What Is A TCP SYN Flood Attack?
A TCP SYN flood attack is a type of denial-of-service (DoS) attack that exploits the TCP handshake process to overwhelm a target system. In a typical TCP connection, a three-way handshake is used to establish communication between a client and a server. The attacker disrupts this process by sending a large number of SYN (synchronize) requests to the target system but never completing the handshake.
These incomplete connections cause the server to allocate resources for each request, eventually exhausting its capacity to handle legitimate traffic. This can lead to degraded performance or complete unavailability of the server. TCP SYN flood attacks are particularly effective against systems that are not equipped with adequate protections like firewalls or connection rate limiting.
This information is part of a series of articles focused on DDoS.
What is a TCP SYN Flood? | A Radware Minute
In this article:
A SYN flood DDoS attack is dangerous because it targets the fundamental mechanisms of network communication, making it difficult to distinguish malicious traffic from legitimate connection requests. The attack can overwhelm not just the target server, but also upstream infrastructure like firewalls, load balancers, and intrusion prevention systems (IPS), causing widespread disruption. Major risks include:
- Resource exhaustion. During a SYN flood, the server allocates memory and processing power to manage incomplete connections. If the attack persists, the server's ability to handle new, legitimate connections is severely compromised, leading to performance degradation or a complete denial of service.
- Use of spoofed IP addresses makes mitigation challenging. Since the attacker disguises the origin of the SYN packets, tracing the source of the attack becomes difficult. This complicates efforts to block malicious traffic and restore normal operations.
- Large-scale distributed attacks, in which multiple sources flood the target with SYN packets, increasing the volume of traffic and making it harder to filter out malicious connections. This scalability makes SYN flood attacks highly effective against unprotected systems.
Related content: Read our guide to ddos examples.
A TCP SYN flood attack exploits the three-way handshake of the TCP protocol:
- SYN packet sent by the attacker: The attacker sends a SYN packet, which is the initial request to establish a TCP connection, to the target server. The attacker typically uses spoofed IP addresses to make tracing difficult.
- SYN-ACK response from the server: The server responds with a SYN-ACK (synchronize-acknowledge) packet, indicating that it is ready to complete the connection. The server also allocates resources to maintain the state of this connection.
- Connection left incomplete: Instead of sending the final ACK (acknowledge) to complete the handshake, the attacker either does nothing or sends more SYN packets. This leaves the server waiting for a response, tying up its resources.
By repeating this process with many SYN packets, the attacker forces the server to allocate resources for each pending connection, eventually exhausting its ability to handle legitimate requests. This can disrupt normal operations, especially for systems that do not have mechanisms to detect or mitigate such attacks.
Direct
In a direct SYN flood attack, the attacker uses their own IP address or a small number of actual IP addresses to send a high volume of SYN packets to the target system. The attacker doesn’t disguise their identity, making it easier to identify the source. However, the sheer volume of requests overwhelms the server's ability to process them.
Direct attacks often rely on the attacker's ability to generate a large amount of traffic, such as by using high-bandwidth servers or multiple machines. These attacks may be less sophisticated than spoofed or distributed attacks but can still disrupt operations, especially if the target lacks adequate protections like rate limiting or SYN cookies.
Spoofed
In a spoofed SYN flood attack, the attacker manipulates the source IP address in the SYN packets to make them appear as though they are coming from multiple different or random IP addresses. This technique prevents the target server from identifying the actual source of the attack and adds complexity to mitigation efforts. The server responds to these SYN packets with SYN-ACKs, sending them to the spoofed addresses. Because these addresses are not legitimate or are not expecting such responses, the connection remains incomplete, leaving the server waiting indefinitely for the final ACK.
Spoofed attacks are particularly effective because they amplify resource exhaustion. The target system not only wastes CPU and memory tracking half-open connections but also consumes bandwidth sending SYN-ACK responses to non-existent or unreachable IPs. This makes it challenging to differentiate between legitimate users and malicious traffic, increasing the risk of collateral damage when filtering connections.
