request, and the original device sends back an ACK packet to finalize the connection.

In a SYN flood attack, the attacker sends the target server a large number of SYN packets with spoofed source IP addresses. The server sends its SYN/ACK response to each spoofed IP address and waits for the final ACK packet. Because the source IP addresses were spoofed, the final ACK packets never arrive. The server is tied up in a large number of unfinished connections, leaving it unavailable for legitimate TCP handshakes.

Smurf attacks. A smurf attack takes advantage of the Internet Control Message Protocol (ICMP), a communication protocol used to assess the status of a connection between two devices. In a typical ICMP exchange, one device sends an ICMP echo request to another, and the latter device responds with an ICMP echo reply.

In a smurf attack, the attacker sends an ICMP echo request from a spoofed IP address that matches the victim’s IP address. This ICMP echo request is sent to an IP broadcast network that forwards the request to every device on a given network. Every device that receives the ICMP echo request — potentially hundreds or thousands of devices — responds by sending an ICMP echo reply back to the victim’s IP address, flooding the device with more information than it can handle. Unlike many other types of DDoS attacks, smurf attacks do not necessarily require a botnet.
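
The unfinished handshakes that define the SYN flood described above can be detected by counting SYNs that are never followed by the final ACK. The following Python is an added example, not part of the original page; the packet tuples are constructed sample data, and the function names, the 128-entry threshold and the 30-second timeout are assumptions chosen for illustration.

```python
from collections import defaultdict

def build_sample():
    """Constructed packets: (time_s, src_ip, src_port, dst_ip, dst_port, flags)."""
    pkts = []
    # Five clients complete the handshake with a quiet service (SYN, then ACK).
    for i in range(5):
        pkts.append((0.50 + i, "198.51.100.7", 40000 + i, "203.0.113.20", 80, "S"))
        pkts.append((0.55 + i, "198.51.100.7", 40000 + i, "203.0.113.20", 80, "A"))
    # 200 SYNs with varying source addresses hit another service; no ACK follows.
    for i in range(200):
        src = f"192.0.2.{i % 250 + 1}"
        pkts.append((1.0 + i * 0.01, src, 1024 + i, "203.0.113.10", 443, "S"))
    return pkts

def half_open_peaks(packets, timeout=30.0):
    """Return the peak number of unfinished handshakes seen per (dst_ip, dst_port)."""
    pending = defaultdict(dict)  # service -> {(src_ip, src_port): time of SYN}
    peaks = defaultdict(int)
    for ts, src, sport, dst, dport, flags in sorted(packets):
        table = pending[(dst, dport)]
        # Drop entries the server would already have timed out (assumed timeout).
        for key in [k for k, t in table.items() if ts - t > timeout]:
            del table[key]
        if flags == "S":
            table[(src, sport)] = ts       # handshake opened, ACK still owed
        elif flags == "A":
            table.pop((src, sport), None)  # final ACK arrived, handshake done
        peaks[(dst, dport)] = max(peaks[(dst, dport)], len(table))
    return dict(peaks)

def flag_syn_floods(packets, threshold=128, timeout=30.0):
    """List services whose half-open count reached the assumed backlog threshold."""
    peaks = half_open_peaks(packets, timeout)
    return sorted(svc for svc, peak in peaks.items() if peak >= threshold)

if __name__ == "__main__":
    sample = build_sample()
    for svc, peak in sorted(half_open_peaks(sample).items()):
        print(svc, "peak half-open:", peak)
    print("flagged:", flag_syn_floods(sample))
```

The service that completes its handshakes never holds more than one pending entry, while the flooded service accumulates one entry per unanswered SYN until the threshold is crossed.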