What is a TCP SYN Flood DDoS Attack?

What Is A TCP SYN Flood Attack?

  • Transmission Control Protocol (TCP) uses a three-way handshake between a sender and the receiver to establish a reliable TCP connection between them.
    • First, the sender that wants to establish a connection sends a segment to the receiver with the Synchronize (SYN) flag set. This tells the receiver that the sender wants to initiate communication and carries the initial sequence number the sender will begin with.
    • The receiver responds to the sender’s request with a segment whose SYN and ACK bits are set (SYN-ACK). The ACK in the SYN-ACK acknowledges the segment the receiver received.
    • In the final part of the TCP three-way handshake, the sender acknowledges (ACK) the response of the receiver and they both establish a reliable connection on which they will start the actual data transfer.
  • An attacker may use a technique called TCP SYN flood to launch a DDoS attack to exhaust the receiver’s resources.
  • The objective of a TCP SYN flood is to exhaust the receiver’s resources that keep track of the state of each client (sender) connection, in network and application infrastructure such as firewalls, IPS, load balancers and application servers.

How Does A TCP SYN Flood Attack Work?

  • A TCP SYN flood attack may use a spoofed source IP address in the three-way TCP handshake (SYN, SYN-ACK, ACK), so that the ACK completing the handshake is never sent back to the receiver. The attack may also come from a malicious sender that intentionally doesn’t send the final ACK. This type of attack may also be carried out through botnets.
  • Because the spoofed or malicious sender never sends the final ACK, the receiver never sees a completed TCP handshake and is left holding the resources it allocated for each half-open connection.

How Is A SYN Flood Attack Mitigated?

  • Since the objective is to consume the resources of stateful devices that must maintain information and state for each client connection, you need a way to minimize the resources allocated until the three-way handshake is as close to complete as possible.
  • Some of the techniques used to mitigate against TCP SYN Flood attack include:
    • Rate limiting the connection requests that the receiver will serve
    • Implementing a backlog of connection requests
    • Uniquely identifying connection requests using SYN cookies
    • Recycling the oldest half-open client connections
    • Implementing a timeout on how long to keep half-open TCP connection requests
  • There are many solutions for preventing DDoS attacks that use a TCP SYN flood against stateful devices. Many IDS, IPS, firewalls, DDoS protection products, load balancers and application servers now include the above-mentioned measures to detect and protect against these attacks.
  • These protection measures may be deployed as an appliance in your data center, as a cloud-based scrubbing service, or as a hybrid solution combining a hardware device and a cloud service.
  • Newer approaches block attacks without impacting legitimate traffic by using machine-learning and behavioral algorithms to build a profile of legitimate behavior and then automatically block malicious traffic. This increases protection accuracy while minimizing false positives.
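The following simulation ties the three sections together: it models a listener that runs the handshake described above, receives a flood of SYNs whose senders never complete it, and applies the mitigations listed (rate limiting, a bounded backlog, recycling the oldest half-open entry, a half-open timeout, and SYN cookies). It is an added example written for this page, not code from the page or from any Radware product; the class names, thresholds, cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash, inspired by the classic SYN cookie scheme) and the traffic in `simulate()` are all constructed for illustration.

```python
"""Simulated TCP listener under a SYN flood with the mitigations discussed.

Added example; all names, thresholds and traffic below are constructed.
"""
import hashlib
import hmac
import secrets
from collections import Counter, OrderedDict, deque


class SynCookie:
    """Stateless SYN cookie: the SYN-ACK's initial sequence number (ISN)
    encodes a coarse time counter, an MSS index and a keyed hash of the
    flow, so the listener keeps no state until a valid final ACK arrives.
    Assumed layout: 5 bits counter | 3 bits MSS index | 24 bits hash."""

    MSS_TABLE = (536, 1220, 1440, 1460)  # constructed MSS encoding table

    def __init__(self, secret: bytes, period: float = 64.0):
        self.secret, self.period = secret, period

    def _counter(self, now: float) -> int:
        return int(now // self.period) & 0x1F

    def _digest(self, flow, counter: int) -> int:
        msg = repr(flow).encode() + bytes([counter])
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:3], "big")  # 24-bit keyed hash

    def encode(self, flow, mss: int, now: float) -> int:
        counter = self._counter(now)
        idx = max((i for i, m in enumerate(self.MSS_TABLE) if m <= mss), default=0)
        return (counter << 27) | (idx << 24) | self._digest(flow, counter)

    def validate(self, flow, ack_num: int, now: float):
        """Return the decoded MSS if ack_num acknowledges a cookie issued for
        this flow within the last two counter periods, else None."""
        isn = (ack_num - 1) & 0xFFFFFFFF
        counter, idx, digest = isn >> 27, (isn >> 24) & 0x7, isn & 0xFFFFFF
        if (self._counter(now) - counter) % 32 > 1:  # stale cookie
            return None
        if digest != self._digest(flow, counter):  # forged or wrong flow
            return None
        return self.MSS_TABLE[idx]


class Listener:
    """Half-open connection table with the mitigations from the page."""

    def __init__(self, backlog=8, half_open_timeout=5.0, syn_per_sec=100, cookies=None):
        self.backlog, self.half_open_timeout = backlog, half_open_timeout
        self.syn_per_sec, self.cookies = syn_per_sec, cookies
        self.half_open = OrderedDict()  # flow -> (isn, created_at), oldest first
        self.established = set()
        self.recent_syns = deque()  # SYN arrival times for rate limiting
        self.stats = Counter()

    def _expire(self, now):  # timeout on half-open connection requests
        for flow, (_, created) in list(self.half_open.items()):
            if now - created > self.half_open_timeout:
                del self.half_open[flow]
                self.stats["timed_out"] += 1

    def _rate_limited(self, now):  # simple one-second sliding window
        while self.recent_syns and now - self.recent_syns[0] > 1.0:
            self.recent_syns.popleft()
        if len(self.recent_syns) >= self.syn_per_sec:
            return True
        self.recent_syns.append(now)
        return False

    def on_syn(self, flow, mss, now):
        """Handle a SYN; return the ISN placed in the SYN-ACK, or None if dropped."""
        self._expire(now)
        if self._rate_limited(now):
            self.stats["rate_limited"] += 1
            return None
        if len(self.half_open) >= self.backlog:  # backlog full
            if self.cookies:  # answer statelessly with a SYN cookie
                self.stats["cookie_sent"] += 1
                return self.cookies.encode(flow, mss, now)
            self.half_open.popitem(last=False)  # recycle the oldest half-open entry
            self.stats["recycled"] += 1
        isn = secrets.randbits(32)
        self.half_open[flow] = (isn, now)
        return isn

    def on_ack(self, flow, ack_num, now):
        """Handle the final ACK; return True if the connection is established."""
        entry = self.half_open.get(flow)
        if entry and ack_num == (entry[0] + 1) & 0xFFFFFFFF:
            del self.half_open[flow]
            self.established.add(flow)
            return True
        if self.cookies and self.cookies.validate(flow, ack_num, now) is not None:
            self.established.add(flow)  # state rebuilt from the cookie alone
            self.stats["cookie_validated"] += 1
            return True
        self.stats["bad_ack"] += 1
        return False


def simulate(use_cookies: bool):
    """Constructed traffic: 50 spoofed SYNs that never ACK, one legitimate
    client, then a SYN after the timeout. Returns (legit_ok, half_open, stats)."""
    cookies = SynCookie(b"constructed-demo-secret") if use_cookies else None
    lst = Listener(backlog=8, half_open_timeout=5.0, syn_per_sec=1000, cookies=cookies)
    t, srv = 1000.0, ("192.0.2.10", 443)
    for i in range(50):  # spoofed sources (TEST-NET-3) never send the ACK
        lst.on_syn(("203.0.113.%d" % (i % 250 + 1), 40000 + i) + srv, 1460, t + i * 0.001)
    legit = ("198.51.100.7", 51515) + srv
    isn = lst.on_syn(legit, 1460, t + 0.1)
    ok = lst.on_ack(legit, (isn + 1) & 0xFFFFFFFF, t + 0.2)
    lst.on_syn(("198.51.100.8", 52000) + srv, 1460, t + 10.0)  # after timeout
    return ok, len(lst.half_open), dict(lst.stats)


if __name__ == "__main__":
    for mode in (False, True):
        print("cookies" if mode else "recycle", simulate(mode))
```

With cookies disabled the listener survives only by recycling the oldest half-open entries, which also evicts legitimate clients whose ACK is still in flight (their ACK then lands in `bad_ack`); with cookies enabled the backlog stays bounded and the legitimate client is established from the cookie alone. Lowering `syn_per_sec` shows the cost of rate limiting: it drops attack SYNs and legitimate SYNs alike.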
