DDoS Glossary

SYN Flood

Family Network Attacks
Attack Vector SYN Flood
Variants Tsunami SYN Flood
DRS ID 11001
Supports spoofing Yes
Capture file example  


TCP SYN Flood is a network DDoS attack comprising numerous TCP SYN packets that are sent to the victim. It is one of the oldest attacks in DDoS history, yet is still very common and effective. It exploits the fundamental process of the ‘TCP three-way handshake’. This process is the foundation for every connection established using the TCP protocol.

In the normal TCP handshake process, there are three messages exchanged between the server and the client, ensuring a protected connection. In this method, the client sends a SYN message to the server and, by that, requests to start a connection. The server acknowledges the request and sends a SYN-ACK back to the client. Finally, the client responds with a ACK, and the connection is established.

In SYN Flood, the the attack only sends the SYN packets; it does not bother to process them. The attack creates “half-open connections” that consume the server’s resources and might exceed their availability, causing the server to become unavailable to any user, particularly legitimate ones who can’t get the provided service. A SYN attack can arrive from a spoofed source IP address; in fact, it is the only non-out-of-state TCP attack that can do this, which is the reason for its strength.



A SYN attack will typically impact the firewall or other stateful devices as well as the server itself, but it can also impact the load balancer and even IPS/IDS.


Technology Description
Challenges ✔ SYN Cookies
State/Anomaly protection  
Rate limit