A SYN flood attack is a denial-of-service (DoS) attack that renders a server unavailable to legitimate traffic by using up all of its resources. Also known as a “half-open attack,” it works by having threat actors repeatedly send initial connection requests (SYN packets) to overwhelm all the available ports on the target server, exhausting its backlog of half-open connections and causing it to respond to legitimate traffic slowly or not at all.
You can compare it to an intersection where only one of the crisscrossing streets lets vehicles through, while the other street fills up with vehicles waiting to cross to the other side.
A SYN flood attack exploits the handshake process of a Transmission Control Protocol (TCP) connection. The three-step handshake (SYN, SYN-ACK, ACK) establishes a TCP connection between a system and the target server, allowing the device user to communicate with the server.
How Does a SYN Flood Attack Work?
A SYN flood attack requires threat actors to perform these steps:
- The attackers send a high volume of SYN packets to the target server, often using spoofed IP addresses.
- The server responds to each connection request with a SYN-ACK, leaving a port open to receive the final response.
- As the server waits for the final acknowledgement (ACK) packet that never arrives, the threat actors continue to send more SYN packets. Each newly arriving SYN packet makes the server hold another half-open connection for a set length of time. Once all the available ports have been used up, the server can’t function normally.
Here’s a diagram to demonstrate the SYN flood attack process.
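To make the mechanics above concrete, here is an added Python model (not code from the original article) of a listening socket whose backlog holds one entry per half-open connection. The backlog size, the SYN timeout and the traffic mix are constructed for illustration: spoofed SYNs that are never acknowledged arrive every 100 ms, while a legitimate client connects once a second and ACKs one RTT later. Running it with a small backlog shows legitimate SYNs being refused as soon as the spoofed entries fill the queue, and entries only leaving when the timeout reclaims them; running it with a larger backlog shows the same load being absorbed, which is the trade-off the defence section below discusses.

```python
"""Discrete-event model of a TCP listen backlog under a SYN flood.

Added example, not code from the original article. The backlog size,
timeout and traffic mix are constructed for illustration; real kernels add
SYN-ACK retransmission, separate accept queues and other details.
Times are integer milliseconds so the arithmetic is exact.
"""
from collections import OrderedDict


class ListenSocket:
    """A listening socket that keeps one backlog entry per half-open connection."""

    def __init__(self, backlog_size, syn_timeout_ms):
        self.backlog_size = backlog_size
        self.syn_timeout_ms = syn_timeout_ms
        self.pending = OrderedDict()   # src -> ms at which its SYN arrived
        self.completed = []            # sources whose three-way handshake finished
        self.dropped_legit = []        # legitimate SYNs refused because the backlog was full
        self.expired = 0               # half-open entries reclaimed by timeout

    def _expire(self, now):
        # Reclaim entries whose SYN-ACK was never acknowledged in time. This is
        # the only way a flood's spoofed entries ever leave the backlog.
        for src, created in list(self.pending.items()):
            if now - created >= self.syn_timeout_ms:
                del self.pending[src]
                self.expired += 1

    def on_syn(self, now, src, legit):
        self._expire(now)
        if len(self.pending) >= self.backlog_size:
            if legit:
                self.dropped_legit.append(src)
            return False               # SYN dropped: the client never sees a SYN-ACK
        self.pending[src] = now        # SYN-ACK sent, state held until ACK or timeout
        return True

    def on_ack(self, now, src):
        self._expire(now)
        if src not in self.pending:
            return False               # entry already timed out or never existed
        del self.pending[src]
        self.completed.append(src)
        return True


def build_trace(attack_syns, attack_interval_ms, legit_clients, legit_interval_ms, rtt_ms):
    """Constructed traffic: spoofed SYNs that are never followed by an ACK,
    interleaved with legitimate clients that ACK one RTT after their SYN."""
    events = []
    for i in range(attack_syns):
        events.append((i * attack_interval_ms, "SYN", f"spoofed-{i}", False))
    for j in range(legit_clients):
        t = legit_interval_ms // 4 + j * legit_interval_ms
        events.append((t, "SYN", f"client-{j}", True))
        events.append((t + rtt_ms, "ACK", f"client-{j}", True))
    return sorted(events, key=lambda e: e[0])


def simulate(backlog_size, syn_timeout_ms=3000, attack_syns=50, attack_interval_ms=100,
             legit_clients=5, legit_interval_ms=1000, rtt_ms=40):
    """Replay the constructed trace against a socket and summarise the outcome."""
    sock = ListenSocket(backlog_size, syn_timeout_ms)
    for now, kind, src, legit in build_trace(attack_syns, attack_interval_ms,
                                             legit_clients, legit_interval_ms, rtt_ms):
        if kind == "SYN":
            sock.on_syn(now, src, legit)
        else:
            sock.on_ack(now, src)
    return {
        "completed": len(sock.completed),
        "dropped_legit": len(sock.dropped_legit),
        "expired": sock.expired,
        "still_half_open": len(sock.pending),
    }


if __name__ == "__main__":
    for size in (8, 64):
        print(f"backlog={size}: {simulate(size)}")
```

With a backlog of 8 only the first legitimate client (which arrives before the queue fills) completes; the other four are refused even though the attacker sends just ten SYNs per second, because nothing frees an entry until the 3 s timeout. With a backlog of 64 all five clients complete, at the cost of holding dozens of spoofed entries in memory.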
What Are the Kinds of SYN Flood Attacks?
SYN flood attacks can occur in three ways, namely:
- Direct attack: This SYN flood attack doesn’t require IP address spoofing. Threat actors don’t mask their IP addresses, which makes them easy to identify and block. To overwhelm the target server, the attackers prevent their own systems from responding to the server’s SYN-ACK packets, typically via firewall rules that block all outgoing packets except SYNs or that filter out incoming SYN-ACK packets before they reach their machines. This method is rarely used since mitigation is straightforward—the victim just blocks the attackers’ IP addresses.
- Spoofed attack: Threat actors spoof the IP addresses on SYN packets sent to inhibit mitigation and mask their identities. Note, though, that while they use spoofed packets, these can still be traced back to their source. That’s hard to do but not impossible, especially if Internet service providers (ISPs) are willing to help.
- Distributed DoS (DDoS) attack: This SYN flood attack uses a botnet, making it much harder to trace. For even better obfuscation, attackers also spoof the senders’ IP addresses. This is the kind of SYN flood attack depicted in the diagram above.
How Can Users Defend against SYN Flood Attacks?
While SYN flood attackers can be hard to identify and consequently catch, SYN flood attacks can be mitigated in the following ways:
- Increase the backlog queue: Every operating system (OS) allows only a limited number of half-open connections. To defend against SYN flood attacks, potential victims can raise the maximum number of half-open connections the OS will hold. To do that, the system must reserve additional memory to track all the new requests. It may run slower if it doesn’t have enough memory for the larger backlog, but that’s still better than suffering a DoS.
- Recycle the oldest half-open TCP connection: Another strategy is to overwrite the oldest half-open connection once the backlog is full. This works only if legitimate connections can complete their handshake faster than the attacker can fill the backlog with malicious SYN packets. Note, though, that this defence fails once the attack volume grows or if the backlog size is too small to be practical.
- Use SYN cookies: With SYN cookies, the server encodes the connection state it needs into the sequence number of its SYN-ACK packet, so it can respond to every connection request and drop the SYN from the backlog, freeing memory and leaving the port open for new connections; the entry is recreated only when a valid ACK comes back. Because not all TCP options fit in the cookie, some information about the connection can be lost, but that’s better than allowing a DoS to occur.
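The SYN cookie defence is the least intuitive of the three, so here is an added Python model (not code from the original article) of a listener that keeps no backlog at all: it mints an initial sequence number from a secret, a coarse time counter, the connection’s 4-tuple and a rounded MSS, and reconstructs the connection only when an ACK carrying that number comes back. The bit layout (5-bit counter, 3-bit MSS index, 24-bit HMAC) and the secret, addresses and clock are assumptions made for illustration; real TCP stacks differ in their exact layout and in which options they can recover.

```python
"""Stateless SYN cookie minting and validation.

Added example, not code from the original article. The cookie layout,
secret, MSS table and clock values are constructed for illustration.
The server answers every SYN but allocates nothing until a valid ACK arrives.
"""
import hashlib
import hmac
import socket
import struct
from typing import Optional, Tuple

FourTuple = Tuple[str, int, str, int]    # (src_ip, src_port, dst_ip, dst_port)


class SynCookieListener:
    MSS_TABLE = (536, 1220, 1440, 1460)  # client MSS rounds down to one of these (3-bit index)
    COUNTER_PERIOD_S = 64                # the counter baked into the cookie ticks every 64 s
    MAX_COUNTER_AGE = 1                  # accept cookies minted in this or the previous tick

    def __init__(self, secret: bytes):
        self.secret = secret             # hypothetical per-server secret; rotate it regularly

    def _counter(self, now_s: int) -> int:
        return now_s // self.COUNTER_PERIOD_S

    def _mac24(self, counter: int, mss_idx: int, ft: FourTuple) -> int:
        # Bind the cookie to the time window, the chosen MSS and the exact 4-tuple,
        # so an ACK from a different source or a stale window cannot validate.
        src_ip, src_port, dst_ip, dst_port = ft
        msg = struct.pack("!QB4sH4sH", counter, mss_idx,
                          socket.inet_aton(src_ip), src_port,
                          socket.inet_aton(dst_ip), dst_port)
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")

    def on_syn(self, ft: FourTuple, client_mss: int, now_s: int) -> int:
        """Return the ISN for the SYN-ACK. No backlog entry is created."""
        mss_idx = 0
        for i, mss in enumerate(self.MSS_TABLE):
            if mss <= client_mss:
                mss_idx = i
        counter = self._counter(now_s)
        return ((counter & 0x1F) << 27) | (mss_idx << 24) | self._mac24(counter, mss_idx, ft)

    def on_ack(self, ft: FourTuple, ack_number: int, now_s: int) -> Optional[int]:
        """Rebuild connection state from the ACK alone; return the MSS or None if invalid."""
        cookie = (ack_number - 1) & 0xFFFFFFFF   # the client acknowledges our ISN + 1
        counter5 = cookie >> 27
        mss_idx = (cookie >> 24) & 0x7
        mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
        current = self._counter(now_s)
        for age in range(self.MAX_COUNTER_AGE + 1):
            cand = current - age
            if cand < 0 or (cand & 0x1F) != counter5:
                continue
            expected = self._mac24(cand, mss_idx, ft).to_bytes(3, "big")
            if hmac.compare_digest(expected, mac):
                return self.MSS_TABLE[mss_idx]
        return None                              # forged, tampered or expired cookie


if __name__ == "__main__":
    srv = SynCookieListener(b"constructed-secret")
    ft = ("203.0.113.7", 51515, "198.51.100.10", 443)
    isn = srv.on_syn(ft, 1460, now_s=1000)
    print("fresh ACK  ->", srv.on_ack(ft, (isn + 1) & 0xFFFFFFFF, now_s=1000))
    print("stale ACK  ->", srv.on_ack(ft, (isn + 1) & 0xFFFFFFFF, now_s=1200))
```

The point to notice is that a flood of spoofed SYNs costs the server one HMAC per SYN and no memory, while a legitimate client’s ACK still yields a usable connection. The costs the text mentions are visible too: the MSS is rounded to a four-entry table, and an ACK that arrives after the counter window closes is refused even though the client was genuine.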
The threat actors behind a SYN flood attack may be hard to pinpoint, but they aren’t unstoppable.
Key Takeaways
- A SYN flood attack is a DoS attack that renders a server unavailable to legitimate traffic by using up all of its resources.
- There are three kinds of SYN flood attacks, namely, direct, spoofed, and DDoS attacks.
- Users can mitigate SYN flood attacks by increasing a server’s backlog queue capacity, configuring the server to recycle the oldest half-open TCP connection, and using SYN cookies.