What is a SYN flood DDoS attack?

A SYN flood attack is a Distributed Denial of Service (DDoS) attack that exploits the way the TCP three-way handshake allocates state in order to exhaust server resources and make the server unresponsive. The attacker sends TCP connection requests and never acknowledges the server's response, leaving many half-open connections that saturate the server.

How does it work?

A normal TCP three-way handshake has the following process:

  1. The client sends a TCP connection request through a SYN (synchronize) message.

  2. The server responds to this by replying with a SYN-ACK (synchronize-acknowledgment) message.

  3. The client completes the handshake by responding with an ACK (acknowledgment) message.

In a SYN flood attack, the attacker, posing as a client, sends TCP connection requests faster than the server can process them, saturating its pool of open connections and stalling its services. The process is outlined below:

  1. The attacker sends multiple TCP connection requests, often using spoofed (fake or forged) IP addresses to avoid detection.

  2. The server responds to these one-by-one by replying with a SYN-ACK message. It leaves a port open for a certain amount of time for the client's response.

  3. The attacker never sends the final ACK message and instead sends more SYN packets. Since the server keeps a port open for each awaited ACK message, its resources are exhausted once all the available ports are in use.

[Diagram: the SYN flood exchange outlined above, 4 slides]

How to prevent it

Some ways to mitigate the SYN flood attack are as follows:

SYN cookies

Upon receiving a SYN packet, the server derives a unique initial sequence number (the cookie) and sends it in the SYN-ACK packet, without adding the request to its SYN queue. Only when an ACK arrives whose acknowledgment number matches that cookie does the server allocate the connection. This keeps the SYN queue from filling up with half-open connections.
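The cookie mechanism described above, as an added example that is not part of the original page: a simplified SYN-cookie encoder and verifier in Python, modelled on the classic Bernstein/Linux layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash), plus a small simulation contrasting backlog exhaustion on a classic server with the stateless cookie path. The secret key, the MSS table, the 4-tuple encoding and all addresses are constructed assumptions, not values from the page.

```python
import hashlib
import hmac

# Constructed example. The 32-bit initial sequence number packs a 5-bit minute
# counter, a 3-bit MSS index and a 24-bit keyed hash of the 4-tuple, so the server
# keeps no per-connection state until a valid ACK comes back.
SECRET = b"rotate-this-server-secret"          # assumption: server-side secret key
MSS_TABLE = (536, 1220, 1440, 1460)              # MSS values encodable in 3 bits


def _hash24(src_ip, src_port, dst_ip, dst_port, counter):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now):
    """ISN to place in the SYN-ACK; nothing is stored in the SYN queue."""
    counter = (int(now) // 60) & 0x1F            # 5-bit minute counter
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    h = _hash24(src_ip, src_port, dst_ip, dst_port, counter)
    return (counter << 27) | (mss_idx << 24) | h


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack_number, now):
    """Validate the handshake's ACK; returns the negotiated MSS, or None if invalid."""
    cookie = (ack_number - 1) & 0xFFFFFFFF       # the client acknowledges ISN + 1
    counter = cookie >> 27
    current = (int(now) // 60) & 0x1F
    if (current - counter) & 0x1F > 1:           # older than about two minutes: stale
        return None
    if (cookie & 0xFFFFFF) != _hash24(src_ip, src_port, dst_ip, dst_port, counter):
        return None                              # forged, or replayed from another 4-tuple
    return MSS_TABLE[(cookie >> 24) & 0x7]


def simulate_flood(syn_count, use_cookies, backlog=128):
    """Half-open entries still held after syn_count SYNs whose ACK never arrives."""
    half_open = set()
    for i in range(syn_count):
        src = ("203.0.113.%d" % (i % 254 + 1), 1024 + i)  # constructed spoofed sources
        if use_cookies:
            make_syn_cookie(src[0], src[1], "198.51.100.10", 80, 1460, 0)  # no state kept
        elif len(half_open) < backlog:
            half_open.add(src)                   # classic server: a backlog slot is consumed
    return len(half_open)
```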

Increase backlog queue

The backlog queue holds half-open connections, which are dropped automatically after a set period of time. To keep legitimate connections from being delayed, the backlog queue's limit can be raised so that it holds more connections at once.

Decrease timeout value

By decreasing the timeout of half-open connections, the server frees queue entries sooner and prevents SYN packets from congesting the queue.

Recycling the oldest half-open connection

Once the backlog queue is full, this approach evicts the oldest half-open connection and reuses its slot for the new request.


Copyright ©2024 Educative, Inc. All rights reserved