What is SYN Flooding?

SYN flooding is a form of denial of service attack that can be launched on a computer server to overwhelm the server and not allow other users to access it. This is a somewhat older form of attack and was quite popular for a time due to the relatively low resources needed to launch it. The basic process for the attack utilizes the method by which users connect to a server through a transmission control protocol (TCP) to use all of the system’s resources. SYN flooding was once a popular form of attack, though a number of different solutions have been devised to reduce or eliminate its effectiveness on modern servers.

The basic idea behind SYN flooding utilizes the way in which users connect to servers through TCP connections. TCP uses a system called a three-way handshake that begins with a user sending a “synchronize” or SYN message to the server. The server then receives the message and sends back a “synchronize acknowledged” or SYN-ACK message to the user. Once the user’s system receives this message, a final “acknowledge” or ACK message is sent by the user to the server to establish the connection. This basic process takes place fairly quickly and ensures that both ends of the connection are synchronized.

A SYN flooding attack, however, uses this three-way handshake to tie up resources within the server, thereby preventing others from accessing the system. The SYN flooding attack begins with a SYN message sent to the server, which replies with the standard SYN-ACK response. This message goes unanswered, however, through one of several methods that result in no final ACK message being sent to the server. At this point, the server leaves resources committed to waiting for the ACK message, in case network congestion is the cause of the lack of response.

Servers only have limited resources for handling three-way handshakes, however, and many servers are designed to only handle eight such processes at a time. SYN flooding consists of eight or more SYN messages sent without the corresponding ACK message afterward, leaving all of the server’s resources committed to waiting for a response that will never come. As long as it is waiting for these messages, no other users can connect to the server. While many servers were designed to empty the queue for responses after three minutes, someone launching a SYN attack could simply resubmit eight SYN messages every three minutes to keep the system locked up indefinitely.

A number of different solutions for these types of attacks have been found, and so SYN flooding is often less successful than it was in the past. One common solution uses “SYN cookies” to allow a system to purge its queue when eight requests have been reached, allowing new users to send requests to connect to the server. If one of the older purged requests finally comes in, the cookies ensure that it is properly recognized as an ACK message and allows the user to connect to the server.