Distributed
A distributed SYN flood attack, typically a part of a distributed denial-of-service (DDoS) campaign, involves multiple devices sending SYN packets to the target simultaneously. These devices are often part of a botnet, which is a network of compromised machines controlled by the attacker. Each device in the botnet sends a relatively small number of SYN packets, but the collective traffic volume is overwhelming.
Distributed attacks are harder to mitigate because the traffic comes from many legitimate IPs across the internet. Filtering or blocking traffic based on IP addresses can inadvertently block legitimate users. Additionally, the attackers may use techniques like IP rotation or low-and-slow attacks, further complicating detection.
The distributed nature of these attacks also increases their scale and impact. By leveraging thousands or even millions of devices, attackers can target not just the server but the broader network infrastructure, including firewalls, load balancers, and ISPs. This makes distributed SYN flood attacks one of the most dangerous and effective forms of DDoS attacks.
Detecting a SYN flood DDoS attack early is crucial to minimizing its impact. These attacks disrupt normal network operations by overwhelming servers with incomplete TCP handshake requests. Recognizing the warning signs can help identify the attack in progress and allow for timely mitigation.
Here are the key indicators to look for:
- Unresponsive services: Servers or applications become slow or unresponsive due to resource exhaustion caused by a large number of incomplete TCP connections.
- High CPU and memory usage: The target system's CPU and memory usage may spike abnormally as it struggles to manage an excessive number of half-open connections.
- Network bandwidth saturation: A sudden and unexplained increase in network traffic—especially SYN packets—can indicate a SYN flood attack in progress.
- Large number of SYN packets: Network monitoring tools may reveal an unusually high number of incoming SYN packets, often originating from multiple IP addresses or spoofed sources.
- Inability to establish new connections: Legitimate users may face difficulties establishing new connections with the server as resources are tied up handling incomplete requests.
- Logs showing incomplete handshakes: Server logs might display an overwhelming number of SYN requests without corresponding ACK responses, indicating a flood of incomplete TCP handshakes.
1. SYN Cookies
SYN cookies are a lightweight and effective mitigation strategy for SYN flood attacks. When a server receives a SYN packet, instead of immediately allocating resources to track the connection, it encodes essential information into the SYN-ACK response. This encoded information includes details like the initial sequence number and connection parameters, enabling the server to verify the legitimacy of the connection later.
The key advantage of SYN cookies is that they prevent the server from being overwhelmed by half-open connections, as no memory or resources are allocated until the handshake is completed. This makes it especially useful during large-scale attacks where thousands or even millions of SYN requests are sent simultaneously. While this approach slightly increases CPU usage for packet verification, it drastically reduces the server's vulnerability to resource exhaustion. Additionally, since SYN cookies adhere to the TCP protocol, they do not interfere with legitimate connections.
2. Load Balancing
Load balancing is a powerful tool for mitigating SYN flood attacks by distributing incoming traffic across multiple servers or network nodes. By spreading the load, it prevents a single server from becoming overwhelmed by malicious traffic. Load balancers use algorithms such as round-robin, least connections, or IP hashing to efficiently distribute traffic among available resources.
Advanced load balancers can detect unusual traffic patterns, such as a sudden spike in SYN requests, and take action by redirecting malicious traffic to null routes or applying rate limiting. Some load balancers also integrate with security tools like web application firewalls (WAFs) and intrusion detection systems (IDS) to provide layered protection. Load balancing not only mitigates SYN flood attacks but also enhances overall network performance and reliability by ensuring redundancy and failover capabilities.
3. Rate Limiting
Rate limiting is a simple yet effective technique to control the volume of incoming traffic, particularly during a SYN flood attack. By setting a limit on the number of SYN packets that can be processed per second or per IP address, rate limiting helps prevent servers from being overwhelmed by excessive requests. This approach is especially useful in slowing down direct attacks, where the attacker does not spoof IP addresses.
