TCP SYN floods are one of the oldest yet still very
popular Denial of Service (DoS) attacks. The most common attack involves
sending numerous SYN packets to the victim.
In many cases the attack spoofs the source IP address, so the server's reply
(the SYN+ACK packet) never returns to the attacker.
The intention of this attack is to overwhelm the session/connection tables of
the targeted server or of one of the network entities on the path (typically
the firewall). A server must open a state entry for each SYN packet that arrives
and stores these entries in tables of limited size. However large this table may
be, it is easy to send enough SYN packets to fill it, and once this happens the
server starts dropping new connection requests, including legitimate ones.
Similar effects can occur on a firewall, which also has to process and allocate
state for each SYN packet.
Unlike other TCP or
application level attacks the attacker does not have to use a real IP; this is
perhaps the biggest strength of the attack.
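To make the table-exhaustion mechanism above concrete, here is an added example (not from the original text) that replays constructed handshake events against a fixed-size half-open connection table and computes a simple detection signal: the fraction of SYNs that are never followed by the client's ACK. The capacity, SYN_RECV timeout, addresses and traffic are all assumed values chosen for illustration.

```python
"""Half-open connection table model and SYN-flood signal (constructed example)."""
from collections import namedtuple

# flags: "S" = client SYN, "A" = client's final ACK completing the handshake
Event = namedtuple("Event", "t src dst flags")

def simulate(events, capacity, syn_timeout):
    """Replay events against a half-open table of `capacity` SYN_RECV slots.

    A SYN occupies one slot until the matching ACK arrives or the slot times
    out. Returns (completed_handshakes, dropped_syns, peak_half_open).
    """
    half_open = {}                  # (src, dst) -> arrival time of the SYN
    completed = dropped = peak = 0
    for ev in events:
        # expire stale SYN_RECV entries before handling this packet
        for stale in [k for k, t0 in half_open.items() if ev.t - t0 > syn_timeout]:
            del half_open[stale]
        key = (ev.src, ev.dst)
        if ev.flags == "S":
            if len(half_open) >= capacity:
                dropped += 1        # table full: legitimate SYNs are lost too
            else:
                half_open[key] = ev.t
        elif ev.flags == "A" and key in half_open:
            del half_open[key]
            completed += 1
        peak = max(peak, len(half_open))
    return completed, dropped, peak

def orphaned_syn_ratio(events):
    """Fraction of (src, dst) pairs that sent a SYN but never an ACK (1.0 = all)."""
    syn_keys = {(e.src, e.dst) for e in events if e.flags == "S"}
    ack_keys = {(e.src, e.dst) for e in events if e.flags == "A"}
    return len(syn_keys - ack_keys) / len(syn_keys) if syn_keys else 0.0

# Constructed traffic (assumed addresses): three clean handshakes, a burst of
# 40 SYNs from distinct sources that never complete, then one late real client.
SERVER = "203.0.113.5:80"
LEGIT = [Event(t, f"10.0.0.{t}", SERVER, "S") for t in (1, 2, 3)]
LEGIT += [Event(t + 0.1, f"10.0.0.{t}", SERVER, "A") for t in (1, 2, 3)]
FLOOD = [Event(5 + i * 0.01, f"198.51.100.{i}", SERVER, "S") for i in range(40)]
LATE_CLIENT = [Event(6.0, "10.0.0.9", SERVER, "S"), Event(6.1, "10.0.0.9", SERVER, "A")]
TRAFFIC = sorted(LEGIT + FLOOD + LATE_CLIENT, key=lambda e: e.t)

if __name__ == "__main__":
    print(simulate(TRAFFIC, capacity=32, syn_timeout=30))   # (3, 9, 32): late client dropped
    print(simulate(TRAFFIC, capacity=32, syn_timeout=0.5))  # (4, 8, 32): slot freed in time
    print(round(orphaned_syn_ratio(TRAFFIC), 2))            # 0.91
```

The two simulate calls show that a shorter SYN_RECV timeout lets the late client through, but the table still fills during the burst itself, which is why practical defences also rate-limit or proxy SYNs rather than relying on timeouts alone.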