A SYN flood attack is a type of denial-of-service (DoS) or distributed denial-of-service (DDoS) attack that targets servers by exploiting the TCP protocol’s three-way handshake, the exchange that establishes a reliable connection between a client and a server. The server must keep state for every handshake still in progress, and that state is what the attack exhausts.
How the Attack Works
• In normal TCP communication, a client initiates a connection by sending a SYN (synchronize) packet to the server.
• The server responds with a SYN-ACK (synchronize-acknowledge) packet.
• The client then completes the handshake by sending an ACK (acknowledge) packet back to the server.
• This three-step process establishes a connection, allowing data transfer to begin.
In a SYN flood attack:
• The attacker sends a large number of SYN requests to the target server but deliberately never answers the server’s SYN-ACK replies with the final ACK.
• Alternatively, the attacker spoofs the source IP address in the SYN packets, so the server sends its SYN-ACK responses to addresses that are unreachable or belong to hosts that never reply. (A reachable host that did not send the SYN answers the unsolicited SYN-ACK with a RST, which frees the server’s entry, so attackers choose addresses that will not respond.)
• As a result, the server keeps each of these connections in a “half-open” state, holding an entry in its listen backlog until the final ACK arrives or the entry times out. The backlog is finite, so once it fills the server drops new SYNs, including those from legitimate clients.
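The following is an added example, not code from the original page: a toy model of a listener’s backlog that plays through the three scenarios above (an unanswered flood, a flood spoofed from reachable hosts that reply with RST, and the backlog recovering after half-open entries time out). The backlog size, the timeout of 3 ticks and the addresses are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

SYN_ACK_TIMEOUT = 3   # ticks a half-open entry survives without the final ACK (assumed value)


@dataclass
class Server:
    """Toy listener: the backlog holds half-open connections awaiting the client's ACK."""
    backlog_size: int
    half_open: dict = field(default_factory=dict)   # (src_ip, src_port) -> tick at which it expires
    established: int = 0
    dropped_syns: int = 0

    def expire(self, now):
        # Half-open entries whose timeout has passed are released.
        for src in [s for s, t in self.half_open.items() if t <= now]:
            del self.half_open[src]

    def on_syn(self, src, now):
        # The server allocates state for the handshake only if the backlog has room.
        self.expire(now)
        if len(self.half_open) >= self.backlog_size:
            self.dropped_syns += 1
            return "DROP"
        self.half_open[src] = now + SYN_ACK_TIMEOUT
        return "SYN-ACK"

    def on_ack(self, src, now):
        # The final ACK completes the handshake and frees the backlog entry.
        self.expire(now)
        if self.half_open.pop(src, None) is None:
            return "RST"          # no matching half-open connection
        self.established += 1
        return "ESTABLISHED"

    def on_rst(self, src):
        # A reachable host that never sent the SYN answers the SYN-ACK with RST, freeing the entry.
        self.half_open.pop(src, None)


def legitimate_handshake(server, src, now):
    """A well-behaved client: SYN, wait for SYN-ACK, then ACK."""
    return server.on_syn(src, now) == "SYN-ACK" and server.on_ack(src, now) == "ESTABLISHED"


def run_flood(backlog=128, flood_syns=1000, spoof_reachable=False):
    """Send flood_syns SYNs at tick 0 (constructed spoofed sources), then try one real client at tick 1."""
    srv = Server(backlog)
    for i in range(flood_syns):
        src = (f"203.0.113.{i % 254 + 1}", 40000 + i)
        srv.on_syn(src, now=0)
        if spoof_reachable:
            srv.on_rst(src)   # spoofed host exists and rejects the unsolicited SYN-ACK
    client_ok = legitimate_handshake(srv, ("198.51.100.7", 51234), now=1)
    return srv, client_ok


def recovers_after_timeout(backlog=128, flood_syns=1000):
    """Once the half-open entries expire, a legitimate client gets through again (if the flood stopped)."""
    srv, _ = run_flood(backlog, flood_syns)
    return legitimate_handshake(srv, ("198.51.100.7", 51234), now=SYN_ACK_TIMEOUT)


if __name__ == "__main__":
    srv, ok = run_flood()
    print(f"unanswered flood: half-open={len(srv.half_open)} dropped={srv.dropped_syns} client_ok={ok}")
    srv, ok = run_flood(spoof_reachable=True)
    print(f"spoofed from reachable hosts: half-open={len(srv.half_open)} client_ok={ok}")
    print(f"client_ok after timeout: {recovers_after_timeout()}")
```

The model shows why the attack is cheap: the attacker spends one packet per backlog slot, while the server holds each slot for the full timeout. It also shows why the timeout alone is not a defence; a sustained flood simply refills the slots as they expire, which is what `recovers_after_timeout` does not model.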
Key Characteristics
• SYN flood attacks are sometimes called “half-open” attacks because they leave connections incomplete.
• They often use spoofed source IP addresses, which hide the attacker and make mitigation harder: each SYN can carry a different apparent source, so blocking or rate-limiting individual addresses does little, and the traffic is harder to tell apart from many genuine clients.
• These attacks operate at Layer 4 (the transport layer) of the OSI model and can target any service that listens on TCP, such as web servers, email servers, and other infrastructure.
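The following is an added example, not part of the original page, showing what the two characteristics above look like in traffic. It tracks each client connection through SYN, SYN-ACK and ACK in constructed tcpdump-style summary lines and flags a flood from the low handshake completion rate. The line format, the addresses, and the thresholds in `is_syn_flood` are assumptions for illustration; with spoofed sources the busiest single source sends only one SYN, which is why the aggregate ratio is used rather than a per-source count.

```python
import re
from collections import Counter

# Constructed summary layout (assumed): "<src_ip>.<sport> > <dst_ip>.<dport>: Flags [<flags>]"
# Flag strings follow tcpdump's notation: S = SYN, S. = SYN-ACK, . = bare ACK, R = RST.
PKT = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[S.R]+)\]"
)


def parse(line):
    m = PKT.match(line)
    if not m:
        return None
    d = m.groupdict()
    return d["src"], int(d["sport"]), d["dst"], int(d["dport"]), d["flags"]


def handshake_stats(lines):
    """Follow each client 4-tuple through SYN -> SYN-ACK -> ACK and count those that stall half-open."""
    state = {}   # (client_ip, client_port, server_ip, server_port) -> furthest stage reached
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        src, sport, dst, dport, flags = p
        if flags == "S":                        # client SYN opens a handshake
            state[(src, sport, dst, dport)] = "syn"
        elif flags == "S.":                     # server SYN-ACK; key it by the client's tuple
            key = (dst, dport, src, sport)
            if state.get(key) == "syn":
                state[key] = "synack"
        elif flags == ".":                      # bare ACK from the client completes the handshake
            key = (src, sport, dst, dport)
            if state.get(key) == "synack":
                state[key] = "established"
    syns = len(state)
    completed = sum(1 for s in state.values() if s == "established")
    per_source = Counter(k[0] for k in state)
    return {
        "syns": syns,
        "completed": completed,
        "half_open": syns - completed,
        "unique_sources": len(per_source),
        "busiest_source_syns": max(per_source.values(), default=0),
    }


def is_syn_flood(stats, min_syns=20, max_completion=0.5):
    """Flag a window with enough SYNs where fewer than max_completion of them finish the handshake."""
    if stats["syns"] < min_syns:
        return False
    return stats["completed"] / stats["syns"] < max_completion


def build_sample():
    """Constructed traffic: three real handshakes, then fifty spoofed-source SYNs whose SYN-ACKs go unanswered."""
    server = "192.0.2.10"
    lines = []
    for i, client in enumerate(["198.51.100.7", "198.51.100.8", "198.51.100.9"]):
        port = 50000 + i
        lines += [
            f"{client}.{port} > {server}.443: Flags [S]",
            f"{server}.443 > {client}.{port}: Flags [S.]",
            f"{client}.{port} > {server}.443: Flags [.]",
        ]
    for i in range(50):
        spoofed = f"203.0.113.{i + 1}"          # a different apparent source per SYN
        lines += [
            f"{spoofed}.40000 > {server}.443: Flags [S]",
            f"{server}.443 > {spoofed}.40000: Flags [S.]",
        ]
    return lines


if __name__ == "__main__":
    stats = handshake_stats(build_sample())
    print(stats, "flood" if is_syn_flood(stats) else "normal")
```

In the sample the busiest source sends a single SYN, so a per-address threshold never fires; only the ratio of half-open to total handshakes across the window exposes the flood. Real captures carry bare ACKs for ordinary data traffic too, which is why the tracker only counts an ACK that follows a SYN-ACK on the same 4-tuple.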