Securing Protocol Layers   «Prev 

SYN Flood Attack - Transport Layer

A SYN Flood attack is a form of Denial-of-Service (DoS) attack that exploits the three-way handshake mechanism of the Transmission Control Protocol (TCP), a core protocol in the Transport Layer of the TCP/IP suite. This mechanism is essential for establishing connections between two hosts in a TCP network.
The three-way handshake process includes the following steps:
  1. The initiating host (Client) sends a SYN (synchronization) packet to the host it wishes to connect to (Server). This packet signals the client's intent to establish a communication channel.
  2. The receiving host (Server) acknowledges the request by sending a SYN-ACK (synchronization-acknowledged) packet back to the client.
  3. The initiating host (Client) then acknowledges the server's SYN-ACK with an ACK (acknowledgment) packet. After this step, the connection is established and data transfer can begin.

A SYN Flood attack abuses this process with the aim of exhausting a target system's resources and rendering it unresponsive to legitimate traffic. The attack's specific characteristics are:
  1. High Volume of SYN Packets: The attacker sends a rapid succession of SYN packets to the target host, often using a botnet or other means to generate a massive amount of traffic. This overwhelms the target's ability to process incoming connection requests.
  2. Spoofed Source IP Addresses: The SYN packets typically have a falsified source IP address. This makes it difficult for the victim to respond to the SYN-ACK packet, as it is sent to an IP address that didn't originate the request. This also makes it harder to trace the attack back to the actual source.
  3. Incomplete Handshakes: As the attacker does not respond to the SYN-ACK packets sent by the victim, a significant number of half-open connections are left on the victim's system. These connections are in a state known as "SYN_RECEIVED."
  4. Resource Exhaustion: Each half-open connection consumes resources on the victim's system. When the number of such connections crosses a certain threshold, the system can no longer accept new connection requests. Legitimate users trying to connect to the system are then denied service.

In the face of such threats, network administrators should deploy strategies to detect and mitigate SYN Flood attacks. These can include setting sensible SYN Received timeouts, implementing SYN cookies, deploying intrusion detection and prevention systems (IDS/IPS), or configuring firewalls to limit the rate of SYN packets from a single source.

SYN flood is a form of DOS Attack

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to the system of a target in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
A SYN flood attack works by not responding to the server with the expected ACK code. The malicious client can either simply not send the expected ACK, or by spoofing the source IP address in the SYN, causing the server to send the SYN-ACK to a falsified IP address, which will not send an ACK because it "knows" that it never sent a SYN.
The server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK.
In an attack, the half-open connections created by the malicious client bind resources on the server and may eventually exceed the resources available on the server. At that point, the server cannot connect to any clients, whether legitimate or otherwise. This effectively denies service to legitimate clients. Some systems may also malfunction or crash when other operating system functions are starved of resources in this way.