Rate limiting can be implemented at various points in the network, such as firewalls, load balancers, or application servers. It is often configured to allow a baseline level of traffic while throttling or blocking requests that exceed the defined threshold. However, rate limiting requires careful configuration to strike a balance between blocking malicious traffic and allowing legitimate users to access the service, particularly during peak usage periods.
4. Increasing Backlog Queue
Increasing the size of the backlog queue is a straightforward way to improve a server’s ability to handle SYN flood attacks. When a TCP connection is initiated, the server places the connection request in a queue until the handshake is completed or the request times out. By enlarging this queue, the server can accommodate more half-open connections, reducing the likelihood of resource exhaustion during an attack.
However, this method has limitations. A larger backlog queue consumes additional memory, which can itself become a resource constraint if the attack volume is high enough. It is best used as part of a broader defense strategy, such as combining it with SYN cookies or rate limiting. Increasing the backlog queue provides a temporary buffer, allowing legitimate connections more time to complete during an attack, but it does not address the root cause of the flood.
5. Content Delivery Networks
Content delivery networks (CDNs) play a significant role in mitigating SYN flood attacks by distributing incoming traffic across a global network of servers. When a SYN flood attack occurs, the CDN absorbs and processes the malicious traffic at edge servers located closer to the attacker, preventing it from reaching the origin server. This reduces the strain on the target system and ensures continued availability for legitimate users.
Many CDNs use advanced traffic filtering techniques to identify and block attack traffic, such as detecting unusual patterns like a surge in SYN packets or requests from specific geographic regions. CDNs can also apply rate limiting, challenge-response mechanisms, or other techniques to prevent malicious traffic from overwhelming the infrastructure. Additionally, their distributed architecture increases redundancy and provides extra resilience against large-scale attacks. By offloading traffic to a CDN, organizations can maintain performance and reliability even under a sustained SYN flood attack.
6. Machine Learning and Behavioral Based Detection
Machine learning and behavior-based detection offer advanced methods for identifying and mitigating SYN flood attacks in real-time. These systems analyze network traffic patterns and learn the typical behavior of legitimate users. When an anomaly—such as a sudden surge in SYN packets from unknown sources—is detected, the system can take automated action, such as blocking or rate-limiting suspicious traffic. Unlike static defenses, machine learning models continuously adapt to evolving attack techniques, improving their effectiveness over time.
Behavior-based detection systems can also correlate multiple indicators of an attack, such as incomplete handshakes, high connection request rates, and unusual geographic traffic distribution. By leveraging artificial intelligence (AI) and data analytics, these systems can distinguish between legitimate traffic spikes and actual SYN flood attacks, reducing false positives. This proactive approach allows organizations to respond dynamically to threats, preventing service disruptions while maintaining access for real users.
Radware offers several solutions that protect against SYN flood attacks:
- DefensePro: This real-time network attack mitigation device safeguards against various cyber threats, including SYN flood attacks. DefensePro employs behavior-based detection technology to identify and mitigate SYN floods by monitoring traffic patterns and distinguishing between legitimate and malicious activities.
- Cloud DDoS Protection Service: Radware's Cloud DDoS Protection Service offers advanced, multi-layered defense against Distributed Denial of Service (DDoS) attacks, including SYN floods. It uses sophisticated behavioral algorithms to detect and mitigate threats at both the network (L3/4) and application (L7) layers.
- Alteon Application Delivery Controller (ADC): Alteon ADC offers integrated security features, including protection against SYN flood attacks. It utilizes SYN cookies and other rate-limiting techniques to manage and mitigate SYN floods, ensuring the availability and reliability of applications.
- Alteon Integrated WAF: Radware's Alteon Integrated Web Application Firewall includes mechanisms to protect against various DDoS attacks, including SYN floods. By inspecting incoming traffic and enforcing security policies, it can identify and block malicious connection attempts.
Learn more in our detailed guide to syn flood.