Now let's talk a little bit about ACK floods. In fact, in the way it's implemented, it is not that different from a SYN flood. The difference is it uses another flag in the TCP header, which, as you can see, is the ACK flag. And the methodology is quite similar to SYN floods. Here, instead of first sending SYN packets, the attacker just constantly sends ACK packets, and obviously all those ACK packets are out of band. Now, what they mean by out of band here: as you can see, this ACK packet, for instance, is in band, because it is part of a proper three-way handshake, meaning first a SYN is sent, then a SYN-ACK is received, and then the ACK gets sent.
And this procedure is tracked by what are called the sequence numbers and acknowledgement numbers in the TCP header. If you don't know what a sequence number is, or what an acknowledgement number is, I encourage you to go back and review your knowledge of TCP. Here, in the case of an ACK flood, neither of those numbers is followed in order. Basically, the attacker keeps sending ACKs with some random acknowledgement number and sequence number. And when it comes to detection, this is more or less what you would see in Wireshark. As you can see, you will encounter multiple entries for the same TCP packets.
And when you investigate the packets, you will find out that, as per the flags, only the ACK is set. Meanwhile, I would like to also mention that this attack methodology can be implemented with SYN-ACK packets as well. In other words, in this example, in the screenshot, you see only an ACK flood, but the same attack could be performed with a SYN-ACK flood as well; in that case the only difference would be that, under the flags, SYN would also be set. And when it comes to the proper filters, the most straightforward one is basically setting ACK equals one. Although this would include all the packets with ACK set. In other words, it would include, for example, FIN-ACK or SYN-ACK as well.
Another thing you could try, although the efficiency is not always guaranteed, is using this filter, meaning tcp.analysis.duplicate_ack; that will work if the attacker is using exactly the same ACK packets, basically. However, if the attacker is clever enough to send different ACK packets with different sequence numbers and different IDs, then this filter will not work. Now, as per the mitigation, it's hard to actually apply challenges, because these packets are out of band anyway. So you cannot challenge a packet knowing that, you know, it is illegitimate traffic anyway. Instead, what you need to do is, on the firewall, check for out-of-state ACK and SYN-ACK packets. And actually, although it's not stated here, you can also include FIN-ACK and other packets which include the ACK flag.
Basically, what you need to do is ensure that at your firewall, you configure it in such a way that all the ACK packets which are out of band are blocked before reaching the server. In the following lectures, I will also talk about combinations of the flags that we discussed. In fact, it's not only limited to ACK; as you can imagine, there are so many flags in TCP, and attackers can, and usually do, exploit all of them as well as their combinations. In the following lectures, I will be talking about these combinations and basically how to mitigate them.
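The out-of-state check the lecture describes for the firewall, written out as an added example (it is not code from the lecture or any firewall product). It keeps a small handshake table keyed on the 4-tuple, accepts only the SYN-ACK and ACK segments whose acknowledgement numbers continue a tracked handshake, counts every other ACK-carrying segment (ACK, SYN-ACK, FIN-ACK) as out of state per source, and reports sources that cross a threshold. The packet tuple layout, the state names and the sample packets are all constructed for this example.

```python
"""Stateful out-of-state ACK detection (added example, not from the lecture).

Mirrors what a stateful firewall does: an ACK that does not belong to a tracked
handshake is "out of band" and can be dropped before it reaches the server.
"""
from collections import defaultdict

# TCP flag bits as they appear in the header's flags field
FLAG_FIN = 0x01
FLAG_SYN = 0x02
FLAG_ACK = 0x10


class ConnectionTracker:
    """Minimal handshake tracker keyed by (client ip, client port, server ip, server port)."""

    def __init__(self):
        self.states = {}                       # 4-tuple -> (state, expected ack number)
        self.out_of_state = defaultdict(int)   # source ip -> out-of-state ACK count

    def process(self, pkt):
        # Constructed packet layout: (src, sport, dst, dport, flags, seq, ack)
        src, sport, dst, dport, flags, seq, ack = pkt
        fwd = (src, sport, dst, dport)   # key if this packet comes from the handshake initiator
        rev = (dst, dport, src, sport)   # key if this packet comes from the responder

        if flags & FLAG_SYN and not flags & FLAG_ACK:
            # New handshake: the peer's SYN-ACK must acknowledge our ISN + 1
            self.states[fwd] = ("SYN_SENT", seq + 1)
            return "in_state"

        if not flags & FLAG_ACK:
            return "ignored"   # pure RST/FIN without ACK is not the subject here

        if flags & FLAG_SYN:
            # SYN-ACK: valid only as the answer to a tracked SYN
            st = self.states.get(rev)
            if st and st[0] == "SYN_SENT" and ack == st[1]:
                self.states[rev] = ("SYN_RECV", seq + 1)
                return "in_state"
        else:
            # Plain ACK: valid as the third handshake step or on an established flow
            st = self.states.get(fwd)
            if st and st[0] == "SYN_RECV" and ack == st[1]:
                self.states[fwd] = ("ESTABLISHED", None)
                return "in_state"
            if (st and st[0] == "ESTABLISHED") or \
               (rev in self.states and self.states[rev][0] == "ESTABLISHED"):
                return "in_state"

        # Any other ACK-bearing segment (ACK, SYN-ACK, FIN-ACK) belongs to no handshake
        self.out_of_state[src] += 1
        return "out_of_state"


def flood_sources(tracker, threshold):
    """Sources whose out-of-state ACK count reached the threshold."""
    return sorted(s for s, n in tracker.out_of_state.items() if n >= threshold)


def analyze(packets, threshold=3):
    tracker = ConnectionTracker()
    verdicts = [tracker.process(p) for p in packets]
    return verdicts, flood_sources(tracker, threshold)


# Constructed sample: one legitimate handshake, then ACKs with random seq/ack numbers
SAMPLE = [
    ("10.0.0.5", 40001, "10.0.0.1", 80, FLAG_SYN, 1000, 0),
    ("10.0.0.1", 80, "10.0.0.5", 40001, FLAG_SYN | FLAG_ACK, 5000, 1001),
    ("10.0.0.5", 40001, "10.0.0.1", 80, FLAG_ACK, 1001, 5001),
    ("10.0.0.5", 40001, "10.0.0.1", 80, FLAG_ACK, 1001, 5001),   # later in-state ACK
    ("203.0.113.7", 51234, "10.0.0.1", 80, FLAG_ACK, 918273, 7123),
    ("203.0.113.7", 51235, "10.0.0.1", 80, FLAG_ACK, 4711, 99),
    ("203.0.113.7", 51236, "10.0.0.1", 80, FLAG_SYN | FLAG_ACK, 3, 42),
    ("203.0.113.7", 51237, "10.0.0.1", 80, FLAG_FIN | FLAG_ACK, 8, 9),
]

if __name__ == "__main__":
    verdicts, suspects = analyze(SAMPLE)
    for p, v in zip(SAMPLE, verdicts):
        print(f"{p[0]}:{p[1]} -> {p[2]}:{p[3]} flags=0x{p[4]:02x} {v}")
    print("sources over threshold:", suspects)
```

The point of keying on the 4-tuple plus the expected acknowledgement number is that an ACK with a random acknowledgement number fails the check even if it happens to hit a port with a live handshake, which is exactly what a duplicate-ACK display filter cannot catch when every flood packet differs.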