A SYN attack is a type of denial-of-service (DoS) attack in which an attacker utilizes the communication protocol of the Internet, TCP/IP, to bombard a target system with SYN requests in an attempt to overwhelm connection queues and force a system to become unresponsive to legitimate requests.
A SYN attack is also known as a TCP SYN attack or a SYN flood.
The easiest way to describe how a SYN attack works is to think about your local grocer with the ticket system to serve customers at the meat counter. Any new customer is expected to pull a new, numbered ticket from the dispenser so the grocer can service the line-up of customers in an orderly fashion.
Normally, this system works well. The grocer notes what ticket number is to be serviced next, calls out that number, the customer answers and the transaction is begun.
However, imagine if a large number of customers took tickets and the grocer patiently started calling out numbers only to have no customers respond. He would probably wait a minute or two and call another number. Eventually the whole system would break down with no transactions occurring because the grocer is too busy trying to figure out who to service.
This is the same process as a SYN attack. The attacker sends an initial request (a SYN) asking for an acknowledgment from the receiving server (an ACK). The server places this request in a queue along with identifying information, consuming a small amount of memory and resources to do so. The server then expects a quick reply to its acknowledgment, but the attacker never sends one. The server holds the request open until a pre-defined timeout period elapses and only then discards the connection request.
In the meantime, if a large number of these requests had been hitting the server, it would eventually become overwhelmed and unresponsive.
What is important to understand about SYN attacks is that the attacker does not need a very powerful system or a great deal of bandwidth to carry one out. In fact, a typical home PC with a dial-up connection can generate enough activity to bring down whole websites. Couple this with distributed attacks, in which malware infects a large number of computers, and it is easy to see how such attacks cause large problems.
As a result, there is a large body of "best practices" on how to prevent this, including appliances specifically designed to identify and strip out the packets of a SYN flooding attack.
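The connection queue described above, modelled as an added example that is not from the original article: a constructed in-memory backlog with a timeout is flooded with SYNs that are never answered, a legitimate client is refused while the queue is saturated and gets through once the stale entries time out, and a simple saturation check stands in for the kind of detection an appliance might apply. All addresses, ports, capacities and timeouts are constructed values.

```python
from dataclasses import dataclass, field

@dataclass
class SynQueue:
    # capacity: backlog of pending entries; timeout: seconds before an unanswered entry is discarded
    capacity: int
    timeout: float
    half_open: dict = field(default_factory=dict)  # (src_ip, src_port) -> SYN arrival time
    established: int = 0
    dropped_syns: int = 0

    def expire(self, now):
        # the server gives up on entries whose timeout has elapsed, like the grocer moving on
        for k in [k for k, t0 in self.half_open.items() if now - t0 >= self.timeout]:
            del self.half_open[k]

    def on_syn(self, src, now):
        # a SYN arrives: the server acknowledges and queues the entry if there is room
        self.expire(now)
        if len(self.half_open) >= self.capacity:
            self.dropped_syns += 1  # queue full; legitimate clients are refused too
            return False
        self.half_open[src] = now
        return True

    def on_ack(self, src, now):
        # the client's reply completes the handshake and frees the queue slot
        self.expire(now)
        if src not in self.half_open:
            return False
        del self.half_open[src]
        self.established += 1
        return True

    def under_attack(self, threshold=0.8):
        # detection heuristic: queue mostly full of entries that never complete
        return len(self.half_open) / self.capacity >= threshold


def simulate_flood(capacity=128, timeout=60.0, flood_size=1000):
    """Queue SYNs that are never answered, then see what a real client experiences."""
    q = SynQueue(capacity, timeout)
    for i in range(flood_size):  # constructed flood source; no reply ever follows
        q.on_syn(("198.51.100.7", 40000 + i), now=0.0)
    legit = ("192.0.2.10", 51515)
    refused = not q.on_syn(legit, now=1.0)  # refused while the queue is saturated
    flagged = q.under_attack()
    ok = q.on_syn(legit, now=timeout + 1.0) and q.on_ack(legit, now=timeout + 1.1)
    return {"dropped_syns": q.dropped_syns, "refused_during_flood": refused,
            "flagged": flagged, "accepted_after_timeout": ok, "established": q.established}
```

Lowering the timeout or raising the capacity in the call to simulate_flood shows how much each parameter buys the defender before the queue saturates.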