Results of a syn (synchronize) flood attack

Every time you attempt to connect to another computer, the two devices have a quick conversation. A SYN attack abuses this connection process.

If a SYN attack persists, it can tie up so many resources that an entire computer network can crash. Denial-of-service attacks (DoS) like this are among the most destructive and deadly issues any network administrator might encounter. 

We'll outline how a SYN flood attack begins, and then we'll tell you more about how to recover from them. We'll discuss how to prevent the next attack too.

What does a SYN-flood attack look like? 

Every day, your computer has hundreds of tiny conversations with other servers. You're responsible for some of the content. But some of it happens far behind the scenes. A SYN-flood attack abuses this background chatter.

Your computer uses the transmission control protocol/internet protocol (TCP/IP) to communicate. A three-way handshake starts every connection.

  1. Begin: Your computer sends a SYN (or synchronise) message to the server.
  2. Acknowledge: The server sends a SYN-ACK (or synchronise acknowledge) message back to you.
  3. Acknowledge again: Your computer sends an ACK message to establish the connection.

A SYN-flood attack can involve:

  • Muting. A computer never responds with the final ACK message. 
  • Spoofing. A computer starts the conversation from a faked origin address. The server's SYN-ACK responses go to a computer that never requested them, so that computer ignores them and the handshake is never completed.
  • Repeating. A computer sends SYN messages over and over, and the server can't handle so many requests. 

A server can't complete a handshake on its own once it begins. It must hold the half-open connection while it waits for the computer that started the handshake to finish it. During a flood, the server has many requests open while more keep arriving. Eventually, the server breaks under the pressure.
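The pattern described above, as an added example that is not part of the original article: a small Python checker over a constructed `ss -tan`-style socket table that counts half-open (SYN-RECV) entries, both per peer and in total, because a spoofed flood spreads its load over many fake sources and a per-peer count alone would miss it. The addresses, the table and the backlog limit are all assumed.

```python
from collections import Counter

# Constructed `ss -tan`-style socket table (not a real capture): 203.0.113.9 holds
# three half-open slots, while the 192.0.2.x peers look like spoofed sources.
SAMPLE = """\
State    Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB    0      0      10.0.0.5:443       198.51.100.7:51234
SYN-RECV 0      0      10.0.0.5:443       203.0.113.9:40001
SYN-RECV 0      0      10.0.0.5:443       203.0.113.9:40002
SYN-RECV 0      0      10.0.0.5:443       203.0.113.9:40003
SYN-RECV 0      0      10.0.0.5:443       192.0.2.11:1025
SYN-RECV 0      0      10.0.0.5:443       192.0.2.12:1025
SYN-RECV 0      0      10.0.0.5:443       192.0.2.13:1025
SYN-RECV 0      0      10.0.0.5:443       192.0.2.14:1025
ESTAB    0      0      10.0.0.5:443       198.51.100.8:51240
"""


def half_open_by_peer(table):
    """Count SYN-RECV (half-open) entries per peer address."""
    counts = Counter()
    for line in table.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "SYN-RECV":
            peer_ip = fields[4].rsplit(":", 1)[0]  # strip the port; safe for [v6]:port too
            counts[peer_ip] += 1
    return counts


def assess(table, per_peer=3, backlog_limit=5):
    """Two signals: one peer hogging slots (a muting client) and the total number
    of half-open entries nearing the backlog size (spoofing spreads the load over
    many fake peers, so only the total reveals it). backlog_limit is assumed."""
    counts = half_open_by_peer(table)
    total = sum(counts.values())
    return {
        "half_open": total,
        "suspect_peers": sorted(ip for ip, n in counts.items() if n >= per_peer),
        "backlog_pressure": total >= backlog_limit,
    }
```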

How to recover from a SYN-flood attack (also known as a TCP attack) 

With a DoS issue in play, it's impossible to do your work. Servers work slowly, or the entire system crashes. Rebooting doesn't help, as the attack resumes as soon as your computer is functional. But there are some steps you can take to wrest control from your attackers. 

The IETF Trust recommends:

  • Filtering. Use tools to block hackers from spoofing their IP addresses. This method can't eliminate the possibility of future problems, as hackers might jump to a new address every few minutes or so. But this roadblock may slow them down a bit.
  • Enlarging your backlog. Increase the number of half-open requests your server can accommodate. With enhanced capacity, it's harder to crash your server.
  • Shortening your timers. Reduce the time your server keeps a half-open connection waiting for its ACK (the SYN-RECEIVED timer), so incomplete connections close quicker.
  • Recycling the oldest half-open TCP connection. When the backlog fills, drop the oldest half-open entry to make room, so legitimate connections can still be established instead of getting caught in the flood of malicious requests.
  • Amending connection options. Use SYN cookies or a SYN cache to separate good requests from faulty ones.

You might also use firewalls to screen connection requests. Create settings so only complete requests can pass through the firewall to your server.

Can you prevent SYN flooding? 

If an attack is successful, your servers become unavailable until you fix the problem. If your system goes down in the middle of the night, you could spend sleepless hours going over your code and your systems to correct the problem. If you can prevent it, you'll save both time and hassle. 

Many of the steps that help you recover from an attack also work as prevention. For example, using filters and tuning your timers and backlog make an attack harder to launch. These hardening steps make your system more resistant to the techniques.

Some experts say the only way to truly prevent SYN flooding is to change the way TCP/IP protocols work. You can't do this as a system administrator. But you can use all the tools at your disposal to make your server as impervious to attacks as possible. 

At Okta, we can help. Learn why more than 10,650 global brands trust Okta to secure their digital interactions with employees and customers.

References

Transmission Control Protocol (TCP). (September 1999). Stanford University. 

TCP SYN Flooding Attacks and Common Mitigations. (August 2007). The IETF Trust.

DDoS SYN Flooding: Mitigation and Prevention. (December 2014). International Journal of Scientific and Engineering Research. 

[Figure: A normal connection between a user (Alice) and a server. The three-way handshake is correctly performed.]

[Figure: SYN flood. The attacker (Mallory) sends several packets but does not send the "ACK" back to the server. The connections are hence half-open and consume server resources. Alice, a legitimate user, tries to connect but the server refuses to open a connection, resulting in a denial of service.]

A SYN flood is a form of denial-of-service attack in which an attacker rapidly initiates a connection to a server without finalizing the connection. The server has to spend resources waiting for half-opened connections, which can consume enough resources to make the system unresponsive to legitimate traffic.[1][2]

The packet that the attacker sends is the SYN packet, a part of TCP's three-way handshake used to establish a connection.[3]

Technical details

When a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which normally runs like this:

  1. The client requests a connection by sending a SYN (synchronize) message to the server.
  2. The server acknowledges this request by sending SYN-ACK back to the client.
  3. The client responds with an ACK, and the connection is established.

This is called the TCP three-way handshake, and is the foundation for every connection established using the TCP protocol.

A SYN flood attack works by not responding to the server with the expected ACK code. The malicious client can either simply not send the expected ACK, or by spoofing the source IP address in the SYN, cause the server to send the SYN-ACK to a falsified IP address – which will not send an ACK because it "knows" that it never sent a SYN.

The server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK. However, in an attack, the half-open connections created by the malicious client bind resources on the server and may eventually exceed the resources available on the server. At that point, the server cannot connect to any clients, whether legitimate or otherwise. This effectively denies service to legitimate clients. Some systems may also malfunction or crash when other operating system functions are starved of resources in this way.

Countermeasures

There are a number of well-known countermeasures listed in RFC 4987 including:

  1. Filtering
  2. Increasing backlog
  3. Reducing SYN-RECEIVED timer
  4. Recycling the oldest half-open TCP
  5. SYN cache
  6. SYN cookies
  7. Hybrid approaches
  8. Firewalls and proxies
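Items 5 and 6 of the list above (and the "cookies or caches" option in the recovery section earlier on this page), as an added example that is not from the original page or any real TCP stack: a Python model of SYN cookies in the classic Bernstein layout, where the SYN-ACK's initial sequence number encodes a time counter, an MSS slot and a keyed MAC, so the server keeps no half-open state and the backlog cannot fill. SECRET, MSS_TABLE, the tick period and the address/port values are constructed assumptions.

```python
import hashlib
import hmac

# Constructed secret for the example; a real stack rotates it and keeps it private.
SECRET = b"constructed-example-secret-do-not-reuse"
# MSS values the 3-bit cookie field can encode (assumed table; real stacks use similar ones).
MSS_TABLE = (536, 1300, 1440, 1460)
COUNT_PERIOD = 64  # seconds per time-counter tick; the 5-bit counter wraps after 32 ticks


def _mac24(src, dst, sport, dport, count):
    """Keyed MAC over the 4-tuple and time counter, truncated to 24 bits."""
    msg = f"{src}:{sport}>{dst}:{dport}@{count}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src, dst, sport, dport, mss, now):
    """Build the SYN-ACK initial sequence number for a SYN arriving at time `now`.
    Layout: bits 31-27 time counter, bits 26-24 MSS index, bits 23-0 MAC.
    Nothing is stored server-side, so a flood of SYNs cannot exhaust the backlog."""
    count = (now // COUNT_PERIOD) & 0x1F
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):  # largest table entry not above the client's MSS
        if m <= mss:
            mss_idx = i
    return (count << 27) | (mss_idx << 24) | _mac24(src, dst, sport, dport, count)


def check_syn_cookie(src, dst, sport, dport, ack_num, now):
    """Validate the ACK that completes the handshake. Returns the negotiated MSS,
    or None if the cookie is forged, too old, or bound to a different 4-tuple."""
    cookie = (ack_num - 1) & 0xFFFFFFFF  # the client acknowledges ISN + 1
    count = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    age = ((now // COUNT_PERIOD) - count) & 0x1F
    if age > 1 or mss_idx >= len(MSS_TABLE):
        return None  # older than two ticks, or an MSS slot we never issue
    expected = _mac24(src, dst, sport, dport, count).to_bytes(3, "big")
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    if not hmac.compare_digest(expected, got):
        return None
    return MSS_TABLE[mss_idx]
```

The trade-off the countermeasure list implies still holds here: a cookie only carries what fits in 32 bits, so TCP options beyond the MSS slot are lost for connections completed this way.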

See also

  • Fraggle attack
  • Internet Control Message Protocol
  • IP address spoofing
  • Ping flood
  • Smurf attack
  • UDP flood attack

References

  1. ^ "CERT Advisory CA-1996-21 TCP SYN Flooding and IP Spoofing Attacks" (PDF). Carnegie Mellon University Software Engineering Institute. Archived from the original on 2000-12-14. Retrieved 18 September 2019.
  2. ^ New York's Panix Service Is Crippled by Hacker Attack, New York Times, September 14, 1996
  3. ^ "What is a DDoS Attack?". Cloudflare.com. Cloudflare. Retrieved 4 May 2020.

  • Official CERT advisory on SYN Attacks

What happens in a SYN flood attack?

In a SYN flood attack, the client sends overwhelming numbers of SYN requests and intentionally never responds to the server's SYN-ACK messages. This leaves the server with open connections awaiting further communication from the client.

What does a SYN attack do?

A SYN flood (half-open attack) is a type of denial-of-service (DoS) attack that aims to make a server unavailable to legitimate traffic by consuming all available server resources.

What response is missing in a SYN flood attack?

During a SYN flood, the last step of the three-way handshake is missing: after the SYN and SYN-ACK are exchanged, the final ACK is never received.
