SYN Flood (semi-open attack) is a denial of service (DDoS) attack
By repeatedly sending initial Connection Request (SYN) packets, an attacker is able to overwhelm all available ports on the target server machine, causing the target device to simply not respond to legitimate traffic.
How do SYN Flood attacks work?
SYN Flood attacks work by using the three-way handshake of TCP connections.
TCP three-way handshake:
- First, the client sends a SYN packet to the server to initiate the connection.
- The server responds with this initial packet with the SYN/ACK packet to confirm communication.
- Finally, the client returns an ACK packet to acknowledge the packet received from the server.
The working process
- An attacker sends massive SYN packets to the target server, often using spoofed IP addresses.
- The server then responds to each connection request and leaves an open port ready to receive the response.
- While the server waits for a final ACK packet that never arrives, the attacker continues to send more SYN packets. The arrival of each new SYN packet causes the server to temporarily maintain new open port connections for a period of time, and once all available ports are used, the server cannot function properly.