SYN Attack

Why Trust Techopedia

What Does SYN Attack Mean?

A SYN attack is a type of denial-of-service (DoS) attack in which an attacker utilizes the communication protocol of the Internet, TCP/IP, to bombard a target system with SYN requests in an attempt to overwhelm connection queues and force a system to become unresponsive to legitimate requests.


A SYN attack is also known as a TCP SYN attack or a SYN flood.

Techopedia Explains SYN Attack

The easiest way to describe how a SYN attack works is to think about your local grocer with the ticket system to serve customers at the meat counter. Any new customer is expected to pull a new, numbered ticket from the dispenser so the grocer can service the line-up of customers in an orderly fashion.

Normally, this system works well. The grocer notes what ticket number is to be serviced next, calls out that number, the customer answers and the transaction is begun.

However, imagine if a large number of customers took tickets and the grocer patiently started calling out numbers only to have no customers respond. He would probably wait a minute or two and call another number. Eventually the whole system would break down with no transactions occurring because the grocer is too busy trying to figure out who to service.

This is the same process as a SYN attack. An attacker would send an initial request (a SYN) asking for acknowledgment from the receiving server (an ACK). The receiving server would place this in a queue with identifying information, using a small amount of memory and resources to do so. The server would expect a quick return from its acknowledgment but the attacker would not do so – or simply not respond. The server would wait for a pre-defined timeout period to discard the connection request.

In the meantime, if a large number of these requests had been hitting the server, it would eventually become overwhelmed and unresponsive.

What is important to understand about SYN attacks is the attacker does not have to use a very powerful system or large bandwidths to accomplish an attack. In fact, a typical home PC with a dial-up connection can generate sufficient activity to bring down whole websites. Couple this with the idea of distributed attacks, where malware infects a large number of computers, and it is possible to see how easy it is to cause large problems.

As a result, there is a large body of "best practices" on how to prevent this including appliances specifically designed to identify and strip out packets in a SYN flooding attack.


Related Terms

Margaret Rouse
Technology Expert
Margaret Rouse
Technology Expert

Margaret is an award-winning technical writer and teacher known for her ability to explain complex technical subjects to a non-technical business audience. Over the past twenty years, her IT definitions have been published by Que in an encyclopedia of technology terms and cited in articles by the New York Times, Time Magazine, USA Today, ZDNet, PC Magazine, and Discovery Magazine. She joined Techopedia in 2011. Margaret's idea of a fun day is helping IT and business professionals learn to speak each other’s highly specialized languages.