
What Is SYN Flood?

SYN flood is one of the oldest and most classic Distributed Denial of Service (DDoS) attacks on the Internet. It abuses the TCP three-way handshake. An attacker, typically using attack tools or a botnet of zombie hosts, sends a large number of TCP SYN packets with varying (usually spoofed) source IP addresses or ports to the server. The server answers each of them and is left holding a large number of half-open connections. Once its connection resources are exhausted, it can no longer serve legitimate clients.
Improving server performance and adding connection capacity helps only marginally against a massive SYN flood. The key to defending against it is to determine which connection requests come from genuine sources and to discard those from fake sources, so that normal service requests can still be processed.

How Does SYN Flood Occur?

SYN flood, as the name implies, uses a flood of SYN packets to attack the system. A SYN packet refers to the Synchronize packet in the TCP protocol and is the first packet in the TCP three-way handshake process. The following describes a normal TCP three-way handshake process.

Figure: TCP three-way handshake process

  1. To start a connection, the client sends a SYN packet to the server and waits for an acknowledgment. The source IP address and port number of the SYN packet are those of the client.
  2. After receiving the SYN, the server replies with a Synchronize-Acknowledgment (SYN-ACK) packet, which acknowledges the client's SYN and carries the server's own initial sequence number. Its destination address and port number are those of the client. At this point the server has allocated state for the connection and is waiting for the final ACK; the connection is half-open.
  3. After receiving the SYN-ACK, the client sends back an ACK packet. When the server receives this ACK, the three-way handshake is complete and the TCP connection is established.

If the final ACK never arrives, the server keeps the half-open connection and retransmits the SYN-ACK until the connection times out. Half-open connections count against the server's connection (SYN backlog) limit. When that limit is reached, new SYN packets are dropped and the server cannot provide normal services. Attackers exploit exactly this mechanism to launch a SYN flood.

Figure: SYN flood process

Attackers usually send a large number of SYN packets with forged source IP addresses or ports to the server to request TCP connections. Because the source is forged, the SYN-ACK sent by the server goes to a host that never sent a SYN, or to an unused address, so no ACK ever comes back. Less often, attackers send massive SYN packets from real source addresses using attack tools that simply ignore the server's SYN-ACK. In both cases the server never receives the ACK, and a large number of half-open connections build up. The server has to maintain a long waiting list while retransmitting SYN-ACK packets, and the resources tied to those entries cannot be released. Once the server is fully occupied by malicious half-open connections, it stops responding to new SYN packets, and normal users cannot establish TCP connections.
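The backlog-exhaustion mechanism described above, as an added example that is not code from the original page: a toy model of a server's SYN backlog. The backlog size, the hold time for an unanswered entry, the flood rate and the addresses are all assumed values chosen for illustration. The point it shows is that a server refuses a genuine client's SYN while spoofed half-open entries occupy the backlog, and accepts it again only once those entries have timed out.

```python
"""Toy model of a server's SYN backlog under a spoofed SYN flood.

Added example, not code from the original page. The backlog size and hold
time are assumed values: real stacks keep a half-open entry while they
retransmit the SYN-ACK several times, which is what makes the hold time long
relative to the rate at which SYNs arrive.
"""
from dataclasses import dataclass, field


@dataclass
class Server:
    backlog: int            # maximum number of half-open connections (assumed value)
    hold_seconds: float     # how long an unanswered entry is kept while the SYN-ACK is retried (assumed)
    half_open: dict = field(default_factory=dict)   # (src_ip, src_port) -> arrival time of the SYN
    established: int = 0
    refused: int = 0

    def expire(self, now: float) -> None:
        """Release half-open entries whose SYN-ACK retransmissions have all timed out."""
        stale = [k for k, t in self.half_open.items() if now - t >= self.hold_seconds]
        for k in stale:
            del self.half_open[k]

    def on_syn(self, src: tuple, now: float) -> bool:
        """Handshake step 1 as seen by the server. Returns True if a SYN-ACK is sent."""
        self.expire(now)
        if len(self.half_open) >= self.backlog:
            self.refused += 1       # backlog full: the SYN is silently dropped
            return False
        self.half_open[src] = now   # SYN-ACK sent, now waiting for the client's ACK
        return True

    def on_ack(self, src: tuple, now: float) -> bool:
        """Handshake step 3: the ACK completes the connection and frees the half-open entry."""
        if self.half_open.pop(src, None) is None:
            return False            # no matching half-open connection
        self.established += 1
        return True


def simulate(backlog: int = 256, hold_seconds: float = 60.0, flood_pps: int = 100) -> dict:
    """Flood the server with never-ACKed SYNs, then see whether a real client can connect."""
    srv = Server(backlog, hold_seconds)
    # Constructed attack traffic: spoofed, non-repeating source addresses and ports,
    # sent at flood_pps packets per second. None of them will ever send an ACK.
    n_attack = 4 * backlog
    for i in range(n_attack):
        spoofed = (f"203.0.113.{i % 254 + 1}", 1024 + i)
        srv.on_syn(spoofed, now=i / flood_pps)
    t_end = n_attack / flood_pps

    legit = ("198.51.100.7", 40000)
    # A genuine client arrives while the attack entries are still held...
    during_flood = srv.on_syn(legit, now=t_end + 1.0)
    # ...and tries again after every attack entry has timed out.
    after_expiry = srv.on_syn(legit, now=t_end + hold_seconds + 1.0)
    if after_expiry:
        srv.on_ack(legit, now=t_end + hold_seconds + 1.1)
    return {"during_flood": during_flood, "after_expiry": after_expiry,
            "refused": srv.refused, "established": srv.established}


if __name__ == "__main__":
    print(simulate())
```

With the default values, 1024 spoofed SYNs arrive in about ten seconds, the first 256 fill the backlog, the remaining 768 are refused, and the genuine client is refused as well until the 60-second hold time has passed. Note the asymmetry the attack relies on: each spoofed SYN costs the attacker one packet, while it costs the server a backlog entry for the whole hold time.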

How Can We Defend Against SYN Flood?

The purpose of a SYN flood is to occupy all of the server's connection slots and exhaust its system resources. The most direct server-side defense is to increase service capacity, by building a cluster and upgrading hardware. However, this is expensive and has little effect against a large volume of attack packets: the added capacity is consumed within minutes or even seconds. Operating systems also limit the damage locally (for example, SYN cookies avoid storing state for half-open connections), but this does not stop the attack traffic itself from consuming bandwidth and CPU.

Therefore, the attack packets must be intercepted before they reach the server. To a security device such as a firewall, SYN packets are normal service packets, and its security policy must allow them through; otherwise the server cannot serve external users. If the fake source addresses were known, SYN packets from them could be blocked with fine-grained security policies. However, the administrator cannot predict which sources are fake, and even if they could be identified, security policies cannot be configured and withdrawn quickly and automatically enough to keep up with unexpected attack traffic.

This is where an anti-DDoS system is required. It is deployed at the network ingress to process SYN packets, identify fake source IP addresses, drop packets from those addresses, and forward only valid SYN packets to the server. The anti-DDoS system processes SYN packets in two ways: source authentication and first-packet drop.

Source Authentication

The anti-DDoS system intercepts the SYN packet sent by the client and answers it with a SYN-ACK on the server's behalf. If no ACK comes back, the source is treated as fake. If the client responds with a correct ACK, the source is treated as genuine and its IP address is whitelisted. For a period of time thereafter, SYN packets from that source are forwarded to the server without any proxy response.

First-Packet Drop

If the anti-DDoS system answered every SYN flood packet on the server's behalf, the performance bottleneck would simply move from the server to the anti-DDoS system. Once the anti-DDoS system's resources are exhausted, attack packets are passed through to the server unchecked. In addition, the large number of proxied SYN-ACK packets puts extra load on the network. The anti-DDoS system uses first-packet drop to solve this problem.

TCP's reliability rests not only on the three-way handshake but also on its timeout and retransmission mechanism. Normally, if the client does not receive a SYN-ACK within a certain time after sending a SYN, it retransmits the SYN. The anti-DDoS system exploits this by discarding the first SYN it receives from a given source. In a SYN flood, most SYN packets carry constantly changing source IP addresses, so every one of them looks like a first packet to the anti-DDoS system and is discarded outright. A genuine client retransmits its SYN, and only that retransmitted SYN is put through source authentication. This greatly reduces the proxy load on the anti-DDoS system. The cost is that every new, not-yet-whitelisted source pays one SYN retransmission timeout (about one second on common TCP stacks) before its connection is set up. The combination of first-packet drop and source authentication is an effective defense against SYN flood attacks, especially those using forged source IP addresses and ports.
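The two mechanisms just described, source authentication and first-packet drop, as one added example that is not the vendor's implementation: a simplified SYN filter that drops the first SYN from each unknown source, proxies the SYN-ACK for a retransmitted SYN, validates the client's ACK, and whitelists the source. Packets are plain dicts, the timer values are assumptions, and the proxied SYN-ACK uses an HMAC-based cookie as its sequence number (an assumed design, not something the page states) so the ACK can be checked without keeping state for every proxied handshake. How the real device finishes or resets the proxied connection afterwards is also an assumption; here the source is whitelisted and the client's next SYN is forwarded.

```python
"""Simplified anti-DDoS SYN filter: first-packet drop followed by source authentication.

Added example, not the vendor's implementation. Timer values, the packet
representation and the cookie construction are assumptions. The retry window
must be longer than a client's SYN retransmission timeout (about 1 s initially
on common stacks), or genuine retransmissions would be treated as new first
packets and dropped again.
"""
import hashlib
import hmac

SEQ_MASK = 0xFFFFFFFF


class SynFilter:
    def __init__(self, secret: bytes, retry_window: float = 3.0,
                 whitelist_ttl: float = 60.0, cookie_rotation: float = 64.0):
        self.secret = secret
        self.retry_window = retry_window        # assumed: how long a dropped first SYN is remembered
        self.whitelist_ttl = whitelist_ttl      # assumed: how long an authenticated source is trusted
        self.cookie_rotation = cookie_rotation  # assumed: cookie epoch length in seconds
        self.first_seen = {}                    # 4-tuple -> time of the first (dropped) SYN
        self.whitelist = {}                     # src_ip -> expiry time

    def _cookie(self, src_ip, src_port, dst_ip, dst_port, epoch: int) -> int:
        """32-bit sequence number bound to the connection 4-tuple and a time epoch."""
        msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{epoch}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, pkt: dict, now: float):
        """Return (verdict, reply). Verdicts: 'forward', 'drop', 'proxy_synack'."""
        src_ip = pkt["src_ip"]
        if self.whitelist.get(src_ip, 0.0) > now:
            return "forward", None              # authenticated source: no proxy, pass to server
        key = (src_ip, pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
        first = self.first_seen.get(key)
        if first is None or now - first > self.retry_window:
            # First-packet drop: a spoofed source never retransmits, a real TCP stack does.
            self.first_seen[key] = now
            return "drop", None
        # Retransmitted SYN: source authentication, answer on the server's behalf.
        epoch = int(now // self.cookie_rotation)
        seq = self._cookie(src_ip, pkt["src_port"], pkt["dst_ip"], pkt["dst_port"], epoch)
        syn_ack = {"src_ip": pkt["dst_ip"], "src_port": pkt["dst_port"],
                   "dst_ip": src_ip, "dst_port": pkt["src_port"],
                   "seq": seq, "ack": (pkt["seq"] + 1) & SEQ_MASK}
        return "proxy_synack", syn_ack

    def on_ack(self, pkt: dict, now: float):
        """Check the third-handshake ACK against the cookie; whitelist the source on success."""
        epoch = int(now // self.cookie_rotation)
        for e in (epoch, epoch - 1):            # accept the previous epoch to tolerate rollover
            cookie = self._cookie(pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"], e)
            if pkt["ack"] == (cookie + 1) & SEQ_MASK:
                self.whitelist[pkt["src_ip"]] = now + self.whitelist_ttl
                return "whitelist", pkt["src_ip"]
        return "drop", None                     # forged or stale ACK: no state was ever created


def run_demo():
    """Constructed trace: a spoofed flood, then one genuine client, then a forged ACK."""
    flt = SynFilter(secret=b"demo-secret-not-for-production")
    server = {"dst_ip": "192.0.2.10", "dst_port": 443}
    verdicts = {"drop": 0, "proxy_synack": 0, "forward": 0}
    # 500 spoofed SYNs, each from a source that is never seen again: all first packets.
    for i in range(500):
        pkt = dict(server, src_ip=f"203.0.113.{i % 254 + 1}", src_port=1024 + i, seq=1000 + i)
        verdicts[flt.on_syn(pkt, now=i * 0.002)[0]] += 1
    # Genuine client: SYN at t=1.0 is dropped, the retransmission after a 1 s RTO is proxied.
    client = dict(server, src_ip="198.51.100.7", src_port=51234, seq=7000)
    v1, _ = flt.on_syn(client, now=1.0)
    v2, syn_ack = flt.on_syn(client, now=2.0)
    ack = dict(server, src_ip=client["src_ip"], src_port=client["src_port"],
               ack=(syn_ack["seq"] + 1) & SEQ_MASK)
    v3, _ = flt.on_ack(ack, now=2.05)
    # The client's next connection attempt from the whitelisted address goes straight through.
    v4, _ = flt.on_syn(dict(client, src_port=51235, seq=9000), now=2.3)
    # An attacker who skips the SYN-ACK and guesses the ACK number is not whitelisted.
    forged = dict(server, src_ip="203.0.113.99", src_port=60000, ack=123456)
    v5, _ = flt.on_ack(forged, now=2.4)
    return verdicts, (v1, v2, v3, v4, v5)


if __name__ == "__main__":
    print(run_demo())
```

Two caveats worth keeping in mind when reading this. The `first_seen` table still grows with every spoofed SYN, so a production device has to bound it (a fixed-size hashed table with aging rather than a plain dict); the saving is that no SYN-ACK is generated for those entries. And the whitelist is per source IP, so a single address that carries both genuine and attack traffic (a NAT gateway, or a real-source attack tool) is passed through once authenticated, which is why the page's "rare cases" of real-source floods need rate limiting on top of these two mechanisms.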

About This Topic
  • Author: Wang Haoda
  • Updated on: 2021-09-30