A SYN flood is a type of Denial of Service (DoS) attack that exploits the TCP three-way handshake process to overwhelm a target system, making it unavailable for legitimate users. The attack focuses on flooding a server with SYN (synchronization) requests in order to exhaust its resources, without completing the handshake. This causes the server to maintain many half-open connections, ultimately leading to a denial of service for legitimate users.
The attack is named a SYN flood because it specifically targets the SYN step of the three-way handshake used in TCP connections.
How SYN Flood Attacks Work
The TCP three-way handshake consists of the following steps:
- SYN (Synchronize): The client sends a SYN packet to the server to initiate a connection.
- SYN-ACK (Synchronize-Acknowledge): The server responds with a SYN-ACK to acknowledge the request.
- ACK (Acknowledge): The client sends an ACK back to the server to complete the handshake.
In a SYN flood attack, the attacker manipulates the first two steps of this handshake:
- Step 1 (SYN Sent by Attacker): The attacker sends a large number of SYN requests to the target server with a spoofed IP address (a fake source address).
- Step 2 (SYN-ACK Response from Server): The target server responds to each SYN request with a SYN-ACK message, but since the source IP address is spoofed, the server waits for an ACK response that will never come.
- Step 3 (No ACK from Attacker): The server holds the connection open, waiting for the ACK to complete the handshake. However, since the ACK never arrives (because the IP address is fake or unreachable), the server ends up with half-open connections that consume resources like memory and processing power.
Consequences of a SYN Flood Attack
- Resource Exhaustion: The target server keeps a TCP connection queue filled with these incomplete handshakes, consuming server resources such as memory and processing power. As a result, it cannot accept legitimate connections from real users.
- Denial of Service: When the connection queue is exhausted, legitimate users cannot initiate connections, effectively causing a Denial of Service (DoS).
- Slowdown: The server may slow down as it tries to process these fake connections, impacting performance even if the attack doesn't entirely bring the server down.
Characteristics of a SYN Flood Attack
- Flood of SYN Requests: The attacker sends a large number of SYN packets to the target server.
- Spoofed IP Address: The SYN packets often have a spoofed IP address (a fake source address), so the server cannot respond to the attacker's packets.
- No Completion of Handshake: The server never receives the final ACK from the attacker, leaving the connection in a half-open state.
- Resource Exhaustion: As the server waits for the missing ACK, it holds the resources allocated for the incomplete connections.
Detection of a SYN Flood Attack
Detecting a SYN flood attack can be challenging, but certain network behavior indicators can help identify when an attack is occurring:
- High Volume of SYN Packets: A sharp rise in the rate of incoming SYN packets, often concentrated on a small number of source IP addresses.
- Incomplete TCP Handshakes: A noticeable increase in half-open TCP connections (i.e., SYN packets without the corresponding ACK).
- Spoofed IP Addresses: SYN packets with spoofed or invalid source IP addresses, which do not respond to the SYN-ACKs sent by the server.
- Connection Queue Full: The server's TCP connection table becomes full, meaning no new connections can be established.
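The half-open-connection indicator above can be checked directly from captured traffic. The following is an added example, not part of the original article: it walks a few constructed capture-summary lines (format assumed: time, source, `>`, destination, TCP flags), tracks each client 4-tuple through the handshake, and reports how many SYNs to the server never reached the ACK step.

```python
# Constructed capture summary lines for the example (not real traffic):
# "<time> <src_ip>:<sport> > <dst_ip>:<dport> <flags>", S=SYN, SA=SYN-ACK, A=ACK.
SAMPLE = """\
0.001 192.0.2.10:40001 > 10.0.0.1:80 S
0.002 10.0.0.1:80 > 192.0.2.10:40001 SA
0.003 192.0.2.10:40001 > 10.0.0.1:80 A
0.010 198.51.100.5:5001 > 10.0.0.1:80 S
0.011 10.0.0.1:80 > 198.51.100.5:5001 SA
0.012 198.51.100.6:5002 > 10.0.0.1:80 S
0.013 10.0.0.1:80 > 198.51.100.6:5002 SA
0.014 198.51.100.7:5003 > 10.0.0.1:80 S
0.015 10.0.0.1:80 > 198.51.100.7:5003 SA
0.016 198.51.100.8:5004 > 10.0.0.1:80 S
0.017 10.0.0.1:80 > 198.51.100.8:5004 SA
"""

def parse(line):
    """Split one summary line into (time, src, dst, flags)."""
    ts, src, _, dst, flags = line.split()
    return float(ts), src, dst, flags

def half_open_stats(lines, server):
    """Follow every client 4-tuple towards `server` through the handshake.
    A SYN opens the entry; only a pure ACK from the same client closes it."""
    state = {}
    for line in lines:
        _, src, dst, flags = parse(line)
        if dst.split(":")[0] != server:
            continue                      # only packets sent to the server
        if flags == "S":
            state[(src, dst)] = "syn"     # half-open until the ACK arrives
        elif flags == "A" and state.get((src, dst)) == "syn":
            state[(src, dst)] = "established"
    syns = len(state)
    half_open = sum(1 for s in state.values() if s == "syn")
    sources = {src.split(":")[0] for (src, _), s in state.items() if s == "syn"}
    return {
        "syns": syns,
        "half_open": half_open,
        "half_open_sources": len(sources),
        "completion": (syns - half_open) / syns if syns else 1.0,
    }

def is_syn_flood(stats, min_syns=4, max_completion=0.5):
    """Alert when enough SYNs were seen and most never completed."""
    return stats["syns"] >= min_syns and stats["completion"] <= max_completion
```

The thresholds are placeholders; on a real server they are tuned against the normal completion ratio of its traffic.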
Mitigation of SYN Flood Attacks
Several strategies can be employed to mitigate the effects of a SYN flood attack:
1. SYN Cookies
SYN cookies are a technique that helps the server avoid allocating resources for a half-open connection until the final ACK of the handshake is received. Here's how it works:
- Instead of allocating memory for a new connection when receiving a SYN packet, the server generates a SYN cookie, which encodes connection state information in the sequence number of the SYN-ACK.
- When the client responds with an ACK, the server can verify that the ACK corresponds to a valid SYN cookie, allowing it to complete the handshake without needing to keep half-open connections in memory.
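To make the SYN cookie mechanism concrete, here is an added, simplified implementation (not the Linux kernel's algorithm and not code from the original article). It assumes a server-side secret, a 5-bit time-slot counter and a 4-entry MSS table; the 32-bit cookie becomes the SYN-ACK's initial sequence number, and the final ACK (which acknowledges ISN+1) is validated without any per-connection state.

```python
import hashlib
import hmac
import struct

# Constructed secret for the example; a real server generates one at boot.
SECRET = b"constructed-example-secret"

# Small MSS table so the negotiated MSS fits in 3 bits of the cookie.
MSS_TABLE = (536, 1220, 1440, 1460)
COUNTER_BITS = 5      # time-slot counter, wraps every 32 slots
MAX_AGE_SLOTS = 2     # accept cookies issued within the last 2 slots

def _mac24(src_ip, src_port, dst_ip, dst_port, counter):
    """Keyed hash over the 4-tuple and the issuing counter, cut to 24 bits."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0] & 0xFFFFFF

def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, counter):
    """ISN for the SYN-ACK: [5-bit slot][3-bit MSS index][24-bit MAC].
    Nothing about this half-open connection is stored on the server."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss),
                  default=0)
    slot = counter & ((1 << COUNTER_BITS) - 1)
    mac = _mac24(src_ip, src_port, dst_ip, dst_port, counter)
    return (slot << 27) | (mss_idx << 24) | mac

def check_cookie(src_ip, src_port, dst_ip, dst_port, ack_num, counter):
    """Validate the client's final ACK. The cookie is ack_num-1.
    Returns the MSS to use for the connection, or None if invalid."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    slot = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    age = (counter - slot) & ((1 << COUNTER_BITS) - 1)
    if age > MAX_AGE_SLOTS:
        return None                  # stale, or a forged slot value
    issued = counter - age           # reconstruct the full issuing counter
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, issued)
    if not hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"),
                               expected.to_bytes(3, "big")):
        return None                  # ACK does not match any cookie we issued
    return MSS_TABLE[mss_idx]
```

Because only the MSS survives in the cookie, other SYN options (window scaling, SACK) are lost, which is why real stacks enable cookies only once the backlog is under pressure.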
2. Increased Backlog Queue Size
Increasing the size of the TCP backlog queue allows the server to handle more half-open connections before rejecting new ones. However, this is not a permanent solution since the attacker can always increase the rate of SYN requests.
3. Rate Limiting or Connection Throttling
Implementing rate limiting on the number of incoming SYN packets per second from any single IP address can help slow down the attack. This can be done with firewalls or intrusion prevention systems (IPS).
4. Firewall and Router Protection
- Access Control Lists (ACLs): Firewalls or routers can be configured with ACLs to filter out packets from known malicious IPs or limit the rate of incoming SYN packets.
- Deep Packet Inspection (DPI): Devices can perform DPI to detect and block SYN flood traffic based on its characteristics.
5. TCP Connection Timeout Reduction
By reducing the SYN timeout period (the time the server waits for an ACK response after sending the SYN-ACK), the server can quickly release resources that would otherwise be tied up by incomplete connections.
6. Intrusion Detection Systems (IDS)
IDS or Intrusion Prevention Systems (IPS) can detect SYN flood patterns and trigger automatic countermeasures such as rate-limiting or blocking malicious IPs.
7. Anycast
For large-scale websites, the Anycast technique can be used to distribute traffic to multiple server locations, which can help absorb the traffic generated by a SYN flood attack.
Advanced SYN Flood Attacks (SYN+ACK Floods)
An advanced form of the SYN flood is the SYN+ACK flood, where the attacker sends SYN-ACK packets instead of SYN packets. This can be especially effective in bypassing basic defenses because:
- The SYN-ACK flood appears to be part of a normal handshake, making it harder to distinguish from legitimate traffic.
- The attacker typically does not spoof the IP address in this case, meaning the server is tricked into sending SYN-ACK responses to the real target, consuming its resources.
This type of attack exploits the server’s connection table and requires more sophisticated detection and mitigation techniques.
Example of SYN Flood Attack:
Let’s say an attacker wants to perform a SYN flood attack on a web server with IP 10.0.0.1:
- Step 1: The attacker sends SYN packets with a spoofed IP address (say 192.168.1.100), requesting a connection to 10.0.0.1 on port 80.
- Step 2: The server at 10.0.0.1 responds to each SYN with a SYN-ACK packet, acknowledging the fake requests.
- Step 3: The attacker never responds to the SYN-ACKs, leaving the server with many half-open connections.
- Result: Eventually, the server runs out of resources, and legitimate users can no longer establish a connection.
A SYN flood attack is a simple yet effective denial of service attack that exploits the TCP handshake mechanism. By sending a large number of SYN packets with spoofed source addresses, the attacker causes the target server to allocate resources for many half-open connections, eventually overwhelming it and preventing legitimate users from accessing services.
Mitigating SYN flood attacks requires a combination of network security measures, such as SYN cookies, rate limiting, and firewall protection. Early detection and prevention are key to protecting servers from being impacted by these types of attacks.