24 May 2021

SYN Flood Attacks

[Figure: SYN Flood diagram]

The most basic and primitive way to carry out a DoS attack is simply to flood the target with ICMP echo requests (a ping flood). More refined methods exploit the behaviour of specific packet types; the SYN flood, which abuses the TCP handshake, is one of the most frequently used.

When a client opens a TCP session with a server, the server sets aside a small amount of memory to track the "three-way handshake" that establishes the session. The handshake packets carry the SYN flag (the "synchronize" bit in the TCP header) together with an initial sequence number that orders the rest of the exchange.

SYN Flood attacks aim to disrupt this process.

An attacker sends a very large number of connection requests in rapid succession, and the server reserves one of these small state entries for each one. Once enough requests have arrived, the listener's limit on half-open connections is reached and the server can no longer accept new ones.

In other words, the attacker requests a connection but never completes the rest of the connection sequence.

The effect is to leave connections on the server half-open, each holding its reserved entry. Those entries cannot be reused for other clients until they are released. A half-open entry is discarded after a timeout if no final ACK arrives (on the order of tens of seconds to a few minutes, depending on the operating system and on how many times it retransmits the SYN/ACK), but in practice a stream of such requests arriving faster than entries expire keeps the queue full, so legitimate connection attempts are dropped or go unanswered.

SYN flood attacks are a widespread form of DoS/DDoS attack that aim to exhaust the server's connection-tracking resources and cut it off from legitimate traffic.

By sending a continuous stream of initial connection request (SYN) packets, the attacker can fill the listening socket's queue of half-open connections (not the machine's ports, which a SYN does not consume), causing the target to respond slowly or to stop accepting new connections entirely.

How Do SYN Flood Attacks Work?

SYN flood attacks abuse the three-way handshake that opens a TCP connection. The handshake establishes a reliable, ordered byte stream between the two ends (it provides no security by itself). Under normal conditions it consists of three steps.

  1. First, the client sends a SYN packet to the server to initiate the connection, announcing its initial sequence number.
  2. In the second step, the server responds with a SYN/ACK packet, acknowledging the client's sequence number and announcing its own; from this point it holds a half-open entry for the client.
  3. In the third step, the client returns an ACK packet acknowledging the server's sequence number. After this exchange the TCP connection is established and data can flow in both directions.

To cause a denial of service, the attacker sends the initial SYN but never sends the final ACK, either by discarding the SYN/ACK or by spoofing a source address that will not answer. The server, having replied with its SYN/ACK, retransmits it several times while waiting for an ACK that never comes; the memory it set aside for that connection stays locked until the half-open entry times out.

[Figure: How SYN Flood Works]

In network communication, a connection the server has answered with a SYN/ACK but for which no final ACK arrives (because there is no responsive machine at the other end) is called half-open. In this type of DDoS attack the targeted server accumulates half-open connections and must wait for each one to time out before its backlog slot becomes available again. For this reason the attack is also known as a "half-open attack".

SYN Flood attacks can occur in three different ways:

Direct attack: the attacker does not spoof the source IP address, so the packets are easily traced back to them. The attacker simply sends a very high volume of SYN packets to the target server. One practical detail: the attacking host's own TCP stack would answer the server's SYN/ACK with a RST, which releases the half-open entry, so a direct attacker has to generate SYNs with raw sockets and block the incoming SYN/ACKs on their own machine.

Spoofed attack: the attacker forges the source IP address of each SYN packet, which hinders mitigation and makes their identity harder to discover. Spoofing does not completely conceal the attacker's location, but it makes tracing much harder. The forged addresses are normally chosen so that no host answers the SYN/ACK; if they belong to real third parties, those hosts receive the unsolicited SYN/ACK backscatter instead.

Distributed attack (DDoS): if the attack is launched from a botnet, tracing it back to its operator becomes harder still. Each bot can also spoof its source addresses, adding a further layer of obfuscation.
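The three variants above leave different fingerprints on the wire: many SYNs that are never followed by an ACK, concentrated on one source address (direct) or spread across many (spoofed or distributed). The following detector is an added example written for this article, not code from the original page or from Privia; it parses constructed packet summaries in an assumed "src:sport > dst:dport [flags]" format (the sample captures use documentation-range addresses and are not real traffic) and the thresholds are assumptions to be tuned against your own baseline.

```python
"""Classify TCP packet summaries as normal, direct SYN flood or spoofed/distributed.

Added example for this article, not code from the original page.  The line
format ("src:sport > dst:dport [flags]"), the sample captures and the
thresholds are constructed assumptions; tune them against your own baseline.
"""
import re
from collections import Counter

LINE_RE = re.compile(r"^([^:\s]+):(\d+) > ([^:\s]+):(\d+) \[([A-Z]+)\]$")


def parse(lines):
    """Yield (src, sport, dst, dport, flags) tuples; unparsable lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m[1], int(m[2]), m[3], int(m[4]), set(m[5])


def analyse(lines, dport, min_syns=100, max_completion=0.5, single_source=0.5):
    """Summarise handshake behaviour toward dport.

    A handshake attempt is a bare SYN from a (src, sport) pair; it counts as
    completed if a bare ACK from the same pair follows.  Many attempts with
    few completions is the flood signature; the share of unanswered attempts
    coming from one address separates a direct flood from a spoofed or
    distributed one.
    """
    attempts = {}      # (src, sport) -> src; retransmitted SYNs collapse to one
    completed = set()
    for src, sport, _dst, p, flags in parse(lines):
        if p != dport:
            continue
        if flags == {"S"}:
            attempts[(src, sport)] = src
        elif flags == {"A"} and (src, sport) in attempts:
            completed.add((src, sport))
    total = len(attempts)
    ratio = len(completed) / total if total else 1.0
    unanswered = Counter(src for key, src in attempts.items() if key not in completed)
    top_src, top_n = unanswered.most_common(1)[0] if unanswered else (None, 0)
    if total < min_syns or ratio >= max_completion:
        verdict = "normal"
    elif top_n / sum(unanswered.values()) >= single_source:
        verdict = "direct"
    else:
        verdict = "spoofed-or-distributed"
    return {"attempts": total, "completed": len(completed), "completion_ratio": ratio,
            "distinct_sources": len(set(attempts.values())),
            "top_unanswered_source": top_src, "verdict": verdict}


def _handshake(src, sport, dst="192.0.2.10", dport=80):
    """Two summary lines for one completed handshake (constructed data)."""
    return [f"{src}:{sport} > {dst}:{dport} [S]", f"{src}:{sport} > {dst}:{dport} [A]"]


# Constructed captures (documentation-range addresses, not real traffic).
NORMAL = [l for i in range(20) for l in _handshake("192.0.2.50", 50000 + i)]
DIRECT = NORMAL + [f"198.51.100.7:{40000 + i} > 192.0.2.10:80 [S]" for i in range(500)]
SPOOFED = NORMAL + [f"203.0.113.{i % 254 + 1}:{40000 + i} > 192.0.2.10:80 [S]"
                    for i in range(500)]

if __name__ == "__main__":
    for name, cap in (("normal", NORMAL), ("direct", DIRECT), ("spoofed", SPOOFED)):
        print(name, analyse(cap, 80)["verdict"])
```

The completion ratio is the robust signal; the per-source share only tells you whether blocking one address will help. Against a spoofed or distributed flood it will not, and mitigation has to happen at the server or upstream.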

How to Prevent SYN Flood Attacks

There are several approaches to mitigating SYN flood attacks; the most widely used is SYN cookies. When the server receives a SYN, it sends back a SYN/ACK as normal but stores nothing about the connection in its backlog. Instead it encodes the connection details (a keyed hash over the addresses and ports, a coarse timestamp and the client's MSS) into the initial sequence number of the SYN/ACK. If an ACK later arrives, the server recomputes the cookie from the ACK's acknowledgement number, verifies it and rebuilds the connection from it. The trade-off is that TCP options other than MSS (window scaling, SACK) are lost unless the client also sends TCP timestamps, which is why Linux, for example, only switches to cookies once the backlog overflows (net.ipv4.tcp_syncookies=1). Complementary measures include a larger backlog, fewer SYN/ACK retransmissions so that half-open entries expire sooner, rate limiting, and SYN proxying by an upstream firewall or load balancer.
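The model below, an added example written for this article and not code from the original page or from any operating system's TCP stack, ties together the half-open queue exhaustion described under "How Do SYN Flood Attacks Work?" and the SYN cookie defence above. It simulates only the server's handshake state (no sockets, no packets on the wire); the backlog size, the entry timeout, the 64-second cookie epoch and the 8-bit-counter-plus-24-bit-MAC cookie layout are assumptions for illustration.

```python
"""Toy model of a TCP listener under SYN flood, with and without SYN cookies.

Added example for this article, not code from the page or from any OS.  Only
the server's handshake state is modelled (no sockets, no packets on the wire);
BACKLOG, SYNACK_TIMEOUT and the cookie layout are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time

BACKLOG = 128          # assumed capacity of the half-open (SYN) queue
SYNACK_TIMEOUT = 63.0  # assumed lifetime of a half-open entry, seconds
MASK32 = 0xFFFFFFFF


class Listener:
    """Server side of the three-way handshake for one listening port."""

    def __init__(self, port, syncookies=False, clock=time.monotonic):
        self.port = port
        self.syncookies = syncookies
        self.clock = clock
        self.half_open = {}       # (src, sport) -> (server_isn, expires_at)
        self.established = set()  # (src, sport)
        self.dropped_syns = 0
        self._secret = secrets.token_bytes(32)

    def _cookie(self, src, sport, client_isn, counter):
        """Stateless ISN: 8-bit time counter + 24 bits of keyed hash."""
        msg = f"{src}:{sport}:{self.port}:{client_isn}:{counter}".encode()
        mac = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return ((counter & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

    def _expire(self):
        """Drop half-open entries whose SYN/ACK retransmissions have timed out."""
        now = self.clock()
        for key, (_, expires_at) in list(self.half_open.items()):
            if expires_at <= now:
                del self.half_open[key]

    def on_syn(self, src, sport, client_isn):
        """Handle a SYN. Returns the SYN/ACK (seq, ack) or None if dropped."""
        self._expire()
        if self.syncookies:
            counter = int(self.clock()) // 64        # cookie epoch (assumed 64 s)
            return self._cookie(src, sport, client_isn, counter), (client_isn + 1) & MASK32
        if len(self.half_open) >= BACKLOG:
            self.dropped_syns += 1                    # queue full: legit SYNs lost too
            return None
        server_isn = secrets.randbits(32)
        self.half_open[(src, sport)] = (server_isn, self.clock() + SYNACK_TIMEOUT)
        return server_isn, (client_isn + 1) & MASK32

    def on_ack(self, src, sport, seq, ack):
        """Handle the final ACK. Returns True if the connection is established."""
        key = (src, sport)
        if self.syncookies:
            client_isn = (seq - 1) & MASK32
            isn = (ack - 1) & MASK32                  # the ISN we claimed in the SYN/ACK
            now = int(self.clock()) // 64
            for counter in (now, now - 1):            # accept current or previous epoch
                if (counter & 0xFF) == isn >> 24 and self._cookie(src, sport, client_isn, counter) == isn:
                    self.established.add(key)
                    return True
            return False
        entry = self.half_open.get(key)
        if entry is None or ack != (entry[0] + 1) & MASK32:
            return False
        del self.half_open[key]
        self.established.add(key)
        return True


def flood_then_connect(syncookies, n_spoofed=1000):
    """n_spoofed SYNs from addresses that never answer, then one real handshake.
    Returns (legit_client_connected, half_open_entries_still_held)."""
    srv = Listener(80, syncookies=syncookies)
    for i in range(n_spoofed):
        srv.on_syn(f"203.0.113.{i % 254 + 1}", 40000 + i, secrets.randbits(32))
    client_isn = 1000
    reply = srv.on_syn("192.0.2.10", 51515, client_isn)
    if reply is None:                                 # SYN dropped: backlog exhausted
        return False, len(srv.half_open)
    server_isn, _ = reply
    ok = srv.on_ack("192.0.2.10", 51515, seq=client_isn + 1, ack=(server_isn + 1) & MASK32)
    return ok, len(srv.half_open)


if __name__ == "__main__":
    print("no cookies :", flood_then_connect(False))   # (False, 128)
    print("SYN cookies:", flood_then_connect(True))    # (True, 0)
```

Without cookies the queue holds BACKLOG stale entries and the legitimate SYN is dropped; with cookies the server keeps no per-SYN state, so the flood costs it only CPU for the keyed hash and the legitimate client still completes. The two-epoch check in on_ack is what tolerates a cookie issued just before the counter rolled over; a forged ACK fails because the 24-bit MAC does not match.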
