Defining SYN Flood DDoS Attacks: Definition, Damage & Defense

Every time you attempt to connect to another computer, the two devices have a quick conversation. A SYN attack hijacks this connection process.

If a SYN attack persists, it can tie up so many resources that an entire computer network can crash. Denial-of-service attacks (DoS) like this are among the most destructive and deadly issues any network administrator might encounter. 

We'll outline how a SYN flood attack begins, and then we'll tell you more about how to recover from them. We'll discuss how to prevent the next attack too.

What does a SYN-flood attack look like? 

Every day, your computer has hundreds of tiny conversations with other servers. You're responsible for some of the content. But some of it happens far behind the scenes. This background chatter starts a SYN-flood attack. 

Your computer uses the transmission control protocol/internet protocol (TCP/IP) to communicate. A three-part handshake starts the process.

  1. Begin: Your computer sends a SYN (or synchronise) message to the server. 
  2. Acknowledge: The server sends back a SYN-ACK (or synchronise acknowledge) note back to you. 
  3. Repeat acknowledge: Your computer sends an ACK note to establish the connection. 

A SYN-flood attack can involve:

  • Muting. A computer never responds with the final ACK message. 
  • Spoofing. A computer starts the conversation from a faked origin point. The server's responses go to a computer that didn't request them, and the computer ignores them. 
  • Repeating. A computer sends SYN messages over and over, and the server can't handle so many requests. 

A SYN target can't close the conversation once it begins. It must wait for the computer that started the handshake to end it. During a flood, the server has several requests open while more come in. Eventually, the server breaks under the pressure. 

How to recover from a SYN-flood attack (also known as a TCP attack) 

With a DoS issue in play, it's impossible to do your work. Servers work slowly, or the entire system crashes. Rebooting doesn't help, as the attack resumes as soon as your computer is functional. But there are some steps you can take to wrest control from your attackers. 

The IETE Trust recommends:

  • Filtering. Use tools to block hackers from spoofing their IP addresses. This method can't eliminate the possibility of future problems, as hackers might jump to a new address every few minutes or so. But this roadblock may slow them down a bit.
  • Enlarging your backlog. Increase the number of half-open requests your server can accommodate. With enhanced capacity, it's harder to crash your server. 
  • Shortening your timers. Amend your server's clock, and close incomplete connections quicker. 
  • Recycling the oldest half-open TCP connection. Establish legitimate connections quickly so they don't get caught in the flood of malicious requests. 
  • Amending connection options. Use cookies or caches to split good requests from faulty versions. 

You might also use firewalls to screen connection requests. Create settings so only complete requests can pass through the firewall to your server.

Can you prevent SYN flooding? 

If an attack is successful, your servers become unavailable until you fix the problem. If your system goes down in the middle of the night, you could spend sleepless hours going over your code and your systems to correct the problem. If you can prevent it, you'll save both time and hassle. 

You can use some of the same steps to recover from an attack as you use in your prevention efforts. For example, using filters and changing your timers and backlog make an attack harder to launch. These strengthening steps make your system more immune to the techniques. 

Some experts say the only way to truly prevent SYN flooding is to change the way TCP/IP protocols work. You can't do this as a system administrator. But you can use all the tools at your disposal to make your server as impervious to attacks as possible. 

At Okta, we can help. Learn why more than 10,650 global brands trust Okta to secure their digital interactions with employees and customers.

References

Transmission Control Protocol (TCP). (September 1999). Stanford University. 

TCP SYN Flooding Attacks and Common Mitigations. (August 2007). The IETF Trust.

DDoS SYN Flooding: Mitigation and Prevention. (December 2014). International Journal of Scientific and Engineering Research.