Securing Protocol Layers   «Prev 

SYN Flood Attack - Transport Layer

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to the system of a target in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
A SYN flood attack works by not responding to the server with the expected ACK code. The malicious client can either simply not send the expected ACK, or by spoofing the source IP address in the SYN, causing the server to send the SYN-ACK to a falsified IP address, which will not send an ACK because it "knows" that it never sent a SYN.
The server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK.
In an attack, the half-open connections created by the malicious client bind resources on the server and may eventually exceed the resources available on the server. At that point, the server cannot connect to any clients, whether legitimate or otherwise. This effectively denies service to legitimate clients. Some systems may also malfunction or crash when other operating system functions are starved of resources in this way.

SYN flood attack

1) In a SYN flood attack a series of SYN requests are made using a spoofed IP Address. The requesting host or client sends a message with a SYN flag and a unique sequence ID to establsih a connection with the remote host.

2) The remote or server will respond with a SYN flag and the sequence ID of the client

3) To complete the connection, a reply is sent in the form of an ACK flag from the requesting host and confirmed by the remote host.

4) The remote host responds to the requests and waits for the reply

5) In a SYN flood attack, repeated SYN requests congest the remot host until the flooding stops. The allocation of memory will help prevent SYN flood attacks.