TCP's design prioritizes reliable delivery over security. The three-way handshake forces the server to hold per-connection state for every half-open connection, and that state can be exhausted; and when initial sequence numbers are predictable, an attacker can forge packets that hijack an established session.
In a SYN flood, the attacker sends thousands of SYN packets but never completes the handshake with an ACK. The server keeps half-open connections in memory until resources are depleted, causing a Denial of Service.
💡 Pro-tip: SYN cookies mitigate this by encoding the connection state into the initial sequence number, eliminating the need for the server to allocate memory until the handshake is fully verified.
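To make the pro-tip concrete, here is an added Python illustration (not code from the original page, and a simplified scheme rather than any particular kernel's exact cookie layout) of the stateless principle: the server's ISN packs a coarse time slot, an encoded MSS and a keyed MAC over the 4-tuple, so nothing is allocated until the returning ACK proves the cookie is genuine and fresh. The secret key, MSS table and addresses are constructed for the demo.

```python
import hashlib
import hmac
import socket
import struct
import time

SECRET = b"demo-secret-rotate-me"  # constructed key; a real stack rotates this regularly
MSS_TABLE = (536, 1024, 1220, 1440, 1460)  # MSS values the 3-bit field can encode

def _time_slot(now: float) -> int:
    # 64-second slots, 5 bits; a cookie is honoured only for the current and previous slot.
    return int(now // 64) & 0x1F

def _mac24(saddr: str, sport: int, daddr: str, dport: int, slot: int) -> int:
    # Keyed MAC over the 4-tuple and slot, truncated to the 24 bits left in the ISN.
    msg = socket.inet_aton(saddr) + socket.inet_aton(daddr) + struct.pack("!HHB", sport, dport, slot)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_syn_cookie(saddr, sport, daddr, dport, client_mss, now=None):
    """Answer a SYN: return the server ISN without allocating any per-connection state."""
    now = time.time() if now is None else now
    slot = _time_slot(now)
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):  # round the client's MSS down to an encodable value
        if mss <= client_mss:
            mss_idx = i
    return (slot << 27) | (mss_idx << 24) | _mac24(saddr, sport, daddr, dport, slot)

def check_syn_cookie(saddr, sport, daddr, dport, ack_number, now=None):
    """On the final ACK: return the negotiated MSS if ack-1 is a fresh, genuine cookie, else None."""
    now = time.time() if now is None else now
    cookie = (ack_number - 1) & 0xFFFFFFFF
    slot, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    current = _time_slot(now)
    if slot not in (current, (current - 1) & 0x1F):  # stale, or never issued by us
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac24(saddr, sport, daddr, dport, slot).to_bytes(3, "big")
    if not hmac.compare_digest(expected, mac.to_bytes(3, "big")):  # forged or wrong 4-tuple
        return None
    return MSS_TABLE[mss_idx]

if __name__ == "__main__":
    t0 = 1_700_000_000.0  # constructed timestamp
    isn = make_syn_cookie("203.0.113.7", 40000, "198.51.100.1", 443, 1460, now=t0)
    print(check_syn_cookie("203.0.113.7", 40000, "198.51.100.1", 443, isn + 1, now=t0 + 10))   # 1460
    print(check_syn_cookie("203.0.113.7", 40000, "198.51.100.1", 443, isn + 1, now=t0 + 300))  # None (stale)
    print(check_syn_cookie("203.0.113.7", 40001, "198.51.100.1", 443, isn + 1, now=t0))        # None (other port)
```

Because the cookie is only verifiable with the server's key, a flood of SYNs costs the server a hash per packet rather than a table entry, and a spoofed ACK that does not carry a valid cookie is simply dropped.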
While Nmap uses a SYN scan for stealthy reconnaissance, attackers scale this exact mechanism using tools like hping3 to overwhelm the target's TCP stack.
If an attacker can predict the TCP sequence numbers used by a server, they can forge packets that the server will accept as part of a legitimate, authenticated stream, effectively taking over the session.
⚠️ Never rely solely on IP-based authentication for internal services. TCP session hijacking bypasses IP checks entirely by injecting packets into an existing trusted stream.
| Attack | Mechanism | Mitigation |
|---|---|---|
| SYN Flood | Half-open connections | SYN Cookies / Rate Limiting |
| Hijacking | Sequence number prediction | Cryptographically random ISNs / TLS |
| RST Attack | Forged Reset | TCP Authentication Option |