Enhance your Career in Networking With IPinBits!!!

TCP SYN Flood attack

  • A SYN flood is a denial-of-service (DoS) attack, usually launched from many hosts (DDoS), in which the attacker sends TCP connection requests (SYN segments) faster than the server can complete and retire them.
  • The attacker sends the SYN segments to an open port (or several ports) on the targeted server. Most of the time the source IP addresses are spoofed, so each request appears to come from a different, unreachable client.
  • The server cannot tell these SYNs from legitimate ones, so it treats each request as genuine, allocates an entry in its SYN backlog, and replies with a SYN-ACK. Because the source address is spoofed, the SYN-ACK is sent to a host that never asked for the connection (or to no host at all), and no client will ever answer it.
  • The server keeps each entry while it waits for the final ACK, retransmitting the SYN-ACK several times before giving up. Once the backlog is full, new SYNs, including those from legitimate clients, are dropped for lack of resources.
  • A connection in this state (SYN received, SYN-ACK sent, ACK never received) is known as HALF OPEN.
  • A sustained flood therefore leaves the server holding a massive number of half-open connections and deprived of the resources it needs to accept real clients.
  • In the Wireshark capture we can see a lot of SYN segments arriving at the server.
  • These SYNs arrive in a very short time frame (19 SYNs in 0.002867 seconds).
  • The source IPs also appear to be spoofed: the server's SYN-ACKs are never answered, so no ACKs (and no completed handshakes) appear in the capture.
  • Behaviour like this will soon leave the server overwhelmed with pending TCP connection requests.
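The following Python is an added example and is not code from the original post or from IPinBits: it replays a small, constructed Wireshark-style packet list, tracks the state of every handshake the way the server's SYN backlog would (a SYN opens a half-open entry, the matching ACK completes it, a RST frees it), and flags the capture when a burst of SYNs coincides with a pile of half-open entries. The server address 10.0.0.5, the 203.0.113.0/24 source range, the timings and the thresholds are all assumptions made up for the demonstration.

```python
# Added example, not code from the original post: a small SYN-flood detector
# that replays a constructed Wireshark-style TCP packet list and tracks the
# state of every handshake.  Addresses, ports, times and thresholds are
# assumptions chosen for illustration.

SERVER_IP = "10.0.0.5"  # assumed address of the targeted server


def build_sample_packets():
    """Constructed capture: one legitimate handshake, then 19 SYNs from 19
    different (spoofed-looking) sources within ~3 ms whose SYN-ACKs are never
    answered, which is the pattern the post describes.

    Record layout: (time_s, src_ip, src_port, dst_ip, dst_port, flags)."""
    pkts = [
        (0.000000, "192.168.1.20", 51000, SERVER_IP, 80, "SYN"),
        (0.000100, SERVER_IP, 80, "192.168.1.20", 51000, "SYN-ACK"),
        (0.000200, "192.168.1.20", 51000, SERVER_IP, 80, "ACK"),
    ]
    for i in range(19):
        t = 0.100000 + i * 0.00015
        src = f"203.0.113.{i + 1}"  # TEST-NET-3, stands in for spoofed sources
        pkts.append((t, src, 40000 + i, SERVER_IP, 80, "SYN"))
        pkts.append((t + 0.00005, SERVER_IP, 80, src, 40000 + i, "SYN-ACK"))
    return pkts


def track_handshakes(packets):
    """Replay packets in time order and return {4-tuple: state}, keyed from the
    client's side (src, sport, dst, dport).  States mirror what the server's
    SYN backlog holds: 'half-open' (SYN seen, no ACK yet), 'established'
    (final ACK arrived) or 'reset' (a RST tore the entry down)."""
    state = {}
    for _t, src, sport, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        client_key = (src, sport, dst, dport)
        if flags == "SYN":
            state[client_key] = "half-open"        # server queues a SYN_RECV entry
        elif flags == "ACK" and state.get(client_key) == "half-open":
            state[client_key] = "established"      # three-way handshake completed
        elif flags == "RST":
            # A RST from either side (e.g. a live host that received a SYN-ACK
            # it never asked for) frees the half-open entry.
            for key in (client_key, (dst, dport, src, sport)):
                if state.get(key) == "half-open":
                    state[key] = "reset"
    return state


def peak_syns_in_window(packets, window_s):
    """Largest number of SYNs that fall inside any sliding window of window_s
    seconds: the '19 SYNs in 0.002867 s' style observation, made general."""
    times = sorted(p[0] for p in packets if p[5] == "SYN")
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def syn_flood_indicators(packets, window_s=0.01, syn_threshold=10, half_open_threshold=10):
    """Summarise the capture and flag it when a burst of SYNs coincides with a
    pile of half-open connections.  Thresholds are illustrative assumptions."""
    state = track_handshakes(packets)
    half_open = sum(1 for s in state.values() if s == "half-open")
    established = sum(1 for s in state.values() if s == "established")
    syn_sources = {p[1] for p in packets if p[5] == "SYN"}
    peak = peak_syns_in_window(packets, window_s)
    return {
        "peak_syns_in_window": peak,
        "half_open": half_open,
        "established": established,
        "unique_syn_sources": len(syn_sources),
        "flagged": peak >= syn_threshold and half_open >= half_open_threshold,
    }


if __name__ == "__main__":
    for name, value in syn_flood_indicators(build_sample_packets()).items():
        print(f"{name}: {value}")
```

Run it as a script to see the summary for the constructed capture; on a real capture you would feed it the (time, src, sport, dst, dport, flags) columns exported from Wireshark or tshark. Counting half-open entries rather than raw SYNs is what separates a flood from a busy but healthy server: legitimate clients finish their handshakes, spoofed sources never do.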

The SYN flood vulnerability has been well known for a long time. The attack exploits the TCP three-way handshake, and most network devices cannot differentiate a legitimate SYN from an attacker's. There are many ways to mitigate a SYN flood, such as SYN cookies, a larger SYN backlog with fewer SYN-ACK retransmissions, and rate limiting or SYN proxying on a firewall or load balancer.
