| Property | Value |
| --- | --- |
| Family | Network Attacks |
| Attack Vector | SYN Flood |
| Variants | Tsunami SYN Flood |
| DRS ID | 11001 |
| Supports spoofing | Yes |
| Capture file example | |
Description
TCP SYN Flood is a network DDoS attack in which a large number of TCP SYN packets are sent to the victim. It is one of the oldest attacks in DDoS history, yet it is still very common and effective. It exploits the fundamental ‘TCP three-way handshake’, the process on which every TCP connection is built.
In a normal TCP handshake, three messages are exchanged between the client and the server to set up the connection reliably. The client sends a SYN to the server to request a connection. The server acknowledges the request and replies with a SYN-ACK. Finally, the client responds with an ACK, and the connection is established.
In a SYN Flood, the attacker only sends SYN packets and never completes the handshake; the SYN-ACK replies are simply ignored. Each unanswered SYN leaves a “half-open connection” on the server, and these consume server resources (connection-table entries, memory) until they are exhausted, at which point the server can no longer accept connections from any user, including legitimate ones who are denied the service. A SYN attack can be launched from spoofed source IP addresses; in fact, it is the only non-out-of-state TCP attack that can do this, which is the reason for its strength.
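The following is an added example, not part of the original page or of any vendor's product, showing the half-open problem from the server's side: inbound segments are replayed through a bounded backlog, a (src, sport) pair enters the half-open set on SYN and leaves it on the client's final ACK, and once the backlog is full every further SYN, legitimate or not, is dropped. The traffic trace is constructed inline (documentation addresses from 198.51.100.0/24 and 203.0.113.0/24); the backlog size, `Segment` class and function names are choices made for this example.

```python
# Added illustration (not from the original page): a server-side view of
# the three-way handshake, tracking half-open entries in a bounded backlog.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Inbound TCP segment as the server sees it (client -> server only)."""
    src: str
    sport: int
    syn: bool
    ack: bool


def track_handshakes(segments, backlog=128):
    """Replay inbound segments in order and summarise handshake state.

    A (src, sport) pair enters the half-open set on a SYN and leaves it
    when the client's final ACK arrives.  When the half-open set is full,
    further SYNs are dropped: that is the point at which legitimate clients
    start being refused, whoever sent the SYNs that filled the table.
    """
    half_open = set()
    completed = set()
    dropped = 0
    syn_sources = set()
    for s in segments:
        key = (s.src, s.sport)
        if s.syn and not s.ack:
            syn_sources.add(s.src)
            if key in half_open or key in completed:
                continue                  # retransmitted or duplicate SYN
            if len(half_open) >= backlog:
                dropped += 1              # backlog exhausted: SYN discarded
                continue
            half_open.add(key)
        elif s.ack and not s.syn and key in half_open:
            half_open.remove(key)         # handshake finished
            completed.add(key)
    completing_sources = {src for src, _ in completed}
    return {
        "half_open": len(half_open),
        "completed": len(completed),
        "dropped_syns": dropped,
        "backlog_exhausted": len(half_open) >= backlog,
        # sources that sent SYNs but never finished a handshake: with a
        # spoofed flood this is almost every source address seen
        "non_completing_sources": len(syn_sources - completing_sources),
    }


def constructed_trace(flood_size=200):
    """Constructed sample traffic: three real clients, a spoofed SYN flood
    (documentation addresses from 203.0.113.0/24), then one more real client."""
    segs = []
    for i, ip in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12"]):
        segs.append(Segment(ip, 40000 + i, syn=True, ack=False))
        segs.append(Segment(ip, 40000 + i, syn=False, ack=True))
    for i in range(flood_size):
        segs.append(Segment(f"203.0.113.{i % 254 + 1}", 1024 + i, syn=True, ack=False))
    # a fourth legitimate client arriving after the backlog is already full
    segs.append(Segment("198.51.100.13", 40003, syn=True, ack=False))
    segs.append(Segment("198.51.100.13", 40003, syn=False, ack=True))
    return segs


if __name__ == "__main__":
    print(track_handshakes(constructed_trace()))
```

With the default backlog of 128, the 200-SYN flood fills the table, 73 SYNs are dropped (including the fourth real client's), and 201 of the 204 source addresses seen never complete a handshake. The ratio of non-completing sources to completing ones is the signal a detector keys on, and the same trace with a much larger backlog shows the fourth client succeeding, which is why raising the backlog alone only delays the effect.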
Impact
A SYN attack will typically impact the firewall and other stateful devices as well as the server itself, but it can also impact the load balancer and even IPS/IDS devices.
Mitigation
| Technology | Description |
| --- | --- |
| Challenges | ✔ SYN Cookies |
| Proxy | ✔ |
| State/Anomaly protection | |
| Caching | |
| Rate limit | |
| Signatures | |
| Behavioral | |
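The SYN Cookies challenge in the table above is what removes the half-open state altogether. As an added example, not the page's own or any product's code, the class below models the scheme in the style of the Linux design: the SYN-ACK's initial sequence number is computed from a keyed hash of the 4-tuple, the client's ISN, a slowly ticking counter in the top 8 bits and an MSS-table index in the low 24 bits, so the server stores nothing until a valid final ACK arrives. The use of HMAC-SHA256, the counter tick size, the two-tick validity window and the three-entry MSS table are choices made for this example, not the kernel's constants.

```python
# Added illustration (not from the original page): a simplified SYN-cookie
# scheme modelled on the Linux design (counter in the top 8 bits, keyed
# hashes, MSS index in the low 24 bits).  HMAC-SHA256 and the constants
# below are choices made for this example, not the kernel's.
import hashlib
import hmac

COOKIEBITS = 24
COOKIEMASK = (1 << COOKIEBITS) - 1
U32 = 0xFFFFFFFF
MAX_COOKIE_AGE = 2             # cookies older than this many counter ticks are rejected
MSS_TABLE = [536, 1220, 1460]  # MSS values recoverable from the small index


class SynCookieServer:
    """Answers SYNs with a cookie ISN instead of allocating a half-open entry."""

    def __init__(self, secret: bytes):
        self.secret = secret   # per-server key; rotate it like any HMAC key

    def _h(self, tag: int, saddr, daddr, sport, dport, count: int) -> int:
        # Keyed 32-bit hash binding the cookie to the 4-tuple (and, for tag 1,
        # to the counter value at issue time).
        msg = f"{tag}|{saddr}|{daddr}|{sport}|{dport}|{count}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def make_cookie(self, saddr, daddr, sport, dport, client_isn, mss, count):
        """ISN to put in the SYN-ACK.  `count` is a slowly increasing clock
        (e.g. minutes).  No state is stored for this SYN."""
        # largest table MSS not above what the client advertised
        data = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
        inner = (self._h(1, saddr, daddr, sport, dport, count) + data) & COOKIEMASK
        return (self._h(0, saddr, daddr, sport, dport, 0) + client_isn
                + (count << COOKIEBITS) + inner) & U32

    def verify_ack(self, saddr, daddr, sport, dport, seq, ack, count):
        """Check the client's final ACK (seq = client_isn + 1, ack = cookie + 1).
        Returns the MSS to use for the new connection, or None if the cookie
        is forged, belongs to a different 4-tuple, or is too old."""
        client_isn = (seq - 1) & U32
        cookie = (ack - 1) & U32
        v = (cookie - self._h(0, saddr, daddr, sport, dport, 0) - client_isn) & U32
        age = (count - (v >> COOKIEBITS)) & 0xFF      # ticks since the cookie was issued
        if age >= MAX_COOKIE_AGE:
            return None
        data = (v - self._h(1, saddr, daddr, sport, dport, count - age)) & COOKIEMASK
        if data >= len(MSS_TABLE):
            return None
        return MSS_TABLE[data]


if __name__ == "__main__":
    srv = SynCookieServer(b"constructed-test-secret")   # constructed key
    tup = ("198.51.100.10", "192.0.2.1", 40000, 443)     # documentation addresses
    cookie = srv.make_cookie(*tup, client_isn=1000, mss=1460, count=10)
    print("fresh ACK  ->", srv.verify_ack(*tup, seq=1001, ack=(cookie + 1) & U32, count=10))
    print("stale ACK  ->", srv.verify_ack(*tup, seq=1001, ack=(cookie + 1) & U32, count=12))
```

The trade-off this makes visible is that a cookie can only carry what fits in 32 bits, so TCP options beyond a coarse MSS are lost unless the client's ACK carries timestamps, and the server cannot retransmit a lost SYN-ACK because it remembers nothing; that is why production stacks enable cookies only once the backlog overflows rather than for every SYN.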