Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

2 min read

What is a SYN flood attack?

What is a SYN flood attack?

A SYN flood attack (half-open attack) is a DDoS attack that aims to render a server or online service unavailable to legitimate users by overwhelming the server's resources. This is achieved by repeatedly sending a large number of initial connection request (SYN) packets to the targeted server. As a result, all available ports on the server become occupied, causing the server to respond slowly or not at all to legitimate traffic.


How does a SYN flood attack work?

To understand how a SYN flood attack works, it is essential to grasp the basic TCP handshake process. In a normal TCP connection, three distinct processes occur:

  1. The client sends a SYN packet to the server to initiate the connection.
  2. The server responds with a SYN/ACK packet to acknowledge the communication.
  3. The client sends an ACK packet back to the server to confirm the receipt and complete the handshake.

However, in a SYN flood attack, the attacker exploits the fact that the server responds to each SYN packet by leaving an open port ready to receive the response. The attacker floods the targeted server with a high volume of SYN packets, often using spoofed IP addresses. 

As the server waits for the final ACK packet, which never arrives, the attacker continues to send more SYN packets, temporarily occupying new open ports. Eventually, all available ports are utilized, preventing the server from functioning normally.

Related: What is spoofing?


Different types of SYN attacks

SYN flood attacks can occur in various ways, each with its characteristics and implications. The three main types of SYN attacks are:


Direct attack

In a direct attack, the attacker does not mask their IP address. They use a single source device with a real IP address to create the attack. This makes the attacker vulnerable to discovery and mitigation.


Spoofed attack

In a spoofed attack, the attacker intentionally spoofs the IP address on each SYN packet they send. This inhibits mitigation efforts and makes tracing the attack back to its source challenging. 


Distributed attack (DDoS)

A distributed attack involves using a botnet, a network of compromised devices controlled by the attacker. In this type of attack, each distributed device may also spoof the IP addresses from which it sends packets.

Go deeper: 


Mitigation techniques for SYN floods

Since SYN flood attacks have been a known vulnerability for a long time, several mitigation techniques have been developed:


Increasing backlog queue

One method to mitigate SYN flood attacks is to increase the maximum number of half-open connections allowed by the operating system on the targeted device. By raising the maximum backlog, the system can handle more SYN packets.


Recycling the oldest half-open TCP connection

Another mitigation strategy involves overwriting the oldest half-open connection once the backlog has been filled. This approach assumes that legitimate connections can be established faster than the backlog can be filled with malicious SYN packets. 


SYN cookies

SYN cookies offer an alternative mitigation technique. When a server receives a SYN request, it creates a cookie to track the connection. Instead of dropping the SYN request from the backlog, the server responds with a SYN-ACK packet but removes the request from memory, leaving the port open. If the client machine sends a final ACK packet to complete the connection, the server reconstructs the SYN backlog queue entry. 

See also: HIPAA Compliant Email: The Definitive Guide

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.