What is a SYN Flood Attack?
A SYN Flood is a common form of Denial-of-Service (DDoS) attack that can target any system connected to the Internet and providing Transmission Control Protocol (TCP) services (e.g. web server, email server, file transfer). A SYN flood is a type of TCP State-Exhaustion Attack that attempts to consume the connection state tables present in many infrastructure components, such as load balancers, firewalls, Intrusion Prevention Systems (IPS), and the application servers themselves. This type of attack can take down even high-capacity devices capable of maintaining millions of connections.
What Are the Signs of a SYN Flood Attack?
A SYN Flood occurs when the TCP layer is saturated, preventing the completion of the TCP three-way handshake between client and server on every port.
Every connection using the TCP protocol requires the three-way handshake, which is a set of messages exchanged between the client and server:
- The three-way handshake is initiated when the client system sends a SYN message to the server
- The server then receives the message and responds with a SYN-ACK message back to the client
- Finally, the client confirms the connection with a final ACK message
The purpose of this exchange is to validate the authenticity of each party and to establish the encryption key and options that will secure subsequent communications. This process must be completed before a communications port between the client and server can become fully open and available.
A TCP SYN flood attack occurs when the attacker floods the system with SYN requests in order to overwhelm the target and make it unable to respond to new real connection requests. It drives all of the target server’s communications ports into a half-open state.
Why is a SYN Flood Attack Dangerous?
Unlike other types of DDoS attacks, SYN flood attacks are not intending to use up all of the host’s memory, but rather, to exhaust the reserve of open connections connected to a port, from individual and often phony IP addresses. SYN floods are often called “half-open” attacks because this type of attack intends to send a short burst of SYN messages into the ports, leaving insecure connections open and available, and often resulting in a complete server crash.
How to Mitigate and Prevent a SYN Flood Attack
Firewalls and IPS devices, while critical to network security, are not adequate to protect against complex DDoS attacks. Today’s more sophisticated attack methodologies require a multi-faceted approach that enables users to look across both Internet infrastructure and network availability. Some of the capabilities to consider for stronger DDoS protection and faster mitigation of TCP SYN flood attacks include:
- Support of both inline and out-of-band deployment to ensure there is not one single point of failure on the network.
- Broad network visibility with the ability to see and analyze traffic from different parts of the network
- Varied sources of threat intelligence, including statistical anomaly detection, customizable threshold alerts and fingerprints of known or emerging threats in order to assure fast and accurate detection
- Scalability to manage attacks of all sizes, ranging from low-end (e.g., 1Gbps) to high end (e.g., 40Gbps)