SYN flood attack

  • Fabian Sinner
  • November 10, 2023

Table of content

    SYN flood attack

    A SYN flood attack is a form of Denial of Service (DoS) attack in which the attacker attempts to disable a server or network by overloading it with SYN packets. This attack uses a feature of the TCP handshake, the method by which network devices establish a connection for communication.

    What is a SYN Flood (DDoS) attack?

    To understand how a SYN flood attack works, it is important to know the normal TCP handshake process, which has three steps:

    1. SYN: The client sends a SYN (Synchronize) packet to the server to establish a connection.
    2. SYN-ACK: The server responds with a SYN-ACK packet (Synchronize-Acknowledge) to confirm that it has received the SYN packet and is ready to establish a connection.
    3. ACK: The client sends an ACK packet (Acknowledge) back to the server to confirm receipt of the SYN-ACK and the connection is established.

    In a SYN flood attack, however, the attacker sends SYN packets to the target server at high speed and in large numbers without ever completing the connection with an ACK packet. After receiving each SYN packet, the server waits for the corresponding ACK to complete the handshake. In the meantime, the server reserves resources and holds these “half-open” connections in a queue.

    As no final ACK packets are received, more and more half-open connections accumulate until the server’s resources are exhausted. Eventually, the server is no longer able to process legitimate requests because it is overloaded with the false SYN requests. As a result, legitimate users no longer have access to the server, which is the purpose of the DoS attack.

    How does a SYN Flood (DDoS) attack work?

    A SYN Flood (DDoS) attack exploits a weakness in the three-way handshake of the TCP protocol to make a server or service inaccessible. An attack typically proceeds as follows:

    • Abuse of the handshake process: In a SYN flood attack, the attacker sends masses of SYN packets to the target server, often with spoofed sender IP addresses. The server, which considers these requests legitimate, responds with SYN-ACK packets to the spoofed addresses.
    • Resource exhaustion: For each SYN request received, the server allocates resources to keep the requested connection open in anticipation of receiving the final ACK packet. This state is referred to as “half open” because the connection setup is not yet complete. However, since the ACK packets never arrive (the sender addresses are either spoofed or the requests are intentionally not completed), these half-open connections persist, and the server waits in vain for their completion.
    • Backlog overflow: Servers have a limited capacity for half-open connections. If a SYN flood attack exceeds this capacity, the server can no longer establish new, legitimate connections because its backlog of half-open connections is full. New connection requests are either delayed or completely rejected.
    • Service failure: Due to the overload of false SYN requests, the server’s resources (such as bandwidth, CPU or memory) are exhausted, which means that legitimate user requests can no longer be processed, and the service is unavailable to them.

    A SYN flood attack can be effective because it exploits the asymmetry of resource consumption between a client and a server – the attacker only has to send small SYN packets, whereas the server has to use comparatively more resources to respond to each request and maintain the connection.

    What kind of attacks are there?

    There are three basic types of SYN flood attack. In a direct attack, a single attacker sends a flood of SYN packets to the target server. This can be carried out using a powerful computer or a server with a high bandwidth connection. Since the requests in this type of attack come from a single source, the attack is relatively easy to detect and block.

    In a distributed SYN flood attack, several computers (botnet) send SYN packets to the target server at the same time. These attacks are more difficult to detect and combat. They require more advanced techniques such as IP verification and anomaly detection.

    The third possibility is a spoofed SYN flood attack. This involves spoofing the IP addresses of SYN packets so that they appear to come from different sources. This makes it difficult to trace the source of the attack and differentiate between legitimate and spoofed traffic.

    How can you defend against a SYN Flood (DDoS) attack?

    Defending against SYN Flood (DDoS) attacks can be challenging, but there are several techniques and strategies that can be used to minimize or prevent the impact of this type of attack. Below are some methods to defend against SYN Flood attacks:

    • Increasing backlog capacity: By increasing the number of possible half-open connections (backlog), a server can handle more SYN requests before it becomes overloaded.
    • Reducing the SYN received timeout: Servers can be configured to reduce the waiting time for the final ACK in a TCP connection. This speeds up the process of closing incomplete connections and reduces the chance of an attacker overloading the system.
    • SYN cookies: Instead of reserving resources for each incoming SYN request, the server sends back a cryptographic response. The connection is only fully established if a valid response is received from the client.
    • Hybrid Firewalls and Intrusion Prevention Systems (IPS): Modern firewalls and IPS can detect and filter suspicious surges of SYN requests, which can help keep the load off a target server.
    • Rate limiting: Limiting the number of SYN requests accepted from a single source can help mitigate attacks.
    • Blacklisting: The immediate blocking of IP addresses that have been identified for sending SYN requests in an unusual or suspicious pattern.
    • Anycast Network Distribution: Distribution of data traffic to several servers or data centers.
    • Direct Server Return (DSR): Configuration of load balancers so that responses are returned directly to the client without passing through the load balancer in order to save resources.
    • Cloud-based DDoS mitigation services: Using services that specialize in detecting and filtering attacks before they reach the target network.

    It is often worth combining multiple approaches to ensure the best possible defense against SYN flood attacks. It is also crucial that networks and servers are constantly monitored and updated to ensure that they are armed against the newer and more covert versions, as hackers are always updating their methods.

    A professional DDoS protection solution is the usual way to effectively protect against such attacks. AI-based systems in particular are able to quickly detect and mitigate those attacks before any damage is done to your site.

    If you have any questions about such a specialized solution, our cyber experts will be happy to assist you at any time and advise you on a tailor-made implementation without obligation.

    Contact us >>

    Link11 joins European anti-botnet initiative ACDC
    Link11 in London at the LINX117 event