During a network forensic investigation, an analyst examines a pcap file and finds multiple TCP SYN packets sent to a target IP on port 80, each from a different source IP address. No SYN-ACK packets are returned, but the target continues to send SYN-ACK responses for earlier packets. What attack is MOST likely occurring?
Multiple SYN packets from varied sources, no subsequent ACKs, and the target still responding indicate a SYN flood.
Why this answer
A SYN flood attack sends many SYN packets without completing the handshake, exhausting the target's connection queue. The different source IPs indicate a distributed SYN flood or IP spoofing.