DEV Community

Shivam Chamoli

SYN Flood Attack

Overview of SYN Flood Attack

The SYN flood is also known as the TCP SYN flood because it abuses the TCP three-way handshake. Attackers can target any internet-facing system that offers TCP services, such as email or file transfer servers, by sending a stream of SYN requests to the server from random, often spoofed, source IP addresses. It is a form of DDoS attack in which the continual stream of SYN packets overwhelms the target, leaving it unable to accept new connections from legitimate clients and authorized customers.

How Does a SYN Flood Attack Work?

SYN flood attacks take advantage of the TCP connection's handshake phase.

When a client and server form a connection, a regular TCP connection is established via the three-way handshake.

  1. The client starts a connection with the server by sending a SYN packet.
  2. The server responds with a SYN/ACK packet and creates a data structure for the connection in the SYN backlog, known as a Transmission Control Block (TCB).
  3. The client replies to the SYN/ACK with an ACK packet, which completes the handshake and establishes the connection.

A SYN flood is often called a half-open attack because the attacker exploits this three-way handshake of the Transmission Control Protocol, as follows:

  1. The attacker repeatedly sends SYN packets to the targeted server, frequently using spoofed IP addresses.
  2. The server, unaware of the attack, answers each connection request with a SYN-ACK packet and keeps a half-open connection waiting for the response.
  3. The attacker continues to transmit SYN packets while the server waits for the final ACK packet, which never arrives.
  4. Because each half-open connection remains open, another SYN packet from the attacker arrives before the timeout can occur.
  5. At a certain point, the server becomes overloaded by the attacker's requests and communication with legitimate traffic becomes difficult or impossible.
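The half-open state described above is what a defender can measure. The following is an added example, not code from the original post: a small monitor that tracks SYN packets that were never followed by an ACK and flags a destination whose handshakes are overwhelmingly half-open. The record format, the sample traffic and the thresholds are constructed assumptions.

```python
# Added example (not from the original post): flag SYN-flood behaviour by
# counting half-open handshakes per destination. Record format and
# thresholds are assumptions for illustration.
from collections import defaultdict

# Constructed sample traffic: (src_ip, dst_ip, dst_port, tcp_flags).
# Two normal clients complete the handshake (SYN, then ACK); forty flood
# sources each send a single SYN from a different (spoofed) address.
SAMPLE = [
    ("10.0.0.5", "192.0.2.10", 80, "S"),
    ("10.0.0.5", "192.0.2.10", 80, "A"),
    ("10.0.0.6", "192.0.2.10", 80, "S"),
    ("10.0.0.6", "192.0.2.10", 80, "A"),
] + [(f"198.51.100.{i}", "192.0.2.10", 80, "S") for i in range(1, 41)]


def half_open_stats(packets):
    """Return ({(dst, port): half_open}, {(dst, port): completed})."""
    pending = set()                 # (src, dst, port) with SYN seen, no ACK yet
    completed = defaultdict(int)
    half_open = defaultdict(int)
    for src, dst, port, flags in packets:
        key = (src, dst, port)
        if flags == "S":
            pending.add(key)        # a new half-open entry in the backlog
        elif flags == "A" and key in pending:
            pending.discard(key)    # handshake finished, backlog slot freed
            completed[(dst, port)] += 1
    for _, dst, port in pending:    # whatever is still pending is half-open
        half_open[(dst, port)] += 1
    return dict(half_open), dict(completed)


def detect_syn_flood(packets, min_half_open=20, min_ratio=0.8):
    """Return [((dst, port), half_open_count, half_open_ratio)] for targets
    with at least min_half_open pending SYNs making up >= min_ratio of all
    handshakes seen. Both thresholds are illustrative assumptions."""
    half_open, completed = half_open_stats(packets)
    alerts = []
    for target, n_half in half_open.items():
        total = n_half + completed.get(target, 0)
        ratio = n_half / total
        if n_half >= min_half_open and ratio >= min_ratio:
            alerts.append((target, n_half, round(ratio, 2)))
    return alerts


if __name__ == "__main__":
    print(detect_syn_flood(SAMPLE))
```

The two legitimate clients are not flagged because their handshakes complete; only the destination with forty unanswered SYNs is reported.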

How Does a SYN Flood Attack Happen?

A SYN flood attack can occur in three ways.

1. Direct SYN Flood Attack: In this method, the attacker launches the SYN flood using their own IP address.
2. SYN Spoofed Attack: The attacker uses a fake source IP address on each SYN packet sent to the server. Spoofing makes it tough to identify the attacker and to trace the packets back to their origin.
3. DDoS SYN Flood Attack: A Distributed Denial of Service SYN flood attack occurs when the server receives SYN packets from multiple compromised computers under the attacker's control.

How to Mitigate a SYN Flood Attack?

The following methods can be used to mitigate SYN flood attacks:

● Intrusion Detection System (IDS)

● Expanding backlog queue

● Firewall filtering

● RST cookies

● SYN cookies

● Recycled half-open connections

How can InfosecTrain help you?

We see various cyberattacks on networks every day. InfosecTrain offers a range of cybersecurity certification training courses that cover the essential knowledge for preventing emerging cyberattacks. You can enroll in our network security training course to learn how to detect SYN flood attacks and the practices that protect against such threats.