What Is SYN Flood?

How Does SYN Flood Occur?

SYN flood, as the name implies, uses a flood of SYN packets to attack the system. A SYN packet refers to the Synchronize packet in the TCP protocol and is the first packet in the TCP three-way handshake process. The following describes a normal TCP three-way handshake process.

TCP three-way handshake process

1. When a connection starts to be established, the client sends a SYN packet to the server and waits for an acknowledgment from the server. The source IP address and port number of the SYN packet are the IP address and port number of the client.
2. After receiving the SYN packet, the server replies with a Synchronize-Acknowledgment (SYN-ACK) packet. The destination address and port number of the SYN-ACK packet are the IP address and port number of the client.
3. After receiving the SYN-ACK packet from the server, the client sends back an ACK packet. After the server receives this ACK packet, the three-way handshake is complete and the TCP connection is established.

The server continues to wait for an ACK packet until the connection times out. In this case, it is a half-open connection. Half-open connections are counted in the number of connections to the server. If the number of connections are used up, the server cannot provide normal services. Hackers leverage this mechanism to implement SYN flood.

SYN flood process

Hackers usually send a large number of SYN packets with fake source IP addresses or ports to the server to request the establishment of TCP connections. As the source IP address or port is forged, the SYN-ACK packet sent by the server will never be received or replied to by the real client. In rare cases, hackers use real source IP addresses to send massive SYN packets through attack tools. These tools do not respond to SYN-ACK packets from the server. However, the server cannot receive the ACK packet, and a large number of half-open connections are generated. In this case, the server needs to maintain a large waiting list while trying to resend SYN-ACK packets. In addition, a large number of resources cannot be released. When the server is fully occupied by these malicious half-open connections, it does not respond to new SYN packets. As a result, normal users cannot establish TCP connections.

How Can We Defend Against SYN Flood?

The purpose of SYN flood is to occupy all server connections and consume its system resources. For servers, the most direct way to defend against such attacks is to improve service capabilities, which can be achieved by creating a cluster and upgrading hardware. However, this method involves significant costs and has little impact on large numbers of attack packets. It only takes several minutes or even seconds.

As such, these attack packets must be intercepted before they reach the server. For security devices such as the firewall, SYN packets are considered normal service packets, and the firewall's security policy must allow them to pass through. Otherwise, the server cannot provide services for external users. If the IP address of the fake source is identified, the SYN packets from the source can be blocked through refined security policies. However, the administrator cannot predict which sources are fake. Even if the fake source could be identified, it is impossible to quickly and automatically configure or cancel security policies to cope with unexpected attack traffic.

In this case, the anti-DDoS system is required. This system is deployed at the network ingress to process SYN packets, identify fake source IP addresses, shield packets from these IP addresses, and transmit only valid SYN packets to the server. The anti-DDoS system processes SYN packets in two ways: source authentication and first-packet drop.