5.3 SYN Flood Attack Explained

[Figure: danger-level icon (level two)]

Recall the discussion of the three-way handshake (the SYN, SYN/ACK, ACK exchange) in "TCP Sequence Spoofing Explained" on page 243. After the client sends a SYN packet to the server, the server records the request on a queue of connections waiting to complete, sends a SYN/ACK back to the client, and waits for the ACK packet that completes the connection. The server waits so eagerly and expectantly that it allocates some temporary resources (the queue entry) "knowing" that the ACK packet will arrive within a second or two.

In a SYN flood attack, also known as a half-open attack, the client (the cracker) never sends the final ACK. Instead it sends another SYN with a different forged source address, causing the server to allocate still more resources. The client spends no resources of its own, because it uses raw sockets to send arbitrary packets rather than opening real connections.

Because, until recently, most operating systems could hold only a small number of these "half-open" sockets before running out of resources, this attack could effectively shut down a server very quickly. Defeating these attacks is explained in the next section. The SYN flood attack first came to light when the venerable New York City ISP Panix was taken down by it; at first they never knew what hit them.
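The following Python script is an added illustration, not code from the book. It models the server's queue of half-open connections described above (a fixed capacity and an expiry timeout, both assumed values, not a specific operating system's settings), shows how SYNs that are never followed by an ACK hold queue entries until legitimate clients are refused, and then parses constructed `ss -tan`-style output to flag local sockets with an unusual number of `SYN-RECV` entries, the symptom an administrator would look for on a live host. The sample addresses and socket listing are constructed for the example.

```python
"""Model of the TCP half-open (SYN) queue plus a detector for SYN-flood symptoms.
Added illustration; queue size, timeout and the ss-style sample are constructed."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class HalfOpenQueue:
    """Server-side queue of connections that received a SYN and were sent a
    SYN/ACK but are still waiting for the client's final ACK."""
    capacity: int                # assumed small backlog, as on older systems
    timeout: float               # seconds an entry is kept before being reclaimed
    pending: dict = field(default_factory=dict)  # (src_ip, src_port) -> SYN time
    dropped_syns: int = 0        # SYNs refused because the queue was full

    def expire(self, now: float) -> None:
        """Reclaim entries whose ACK never arrived within the timeout."""
        stale = [k for k, t in self.pending.items() if now - t >= self.timeout]
        for k in stale:
            del self.pending[k]

    def on_syn(self, src_ip: str, src_port: int, now: float) -> bool:
        """Allocate a queue entry for a new SYN; False means the SYN was dropped."""
        self.expire(now)
        if len(self.pending) >= self.capacity:
            self.dropped_syns += 1
            return False
        self.pending[(src_ip, src_port)] = now
        return True

    def on_ack(self, src_ip: str, src_port: int) -> bool:
        """Final ACK of the handshake: free the entry, connection is established."""
        return self.pending.pop((src_ip, src_port), None) is not None


def simulate_flood(capacity: int = 8, timeout: float = 75.0, spoofed: int = 50) -> dict:
    """Half-open SYNs (no ACK ever follows) fill the queue; a legitimate client
    arriving afterwards is refused until the stale entries time out."""
    q = HalfOpenQueue(capacity=capacity, timeout=timeout)
    # Constructed forged sources: every SYN appears to come from a different host,
    # so no ACK can ever complete any of these handshakes.
    for i in range(spoofed):
        q.on_syn(f"203.0.113.{i % 254 + 1}", 40000 + i, now=i * 0.01)
    t_end = spoofed * 0.01
    # A real client (constructed address) trying to connect while the queue is full.
    legit_during = q.on_syn("198.51.100.7", 51000, now=t_end + 1.0)
    # Well past the timeout the entries are reclaimed and service resumes.
    legit_after = q.on_syn("198.51.100.7", 51001, now=t_end + timeout + 1.0)
    return {"dropped": q.dropped_syns,
            "refused_legit": not legit_during,
            "served_after_timeout": legit_after,
            "queued_after_timeout": len(q.pending)}


# Constructed sample in the shape of `ss -tan` output (State, Recv-Q, Send-Q,
# Local Address:Port, Peer Address:Port); many distinct peers, each holding one
# SYN-RECV socket on the same service, is the half-open pattern.
SS_SAMPLE = """\
State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
SYN-RECV  0      0      192.0.2.10:80        203.0.113.1:40000
SYN-RECV  0      0      192.0.2.10:80        203.0.113.2:40001
SYN-RECV  0      0      192.0.2.10:80        203.0.113.3:40002
SYN-RECV  0      0      192.0.2.10:80        203.0.113.4:40003
SYN-RECV  0      0      192.0.2.10:80        203.0.113.5:40004
SYN-RECV  0      0      192.0.2.10:22        198.51.100.9:60010
ESTAB     0      0      192.0.2.10:80        198.51.100.7:51000
"""


def count_half_open(ss_output: str) -> Counter:
    """Count SYN-RECV sockets per local address:port in ss-style text."""
    counts = Counter()
    for line in ss_output.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "SYN-RECV":
            counts[fields[3]] += 1
    return counts


def syn_flood_suspects(ss_output: str, threshold: int = 3) -> list:
    """Local sockets whose half-open count reaches the threshold (assumed value)."""
    return [sock for sock, n in count_half_open(ss_output).items() if n >= threshold]


if __name__ == "__main__":
    print(simulate_flood())
    print(syn_flood_suspects(SS_SAMPLE))
```

With the assumed capacity of 8 entries, the first 8 forged SYNs occupy the whole queue and every later SYN, legitimate or not, is dropped until the timeout reclaims the entries; that wait is exactly the window the attacker keeps refilling. The detector only looks at a snapshot, so in practice it would be run periodically and compared with the host's normal `SYN-RECV` count for each service.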

Real World Linux Security (Prentice Hall PTR Open Source Technology Series), 2002, 260 pages.
