A security analyst notices that an internal web server is receiving a high volume of TCP SYN packets from a single external IP address, but the server is not sending SYN-ACK replies. The server's CPU and memory usage are normal. What is the most likely cause?
- A
A firewall rule is blocking inbound SYN-ACK packets
Why wrong: The server's SYN-ACKs are outbound, so a rule on inbound SYN-ACKs could not stop it from replying. If the firewall were instead dropping the inbound SYNs, the server would never see them, yet the analyst observes them arriving.
- B
The server is under a SYN flood attack, filling the connection queue
Why right: Each unanswered SYN occupies a half-open entry in the listening socket's SYN backlog. A flood of SYNs from one source (usually from many source ports) that never completes the handshake exhausts that backlog, after which the kernel silently drops new SYNs instead of replying with SYN-ACKs, so legitimate clients cannot connect either. Half-open entries are cheap to hold, which is why CPU and memory look normal. Caveat: a host with SYN cookies enabled keeps answering SYNs statelessly once the backlog is full, so the absence of SYN-ACKs also indicates SYN cookies are off; and because the flood comes from a single address, it can be rate-limited or blocked upstream while the fix is applied.
- C
The server's TCP/IP stack has crashed
Why wrong: The stack runs inside the kernel, so a crash would take the whole host down rather than leave it up reporting normal CPU and memory, and it would affect all traffic, not just SYNs from one source.
- D
The server is experiencing a distributed denial-of-service (DDoS) attack
Why wrong: "Distributed" means many sources. Traffic from a single IP is a plain (non-distributed) DoS; the SYN flood in B names the specific mechanism.
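To make the mechanism behind answer B concrete, here is an added example (not part of the original question) that models a listening socket's SYN backlog in Python, drives it with a constructed single-source flood followed by one legitimate client, and then applies the per-source check an analyst could run over a packet capture. The backlog size of 128, the TEST-NET addresses 203.0.113.5 and 198.51.100.7, the flood size and the "cookie is always valid" shortcut are assumptions of the example; real kernels also retransmit SYN-ACKs and expire half-open entries, which the model omits. The `syn_cookies` flag shows the caveat from the explanation: with cookies on, the server keeps sending SYN-ACKs and the legitimate client still connects.

```python
"""Model of a TCP listener's half-open (SYN) backlog under a single-source SYN
flood.  Added example, not code from the original question; the backlog size,
addresses and packet trace are constructed for illustration.  Real kernels also
retransmit SYN-ACKs and expire half-open entries, which this model omits.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    flags: str  # "S" = SYN, "A" = final ACK of the three-way handshake


@dataclass
class Listener:
    backlog: int                 # maximum half-open entries (constructed value)
    syn_cookies: bool = False    # reply statelessly once the backlog is full
    half_open: set = field(default_factory=set)
    established: Counter = field(default_factory=Counter)   # completed handshakes per source IP
    synack_sent: int = 0
    syn_dropped: int = 0

    def receive(self, pkt: Packet) -> str:
        """Process one packet and return what the listener did with it."""
        key = (pkt.src_ip, pkt.src_port)
        if pkt.flags == "S":
            if len(self.half_open) < self.backlog:
                self.half_open.add(key)      # normal path: remember the SYN
                self.synack_sent += 1
                return "SYN-ACK"
            if self.syn_cookies:
                self.synack_sent += 1        # cookie path: reply, keep no state
                return "SYN-ACK(cookie)"
            self.syn_dropped += 1            # backlog full: SYN silently dropped
            return "DROP"
        if pkt.flags == "A":
            if key in self.half_open:
                self.half_open.discard(key)
                self.established[pkt.src_ip] += 1
                return "ESTABLISHED"
            if self.syn_cookies:             # cookie in the ACK is modelled as always valid
                self.established[pkt.src_ip] += 1
                return "ESTABLISHED(cookie)"
            return "RST"                     # no state for this ACK
        return "IGNORED"


def simulate(backlog=128, syn_cookies=False, flood_size=300):
    """Flood from one address, then one legitimate client; return what an
    analyst would see on the wire plus the listener's internal counters."""
    attacker, client = "203.0.113.5", "198.51.100.7"   # constructed TEST-NET addresses
    listener = Listener(backlog=backlog, syn_cookies=syn_cookies)
    syns_by_source = Counter()

    # Attacker: many SYNs from distinct source ports, never completing the handshake.
    for i in range(flood_size):
        syns_by_source[attacker] += 1
        listener.receive(Packet(attacker, 40000 + i, "S"))

    # Legitimate client: one SYN; it sends the final ACK only if a SYN-ACK came back.
    syns_by_source[client] += 1
    reply = listener.receive(Packet(client, 51000, "S"))
    client_connected = False
    if reply.startswith("SYN-ACK"):
        client_connected = listener.receive(Packet(client, 51000, "A")).startswith("ESTABLISHED")

    return {
        "syns_by_source": dict(syns_by_source),
        "established_by_source": dict(listener.established),
        "synacks_sent": listener.synack_sent,
        "syns_dropped": listener.syn_dropped,
        "half_open": len(listener.half_open),
        "client_connected": client_connected,
    }


def flood_suspects(report, threshold=100):
    """Sources with many SYNs and no completed handshakes: the pattern from the question."""
    return sorted(src for src, n in report["syns_by_source"].items()
                  if n >= threshold and report["established_by_source"].get(src, 0) == 0)


if __name__ == "__main__":
    for cookies in (False, True):
        r = simulate(syn_cookies=cookies)
        print(f"syncookies={cookies}: SYN-ACKs sent={r['synacks_sent']}, "
              f"SYNs dropped={r['syns_dropped']}, half-open={r['half_open']}, "
              f"legit client connected={r['client_connected']}, suspects={flood_suspects(r)}")
```

Run it directly to print both scenarios. Without cookies the listener answers only the first 128 SYNs and then drops everything, including the legitimate client's SYN, which is exactly the picture in the question; with cookies every SYN gets a reply and the client connects. `flood_suspects` flags the attacker in both runs, because the signal it keys on (a source that sends many SYNs and never completes a handshake) does not depend on whether the server replied.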