SYN flood
![](http://upload.wikimedia.org/wikipedia/commons/thumb/9/9a/Tcp_normal.svg/220px-Tcp_normal.svg.png)
![](http://upload.wikimedia.org/wikipedia/commons/thumb/9/94/Tcp_synflood.png/220px-Tcp_synflood.png)
A SYN flood is a form of denial-of-service attack on data communications in which an attacker rapidly initiates a connection to a server without finalizing the connection. The server has to spend resources waiting for half-opened connections, which can consume enough resources to make the system unresponsive to legitimate traffic.[1][2]
The
Technical details
When a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which normally runs like this:
- The client requests a connection by sending a SYN (synchronize) message to the server.
- The server acknowledges this request by sending SYN-ACK back to the client.
- The client responds with an ACK, and the connection is established.
This is called the TCP three-way handshake, and is the foundation for every connection established using the TCP protocol.
A SYN flood attack works by not responding to the server with the expected ACK code. The malicious client can either simply not send the expected ACK, or by spoofing the source IP address in the SYN, cause the server to send the SYN-ACK to a falsified IP address – which will not send an ACK because it "knows" that it never sent a SYN.
The server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK. However, in an attack, the
Countermeasures
There are a number of well-known countermeasures listed in RFC 4987 including:
- Filtering
- Increasing backlog
- Reducing SYN-RECEIVED timer
- Recycling the oldest half-open TCP
- SYN cache
- SYN cookies
- Hybrid approaches
- Firewalls and proxies
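The following is an added example (not from the article or RFC 4987) that models the handshake above as an in-memory simulation: a server with a fixed SYN-RECEIVED backlog is hit by SYNs from constructed, spoofed RFC 5737 addresses that never ACK, and a legitimate client then tries to connect, once with a stateful backlog and once with the "SYN cookies" countermeasure. The cookie layout is a simplification of the classic scheme (an 8-bit counter plus a 24-bit keyed hash, no MSS index), and the secret, addresses and ports are assumed values.

```python
import hashlib, hmac, random

SECRET = b"constructed-demo-secret"   # assumed per-server secret for the cookie MAC
COOKIE_BITS = 24                       # low 24 bits of the ISN carry the MAC

def syn_cookie(src, sport, dst, dport, counter):
    """Stateless ISN: 8-bit time counter in the top byte, 24-bit keyed hash below.
    Simplified from the classic layout, which also encodes an MSS index."""
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    mac = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return ((counter & 0xFF) << COOKIE_BITS) | mac

def cookie_valid(ack, src, sport, dst, dport, now, max_age=2):
    """Rebuild the cookie from the ACK alone; nothing was stored at SYN time."""
    isn = (ack - 1) & 0xFFFFFFFF
    counter = isn >> COOKIE_BITS
    if (now - counter) & 0xFF > max_age:
        return False                   # cookie too old: reject
    return syn_cookie(src, sport, dst, dport, counter) == isn

class Server:
    def __init__(self, backlog, syn_cookies=False):
        self.backlog, self.syn_cookies = backlog, syn_cookies
        self.half_open = {}            # SYN-RECEIVED queue: (src, sport) -> ISN
        self.counter = 0               # a real stack ticks this every ~64 s

    def on_syn(self, src, sport, dst="10.0.0.1", dport=80):
        """Return the SYN-ACK sequence number, or None if the SYN had to be dropped."""
        if self.syn_cookies:
            return syn_cookie(src, sport, dst, dport, self.counter)
        if len(self.half_open) >= self.backlog:
            return None                # queue full: new SYNs, legitimate or not, are dropped
        self.half_open[(src, sport)] = isn = random.getrandbits(32)
        return isn

    def on_ack(self, src, sport, ack, dst="10.0.0.1", dport=80):
        """True if this ACK completes a handshake; in cookie mode the check is stateless."""
        if self.syn_cookies:
            return cookie_valid(ack, src, sport, dst, dport, self.counter)
        isn = self.half_open.pop((src, sport), None)
        return isn is not None and ack == (isn + 1) & 0xFFFFFFFF

def simulate(syn_cookies, backlog=128, flood=1000):
    """Constructed scenario: `flood` spoofed SYNs that never ACK, then one real client."""
    srv = Server(backlog, syn_cookies)
    for i in range(flood):
        srv.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i)
    isn = srv.on_syn("192.0.2.10", 40000)
    return isn is not None and srv.on_ack("192.0.2.10", 40000, (isn + 1) & 0xFFFFFFFF)
```

With the stateful backlog the legitimate SYN is dropped once 128 half-open entries are queued; with cookies the server keeps no per-SYN state, so the flood costs it nothing and the legitimate handshake completes.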
See also
- Fraggle attack
- Internet Control Message Protocol
- IP address spoofing
- Ping flood
- Smurf attack
- UDP flood attack
References
- "CERT Advisory CA-1996-21 TCP SYN Flooding and IP Spoofing Attacks" (PDF). Carnegie Mellon University Software Engineering Institute. Archived from the original on 2000-12-14. Retrieved 18 September 2019.
- "New York's Panix Service Is Crippled by Hacker Attack". New York Times, September 14, 1996.
- "What is a DDoS Attack?". Cloudflare.com. Cloudflare. Retrieved 4 May 2020.