SYN Flood Attack: How It Works and Protection
A SYN flood disrupts a web service by abusing a weakness in the TCP/IP handshake. Among the many cyber threats, the TCP SYN flood stands out as a particularly damaging type of denial-of-service (DoS) attack. By manipulating the protocols that govern internet communication, attackers can overwhelm servers, rendering them unavailable to genuine requests.
Explore the details of the TCP SYN flood, a common denial-of-service attack: how it works, the risks it poses to computer networks, and the tactics used to counter it. This article covers the following topics concerning the SYN flood attack:
- What is a SYN flood attack?
- How does a SYN flood attack work?
- What is SYN flood in the OSI model?
- What is SYN flooding on a port?
- How does a SYN flood attack occur?
- How is a SYN flood attack mitigated?
- Why is SYN flood prevention important?
- Is SYN flooding illegal?
- What does SYN mean in networking?
- What firewall type will prevent SYN flood attacks?
- How does Zenarmor mitigate SYN flood attacks?
- What is the difference between SYN flood and ICMP flood?
What is a SYN Flood Attack?
A SYN flood (half-open attack) is a type of denial-of-service (DoS) attack that attempts to render a server inaccessible to genuine traffic by consuming all available server resources. Through the persistent transmission of initial connection request (SYN) packets, an attacker can overwhelm every accessible port on the targeted server, causing the device to respond to legitimate traffic slowly or not at all.
A TCP SYN flood attack attempts to exploit the TCP three-way handshake procedure, which is essential for establishing connections in TCP/IP networks. The TCP handshake has three steps:
- A client sends a SYN (synchronize) message to a server, expressing its wish to establish a connection.
- The server confirms this request by returning a SYN-ACK message to the client.
- The client sends an ACK (acknowledgement), and the connection is properly established.
In a TCP SYN flood attack, the hostile entity sends a flood of SYN requests to a target server while purposefully never sending the final ACK. This forces the server to hold resources for each of these half-open connections while it waits for a response that never arrives.
What are the Types of SYN Flood Attacks?
A SYN flood can occur in three distinct ways:
- Direct Attack: A direct attack is a SYN flood launched without spoofing the IP address; the attacker does not hide their source address at all. Because a single source device with a real IP address is used, the attacker is highly exposed to detection and mitigation. To create the half-open state on the target, the attacker must prevent their own machine from responding to the server's SYN-ACK packets. This is usually done with firewall rules that block all outgoing packets other than SYNs, or that drop every incoming SYN-ACK before it reaches the attacker's workstation. In practice this strategy is rarely (if ever) employed, since mitigation is simple: block the IP address of each offending system.
- Spoofed Attack: The attacker can spoof the source IP address on each SYN packet they transmit to thwart mitigation measures and make their identity harder to trace. Although the packets are spoofed, they can still be traced back to their source. Such an investigation is difficult, but not impossible, especially if Internet service providers (ISPs) agree to assist.
- Distributed Denial of Service (DDoS): A DDoS SYN attack overwhelms the target with an excessive number of SYN requests sent concurrently by a multitude of compromised machines, usually organized into a botnet. When an attack is launched via a botnet, it is difficult to trace it back to its origin. To add another layer of obfuscation, an attacker may have each distributed device spoof the source IP addresses of the packets it sends. If the attacker is using a botnet, such as the Mirai botnet, they are unlikely to bother concealing the infected devices' IP addresses.
A malicious actor can use a SYN flood attack to cause a denial of service on a target device or service while generating far less traffic than other DDoS attacks. Unlike volumetric attacks, which try to saturate the network infrastructure around the target, a SYN attack need only exceed the backlog that the target's operating system makes available. If the attacker can estimate the size of the backlog and how long each half-open connection is kept before it times out, they can tune the attack to exactly the parameters required to disable the system, reducing total traffic to the minimum needed to cause a denial of service.
How Does a SYN Flood Attack Work?
SYN flood attacks abuse the handshake phase of a TCP connection. Under normal conditions, establishing a TCP connection involves three separate steps. First, the client sends a SYN packet to the server to request the connection. To acknowledge the request, the server responds with a SYN/ACK message. Finally, the client sends an ACK packet to acknowledge receipt of the server's packet. After this exchange of packets, the TCP connection is open and ready to transmit and receive data.
To cause a denial of service, an attacker takes advantage of the fact that after receiving an initial SYN packet, the server responds with a SYN/ACK packet (retransmitting it if no answer arrives) and waits for the last step in the handshake. A SYN flood attack proceeds as follows:
- The attacker sends a large number of SYN packets to the target server, often using spoofed IP addresses.
- The server answers each connection request with a SYN/ACK and holds a half-open connection, tying up a port while it waits for the response.
- While the server waits for the final ACK packet, which never arrives, the attacker keeps sending more SYN packets. Each new SYN packet causes the server to hold another half-open connection for a period of time, and once all available ports have been used, the server can no longer operate correctly.
What is SYN flood in the OSI model?
A SYN distributed denial-of-service attack targets the TCP protocol at Layer 4 (the transport layer) of the OSI model. It seeks to bring down a network device, load balancer, session management device, or server by flooding it with requests for its connection resources.
A SYN flood attack, also known as a "half-open attack", exploits a well-known weakness in the TCP/IP handshake to overload a server with TCP connections, preventing it from serving genuine traffic. This form of attack can bring down machines capable of supporting tens of millions of connections. Attackers first used the TCP SYN flood in the early 1990s, most famously Kevin Mitnick, who used the technique to execute a denial-of-service attack while impersonating a TCP/IP connection. The attack degrades the server's capacity to process genuine traffic and connections, rendering it inaccessible.
What is SYN flooding on a port?
Unlike other forms of DDoS attack, a SYN flood does not aim to consume all of the host's memory but to exhaust the pool of half-open connections available to a port, using specific and frequently spoofed source IP addresses. SYN floods are called "half-open" attacks because they send a burst of SYN packets at a port, leaving unacknowledged connections open and pending, and frequently ending in a server crash.
How Does a SYN Flood Attack Occur?
Attackers typically send a large number of SYN packets to the server with forged source IP addresses or ports, requesting TCP connections. Because the source address or port is fake, the real owner of that address never receives or replies to the server's SYN-ACK packet. In other cases, attackers use real source IP addresses and attack tools that send huge numbers of SYN packets but simply do not respond to the server's SYN-ACKs. Either way, the server never receives the final ACK, leaving a huge number of half-open connections. The server must keep a long waiting list while it retransmits SYN-ACK packets, and the resources tied to those connections cannot be released. When the backlog is completely occupied by these malicious half-open connections, the server stops responding to new SYN packets, and ordinary users can no longer establish TCP connections.
What are the Impacts of SYN Flood Attack?
A SYN flood attack may have a significant and disruptive effect on networks. Some of its major repercussions are as follows:
- Service Disruption: Due to the depletion of the server's resources, it is unable to process genuine connection requests. This leads to a denial of service, resulting in service outages for authorized users.
- Resource Exhaustion: Resource exhaustion occurs when a target server is overwhelmed by a flood of SYN requests, resulting in the depletion of resources such as CPU, memory, and network bandwidth.
- Latency: Legitimate users may see heightened latency due to the network's difficulty in handling the surge of SYN requests, which may negatively affect the responsiveness of services.
- Bad User Experience: Users that try to access services on the impacted network may suffer delays or full unavailability, resulting in a diminished user experience.
- Network Congestion: Network congestion occurs when there is an overwhelming amount of SYN packets, which may negatively impact the network's performance and responsiveness.
- Reputation Damage: Extended service interruptions may result in reputation damage for the targeted company, causing users and customers to lose faith.
- Operational Costs: Organizations that have to cope with the aftermath of a SYN flood attack often incur substantial operational expenses, as they must allocate considerable resources and effort to mitigate its impact.
- Difficulty in Threat Detection: The detection of SYN flood assaults may be arduous, making it difficult to identify them in real time. This gives attackers the opportunity to take advantage of vulnerabilities for a prolonged period before any countermeasures can be put in place.
Why is SYN flood prevention important?
Almost any company with a public-facing website is vulnerable to SYN flood cyberattack. If a SYN flood is not identified and dealt with quickly, it can overload a server, causing it to respond slowly and deny further connections. This basically knocks the server offline, denying genuine users service, causing them to lose access to programs and data, and blocking e-commerce. The consequences may include a loss of company continuity, interruption of vital infrastructure, lost revenue, or a tarnished reputation. For certain businesses, like those in the healthcare industry, losing access to data can have fatal consequences.
SYN flood avoidance is critical since these attacks may inflict extensive damage to networks and systems. SYN floods disable servers and networks, rendering them inaccessible to authorized users. They may potentially cause data loss and other issues.
SYN floods are among the most popular forms of volumetric DoS attacks each year. They can be used in conjunction with or as a cover for other forms of attacks, such as ransomware or attempts to steal data or plant malware.
High-profile cyber attacks, such as the Mirai botnet, employ SYN flooding to crash servers and cause damage. Internet of Things devices are especially vulnerable to SYN flooding and DDoS attacks.
How is a SYN Flood Attack Mitigated?
Consider the following features for improved DDoS defense and faster mitigation of TCP SYN flood DDoS attacks:
- Increasing the backlog queue: Each operating system on a target device allows a fixed number of half-open connections. Raising the maximum number of half-open connections the operating system permits is one way to absorb large volumes of SYN packets. For a larger backlog to help, the system must have enough memory to hold all the pending requests; if it does not, performance suffers, though that may still be preferable to a denial of service.
- Recycling the Oldest Half-Open TCP Connection: Another mitigation is to overwrite the oldest half-open connection once the backlog is full. This approach requires legitimate connections to complete in less time than it takes the backlog to fill with fraudulent SYN packets. It fails when the attack volume increases or the backlog is too small for this to be practical.
- SYN Cookies: To avoid losing connections when the backlog is full, the server answers each connection request with a SYN-ACK packet and then drops the SYN request from the queue, freeing its memory while keeping the port open and ready to accept a new connection. The state the server would normally hold is instead encoded in the sequence number of its SYN-ACK. If the request is valid and the client sends the final ACK, the server recreates the backlog entry from that value (with some limits). Although this mitigation loses some information about the TCP connection, that is preferable to letting genuine users suffer a denial of service.
- Support for both inline and out-of-band deployment, to eliminate single points of failure on the network.
- Broad network visibility, including the capacity to observe and analyze data from many sections of the network.
- Multiple sources of threat intelligence for rapid and accurate detection, such as statistical anomaly detection, customized threshold alerts, and fingerprints of known or new threats.
- Scalability to handle attacks of different magnitudes, ranging from 1 Gbps to 40 Gbps.
- Intrusion detection systems (IDS) that can identify and block malicious traffic from a SYN flood or other DDoS attack, provided non-spoofed source IPs are used.
- Rate-limiting strategies that restrict the number of SYN requests or SYN packets sent to a server at any one time.
- Solutions for increased network visibility, allowing security personnel to observe and analyze traffic from various portions of the network.
- Firewalls that can filter out bogus SYN packets, although this comes at a performance penalty.
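As an added example (not code from the original article or from Zenarmor), a simplified SYN cookie encoder and validator in Python showing how the server keeps no backlog entry for a half-open connection and later rebuilds it from the client's final ACK. The layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash, added to the client's sequence number) follows the classic scheme; the secret, MSS table, addresses and timestamps are constructed for the demo.

```python
import hashlib
import hmac
import time

# Constructed server secret; a real implementation rotates it periodically.
SECRET = b"constructed-demo-secret"
# MSS values the 3-bit field can encode (index into this table; up to 8 entries).
MSS_TABLE = [536, 1300, 1440, 1460]
MASK32 = 0xFFFFFFFF

def _mac24(saddr, sport, daddr, dport, t):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def _counter(now):
    return (now // 64) & 0x1F             # 5-bit counter ticking every 64 seconds

def make_syn_cookie(saddr, sport, daddr, dport, client_isn, mss, now=None):
    """Build the server ISN for the SYN-ACK. No backlog entry is stored: the
    time counter, MSS choice and a keyed hash are packed into the ISN itself."""
    now = int(time.time()) if now is None else now
    t = _counter(now)
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):     # largest table value not above the client's MSS
        if m <= mss:
            mss_idx = i
    cookie = (t << 27) | (mss_idx << 24) | _mac24(saddr, sport, daddr, dport, t)
    return (cookie + client_isn) & MASK32  # bind the cookie to the client's sequence number

def check_syn_cookie(saddr, sport, daddr, dport, seq, ack, now=None):
    """Validate the handshake's final ACK (seq = client_isn+1, ack = server_isn+1).
    Returns the negotiated MSS when the cookie is genuine and fresh, else None.
    Other TCP options (window scale, SACK) are the information SYN cookies lose."""
    now = int(time.time()) if now is None else now
    cookie = (ack - seq) & MASK32         # (server_isn + 1) - (client_isn + 1)
    t, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
    if (_counter(now) - t) & 0x1F > 1:    # older than two ticks: stale, reject
        return None
    if (cookie & 0xFFFFFF) != _mac24(saddr, sport, daddr, dport, t):
        return None                       # forged, or replayed from another 4-tuple
    return MSS_TABLE[mss_idx]             # enough to rebuild the connection entry
```

A flood of SYNs costs this server nothing but the hash per SYN-ACK, because only ACKs that carry a valid cookie ever create state.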
How Does an Anti-DDoS System Prevent SYN Flood Attacks?
An anti-DDoS system processes SYN packets, detects spoofed source IP addresses, blocks packets from those addresses, and forwards only authentic SYN packets to the server. It handles SYN packets in two ways: source authentication and first-packet discard.
- Source Authentication: The anti-DDoS system intercepts a SYN packet sent by the client and replies with a SYN-ACK packet on behalf of the server. If the client does not respond, the system flags it as a spoofed source. If the client responds, the system deems it a legitimate source and whitelists its IP address; for a certain period it then lets all SYN packets from that source pass through without proxying the response.
- First-Packet Discard: If the anti-DDoS system replied to every SYN flood packet on the server's behalf, the performance bottleneck would simply shift to the anti-DDoS system. Once its resources were exhausted, attack packets would be passed transparently to the server. In addition, the large volume of SYN-ACK replies would put extra strain on the network. The anti-DDoS system avoids this by discarding the first SYN packet from each source.
The reliability of the TCP protocol rests not just on the three-way handshake but also on its timeout and retransmission mechanisms. In most circumstances, if a client does not receive a SYN-ACK from the server within a reasonable time after sending a SYN packet, it resends the SYN. The anti-DDoS system discards the first SYN packet it receives from each source. In a SYN flood, most of the SYN packets sent by the attacker carry different source IP addresses, so the anti-DDoS system treats all of them as first packets and discards them outright. When a client retransmits its SYN, the anti-DDoS system then authenticates the packet's source. This greatly reduces the proxying load on the anti-DDoS mechanism. The combination of first-packet discard and source authentication effectively protects against SYN flood attacks, particularly those using spoofed source IP addresses and ports.
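The two mechanisms described above, as an added example (not code from the article or from any anti-DDoS product): a constructed Python model of a front end that discards the first SYN from each source, challenges the retransmitted SYN with a proxy SYN-ACK, whitelists sources that answer correctly, and counts sources that never answer as spoofed. Timeouts, addresses and the flood generator are constructed.

```python
import secrets

class SynGuard:
    """Constructed model of an anti-DDoS front end combining first-packet
    discard with source authentication (SYN-ACK proxy)."""

    def __init__(self, auth_timeout=3, whitelist_ttl=300, seen_ttl=10):
        self.auth_timeout = auth_timeout    # seconds to wait for the client's ACK
        self.whitelist_ttl = whitelist_ttl  # seconds a verified source stays trusted
        self.seen_ttl = seen_ttl            # how long a dropped first SYN is remembered
        self.seen = {}        # (src, sport) -> time the first SYN was discarded
        self.pending = {}     # (src, sport) -> (proxy ISN, time SYN-ACK was sent)
        self.whitelist = {}   # src -> expiry time
        self.false_sources = 0
        self.forwarded = 0

    def handle_syn(self, src, sport, now):
        """Returns (action, proxy_isn); proxy_isn is set only for a challenge."""
        if self.whitelist.get(src, -1) > now:
            self.forwarded += 1            # trusted source: pass through unproxied
            return "FORWARD", None
        key = (src, sport)
        if key not in self.seen:
            self.seen[key] = now           # first SYN: discard; a real stack retransmits
            return "DROP_FIRST", None
        # Retransmitted SYN: reply SYN-ACK on the server's behalf with a random ISN
        isn = secrets.randbits(32)
        self.pending[key] = (isn, now)
        return "CHALLENGE", isn

    def handle_ack(self, src, sport, ack, now):
        key = (src, sport)
        entry = self.pending.get(key)
        if entry is None or ack != (entry[0] + 1) & 0xFFFFFFFF:
            return "DROP_BAD_ACK"          # nothing outstanding, or wrong ack number
        del self.pending[key]
        self.whitelist[src] = now + self.whitelist_ttl
        self.seen.pop(key, None)
        return "AUTH_OK"

    def sweep(self, now):
        """Expire unanswered challenges (spoofed sources) and stale first-SYN entries.
        The 'seen' table is the memory a flood can grow; real devices bound it."""
        stale = [k for k, (_, t) in self.pending.items() if now - t > self.auth_timeout]
        for k in stale:
            del self.pending[k]
            self.seen.pop(k, None)
            self.false_sources += 1
        for k in [k for k, t in self.seen.items() if now - t > self.seen_ttl]:
            del self.seen[k]
        return len(stale)

def spoofed_flood(guard, count, now):
    """Constructed flood: every SYN has a fresh spoofed source, so none is retransmitted."""
    actions = [guard.handle_syn(f"203.0.113.{i % 250 + 1}", 1024 + i, now)[0]
               for i in range(count)]
    return actions.count("DROP_FIRST")
```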
Is SYN flooding illegal?
Sometimes yes, sometimes no. Although threat actors frequently employ this tactic, SYN flooding is not necessarily unlawful. SYN flooding is a valid method for network testing and debugging used by security experts and ethical hackers alike. Penetration testing is the deliberate, authorized exploitation of a computer system or network to find and remedy weaknesses.
However, using SYN flooding to harm another computer system is prohibited. Attackers may face civil penalties or fines. In the United States, a DDoS attack using SYN flooding is considered a cybercrime. Depending on the circumstances, it may be a federal violation under the Computer Fraud and Abuse Act.
What does SYN mean in networking?
The term "SYN" is a shortened form of the word "synchronize". It is derived from the function of these packets, which is to synchronize sequence numbers during the establishment of a connection under the TCP/IP architecture.
The TCP/IP architecture uses a procedure known as the 'three-way handshake' to establish a connection between two hosts on a network. The connection is established in three steps: SYN, SYN-ACK, and ACK. The client initiates the communication by sending a SYN packet to the server. The server responds by sending a SYN-ACK packet back to the client. Finally, the client acknowledges the server's response by sending an ACK packet. This procedure establishes a reliable connection between the two hosts.
What firewall type will prevent SYN flood attacks?
Proxies and firewalls provide an extra line of defense by filtering out harmful traffic before it reaches the target server. Gateways, firewalls, and proxies inspect incoming traffic and block or permit connections according to predefined rules. This additional layer of defense lowers the likelihood that a SYN flood attack will succeed.
Configure firewalls to block connections from unknown or known-malicious IP addresses and to restrict incoming traffic.
To identify and stop SYN flood attacks, use network security tools such as intrusion detection systems (IDS) and intrusion prevention systems (IPS).
You can stop SYN flood attacks by deploying an intrusion prevention system (IPS), updating your networking hardware, configuring your firewall, and installing commercial monitoring tools.
Install an IPS to identify unusual traffic patterns, and configure the on-site firewall with SYN flood protection and SYN attack thresholds where it supports them.
How does Zenarmor mitigate SYN Flood attacks?
Starting from version 1.17, Zenarmor can detect SYN flood attacks. It does so by checking the SYN cache buffer. The SYN cache is a mechanism designed to counter SYN flood attacks by tracking and responding to repeated SYN requests without involving the real server. Zenarmor sends you a notification when the SYN cache buffer on your firewall reaches a threshold value determined by Zenarmor. This happens when there is a high volume of SYN packets and half-open TCP connections, signaling a SYN flood attack on your network.
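As an added example (not code from the article or from Zenarmor), the same threshold idea applied to a constructed snapshot of a host's connection table in the column layout of `ss -tan` output: count half-open (SYN-RECV) connections, alert past a threshold, and use the source distribution to tell a single-source attack (blockable by address) from a spoofed or distributed one. The addresses, threshold and sample lines are constructed; a NAT gateway can also legitimately appear as one busy source, so the "direct" verdict is a hint, not proof.

```python
from collections import Counter

def build_sample(half_open=40, established=3, single_source=False):
    """Constructed connection-table lines for the protected service 10.0.0.5:443."""
    lines = ["State     Recv-Q Send-Q Local Address:Port Peer Address:Port"]
    for i in range(established):
        lines.append(f"ESTAB     0      0      10.0.0.5:443       192.0.2.{10 + i}:{51000 + i}")
    for i in range(half_open):
        # spoofed flood: every half-open entry from a different peer; direct: one peer
        peer = "203.0.113.7" if single_source else f"203.0.113.{i + 1}"
        lines.append(f"SYN-RECV  0      0      10.0.0.5:443       {peer}:{41000 + i}")
    return lines

def parse_states(lines):
    """Return (state, local, peer_ip) tuples, skipping the header line."""
    rows = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        rows.append((state, local, peer.rsplit(":", 1)[0]))
    return rows

def assess(lines, half_open_threshold=32, single_source_share=0.8):
    """Threshold check on half-open connections plus a source-distribution hint."""
    rows = parse_states(lines)
    half_open = [peer for state, _, peer in rows if state == "SYN-RECV"]
    estab = sum(1 for state, _, _ in rows if state == "ESTAB")
    sources = Counter(half_open)
    top = sources.most_common(1)[0] if half_open else (None, 0)
    verdict = {
        "half_open": len(half_open),
        "established": estab,
        "distinct_sources": len(sources),
        "alert": len(half_open) >= half_open_threshold,
    }
    if verdict["alert"]:
        # one dominant source -> direct attack, block by address;
        # many distinct sources -> spoofed or botnet, blocking addresses is futile
        direct = top[1] / len(half_open) >= single_source_share
        verdict["pattern"] = "direct" if direct else "spoofed-or-distributed"
        verdict["top_source"] = top[0]
    return verdict
```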
What is the difference between SYN flood and ICMP flood?
Ping floods, also known as ICMP floods, are sometimes confused with SYN floods, another popular DDoS method. There are a few significant differences between a SYN flood and an ICMP flood, even though both flood the target with bogus traffic:
- Protocol used: SYN floods use TCP SYN packets, whereas ping floods use ICMP echo requests.
- Establishing connections: SYN floods make many unsuccessful attempts to establish connections, whereas ping floods never attempt to establish TCP connections at all.
- Impact: Because the target must manage half-open connections, SYN floods place more strain on server resources, while ping floods consume more incoming bandwidth.
- Detection: Ping floods are simpler to spot from the volume of ICMP traffic, whereas it can be harder to distinguish SYN floods from legitimate connection attempts.
In short, SYN floods impose more server processing overhead, whereas ping floods consume more bandwidth. Either one can effectively deny service to legitimate users.
