A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system. SYN (synchronize) is a type of packet used by the Transmission Control Protocol (TCP) when initiating a new connection to sychronize the sequence numbers on two connecting computers.
When a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which normally runs like this:
- The client requests a connection by sending a SYN (synchronize) message to the server.
- The server acknowledges this request by sending SYN-ACK back to the client, which,
- Responds with an ACK, and the connection is established.
- This is called the TCP three-way handshake, and is the foundation for every connection established using TCP/IP protocols.
A malicious client can skip sending this last ACK message. The server will wait for this bit for some time, as simple network congestion could also be the cause of the missing ACK.
If this so called half-open connection binds resources on the server or the server software is licensed per-connection, as is the case in many operating systems, it may be possible to take up all these resources or run out of Client Access Licenses by flooding the server with SYN messages. Once all resources set aside for half-open connections are reserved, no new connections be they legitimate or not can be made, resulting in denial of service. Some systems may malfunction badly or even crash if other operating system functions are stripped of resources this way.
Defense: Includes SYN cookies or limiting the number of new connections from a source per timeframe. SYN cookies are particular choices of TCP initial sequence numbers (ISNs) by TCP servers.