TCP/IP Transport Layer Attack Vector #4


Transcript

Let's discuss the TCP/IP transport layer attack known as the TCP connection flood, also known as an empty connection flood. This attack has an interesting concept. This is our famous picture. Here, the attacker exploits the fact that you can open up many connections and just stay idle afterwards. What I mean by that: suppose that we have just one attacker, which is performing a DoS attack in this scenario, not DDoS, and it just repeats this cycle, this three-way handshake, multiple times. Each time, the destination server keeps the connection alive after establishing the three-way handshake, and after that, it just waits for the data from the attacker.

However, this user, in our case the attacker, doesn't send any data. He just sends multiple requests like that, keeping all of them open. So every time a single three-way handshake is established, it occupies some CPU and memory resources on the destination server. And when you repeat it multiple times, you just multiply these occupied resources. And this is exactly what the attacker exploits here.

Of course, this can be carried out in such a DoS fashion, as well as in a DDoS fashion. In other words, multiple attackers can simultaneously perform the same exploitation of the destination's resources, which might lead to a denial of service much quicker. And when it comes to detection, first, you need to basically filter for TCP traffic. And then in Wireshark, from Statistics, you need to check Conversations. If you see there, for example, that one single IP establishes many TCP connections and afterwards doesn't send data over them, that's quite likely an attack, an empty connection attack.

And the mitigation is rate controls. We haven't discussed rate controls quite yet. But as you can imagine, it roughly means checking the number of established connections per client. Although you can do it in multiple ways, not just per client. In other words, you can check the rate controls and limit the traffic per, for example, source.

Or you can do it per destination, meaning your server's IP and port, or you can do it in a combinational way. You can do it per source and destination. Here, it depends on your needs and your network's capabilities. Another way is basically simply blacklisting the IPs. But it's not always useful since, for example, if one of the IPs that you blocked turns out to be a public IP, let's say, it will mean that you just blocked all the users behind that IP. So typically, nobody would like to have that. Still, in some scenarios, this is an efficient method, especially when the attacker has its own dedicated IP.

I mean, when it's not a public IP, and when you are able to determine the top talkers. By top talkers, I mean the source IPs which generate the most traffic during the attack. We are going to have another separate lecture for rate controls, so I will explain it in more detail. But I just wanted to give you a heads-up in this section as well, because basically, this is like the number one way to mitigate such attacks.
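The detection and rate-control ideas from the lecture, as an added example that is not part of the course material: it works over a constructed table of TCP conversations (the kind of rows you read off Wireshark's Statistics > Conversations tab after a `tcp` filter), flags sources holding many established-but-silent connections, and counts established connections per source, per destination (server IP:port) or per source/destination pair against a limit. The IP addresses, port and thresholds are constructed sample values.

```python
from collections import Counter

# Constructed sample data (not from the lecture): one tuple per TCP conversation.
# (client IP, server IP, server port, three-way handshake completed, client payload bytes)
CONVERSATIONS = [
    ("203.0.113.7", "198.51.100.10", 443, True, 0),    # attacker: handshake, then silence
    ("203.0.113.7", "198.51.100.10", 443, True, 0),
    ("203.0.113.7", "198.51.100.10", 443, True, 0),
    ("203.0.113.7", "198.51.100.10", 443, True, 0),
    ("203.0.113.7", "198.51.100.10", 443, True, 0),
    ("192.0.2.20", "198.51.100.10", 443, True, 512),   # normal clients send data
    ("192.0.2.20", "198.51.100.10", 443, True, 300),
    ("192.0.2.21", "198.51.100.10", 443, True, 0),     # one idle connection is not suspicious
    ("192.0.2.22", "198.51.100.10", 443, False, 0),    # half-open (SYN only), not an empty connection
]


def idle_connections_by_source(convs, min_connections=3):
    """Detection: sources holding at least min_connections fully established
    connections that never carried client data (the empty-connection pattern)."""
    idle = Counter(src for src, _, _, established, payload in convs
                   if established and payload == 0)
    return {src: n for src, n in idle.items() if n >= min_connections}


def over_rate_limit(convs, key, limit):
    """Mitigation check: count established connections per 'source',
    'destination' (server IP:port) or 'pair', and return the keys above limit."""
    def key_of(src, dst, port):
        if key == "source":
            return src
        if key == "destination":
            return f"{dst}:{port}"
        if key == "pair":
            return f"{src}->{dst}:{port}"
        raise ValueError(f"unknown rate-control key {key!r}")

    counts = Counter(key_of(src, dst, port)
                     for src, dst, port, established, _ in convs if established)
    return {k: n for k, n in counts.items() if n > limit}


if __name__ == "__main__":
    print("idle sources:", idle_connections_by_source(CONVERSATIONS))
    for key in ("source", "destination", "pair"):
        print(f"over limit per {key}:", over_rate_limit(CONVERSATIONS, key, 4))
```

Per-destination counting trips on legitimate load too (every client's connections add up), which is why the lecture suggests combining keys to fit your needs.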
