A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
The goal of this attack is to overload the server with incoming SYN requests that are never followed by an ACK.
The three-way handshake normally runs like this:
- The client requests a connection by sending a SYN (synchronize) message to the server.
- The server acknowledges this request by sending a SYN-ACK back to the client.
- The client responds with an ACK, and the connection is established.
The attack exploits this handshake: the attacker acts like a friendly user who wants to access the server, but floods it with SYNs only and never replies to the SYN-ACK.
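Connections left unanswered this way sit on the server in the SYN-RECEIVED state, which a defender can count. As an added example (not part of the original page), the Python code below counts those entries per listening port from `/proc/net/tcp`-style text; it assumes a little-endian Linux host, and the sample table, addresses and threshold are constructed for illustration.

```python
from collections import Counter
import ipaddress

SYN_RECV = "03"  # state code Linux prints in /proc/net/tcp for SYN-RECEIVED

# Constructed sample in /proc/net/tcp layout (columns trimmed), not from a real host.
SAMPLE = """\
  sl  local_address rem_address   st
   0: 0A0200C0:0050 00000000:0000 0A
   1: 0A0200C0:01BB 00000000:0000 0A
   2: 0A0200C0:0050 076433C6:C001 03
   3: 0A0200C0:0050 086433C6:C002 03
   4: 0A0200C0:0050 096433C6:C003 03
   5: 0A0200C0:0050 057100CB:C004 03
   6: 0A0200C0:0050 067100CB:C005 03
   7: 0A0200C0:01BB 147100CB:D001 03
   8: 0A0200C0:01BB 326433C6:D002 01
"""

def decode_endpoint(field):
    """Decode 'HEXADDR:HEXPORT' as written by a little-endian Linux kernel."""
    addr_hex, port_hex = field.split(":")
    ip = ipaddress.IPv4Address(bytes.fromhex(addr_hex)[::-1])
    return str(ip), int(port_hex, 16)

def half_open_by_port(proc_net_tcp):
    """Map local port -> (SYN-RECEIVED entries, distinct remote addresses)."""
    counts, sources = Counter(), {}
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != SYN_RECV:
            continue  # listening, established, or malformed rows
        _, lport = decode_endpoint(cols[1])
        rip, _ = decode_endpoint(cols[2])
        counts[lport] += 1
        sources.setdefault(lport, set()).add(rip)
    return {p: (n, len(sources[p])) for p, n in counts.items()}

def flag_ports(proc_net_tcp, threshold):
    """Ports whose SYN-RECEIVED count reaches the (site-specific) threshold."""
    return sorted(p for p, (n, _) in half_open_by_port(proc_net_tcp).items() if n >= threshold)

if __name__ == "__main__":
    print(half_open_by_port(SAMPLE))
    print(flag_ports(SAMPLE, threshold=4))
```

On a live host the same functions can be fed the contents of `/proc/net/tcp`; a useful threshold depends on the listener's configured backlog.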
There are a number of well-known countermeasures listed in RFC 4987 including:
- Increasing Backlog
- Reducing SYN-RECEIVED Timer
- Recycling the Oldest Half-Open TCB
- SYN Cache
- SYN cookies
- Hybrid Approaches
- Firewalls and Proxies