Visit us at it-sa 2024!

SYN Flood

What Is a SYN Flood?

A SYN flood is one of the most common forms of denial-of-service attacks. The attack method seeks to overload a network or server with a flood of SYN packets, making it unavailable to legitimate users. Learn how a SYN flood attack works, what dangers it poses, and how you can effectively protect your organization.

Mitigate SYN flood attacks with Myra

At one look

1. SYN Flood: a Definition
2. How Does a SYN Flood Attack Work?
3. What Types of SYN Flood Attacks Exist?
4. What Are the Dangers of SYN Flood Attacks?
5. How Can Organizations Fend off SYN Flood Attacks?
6. What You Need to Know About SYN Floods

SYN Flood: a Definition

A SYN flood is a network-based attack that exploits a vulnerability in the TCP connection establishment – the so-called three-way handshake – to overload servers with a flood of connection requests. The attacker sends massive numbers of SYN packets to the target server without reacting to its responses. This results in many half-open connections that tie up server resources and block legitimate requests.

How Does a SYN Flood Attack Work?

When a client and server want to establish a TCP connection, the process follows the so-called three-way handshake. The client first sends a SYN packet (from “synchronize”) to the server. The server responds with a SYN-ACK packet (from “acknowledge”). To successfully establish the connection, the client must now send a final ACK packet to the server to acknowledge the server's confirmation. If the client does not send the final ACK packet, a half-open connection is created in which resources are allocated on the server while it waits for the ACK packet.

In a SYN flood, the server is flooded with SYN packets and overloaded by the mass imitation of regular connection requests. The result: no new connections can be established and the server is no longer accessible.

How a SYN Flood Attack Works

The attacker sends numerous SYN packets, usually with spoofed source IP addresses.
The server responds with SYN-ACK packets and waits for the clients' confirming ACK packets.
The spoofed senders do not respond, leaving open connections on the server.
The server is flooded with half-open connections and can no longer process new requests, making it unavailable to legitimate users.
How the Regular TCP Handshake Works

The client sends a SYN packet with a random sequence number to the server to initiate a connection.
The server responds with a SYN-ACK packet that contains its own sequence number and returns the client's sequence number increased by 1 as an acknowledgement number.
The client acknowledges receipt of the SYN-ACK packet by returning an ACK packet with the server's sequence number increased by 1 as the acknowledgement number. This establishes the connection.
How a SYN Flood Attack Works

The attacker sends numerous SYN packets, usually with spoofed source IP addresses.
The server responds with SYN-ACK packets and waits for the clients' confirming ACK packets.
The spoofed senders do not respond, leaving open connections on the server.
The server is flooded with half-open connections and can no longer process new requests, making it unavailable to legitimate users.
How the Regular TCP Handshake Works

The client sends a SYN packet with a random sequence number to the server to initiate a connection.
The server responds with a SYN-ACK packet that contains its own sequence number and returns the client's sequence number increased by 1 as an acknowledgement number.
The client acknowledges receipt of the SYN-ACK packet by returning an ACK packet with the server's sequence number increased by 1 as the acknowledgement number. This establishes the connection.

Discover our customized Security-as-a-Service solutions for IT infrastructures and web applications.

Request a free demo now

What Types of SYN Flood Attacks Exist?

SYN flood attacks can be categorized into three main types:

Direct SYN Flood

A single attacker sends SYN packets from his own IP address. This attack method is not very effective and can be easily traced, which is why it is rarely used.

SYN Flood With IP Spoofing

The attacker uses spoofed source IP addresses to make tracing more difficult and to make it more challenging to differentiate between legitimate and malicious traffic.

DDoS SYN Flood

In this case, the attacker usually uses a botnet to send SYN packets from many different IP addresses simultaneously. This makes detection and defense much more difficult.

What Are the Dangers of SYN Flood Attacks?

SYN flood attacks pose a serious threat to the availability and performance of networks and server systems. The consequences of an unmitigated SYN flood can be severe:

Malfunctions or Outages

Financial Losses

Reputational Damage

Subsequent Attacks

Compliance Violations

Malfunctions or Outages
Legitimate users can access websites or web services only with delays or not at all, which leads to frustration and a loss of trust.
Financial Losses
Server downtime and service outages can cause direct financial losses. For example, every minute of downtime costs e-commerce providers serious money. In addition, there are indirect costs due to customer churn.
Reputational Damage
If it becomes known that the target had inadequate security precautions in place prior to the attack, this can cause lasting damage to an organization's reputation and in turn lead to a loss of customers.
Subsequent Attacks
SYN floods can be used as a diversion for other cyberattacks. While the security team of the affected organization is busy defending against the DDoS attack, attackers can carry out further attacks unnoticed, for example to steal or encrypt data.
Compliance Violations
Outages due to attacks can result in violations of service level agreements (SLAs), which in turn incur costs. Violations of legal or regulatory requirements can even result in legal consequences, for example if sensitive data is affected or compromised by the attack.

The Security-as-a-Service solutions from Myra provide reliable protection for your IT infrastructure and web applications against SYN floods and other cyberthreats. Ensure the security of your critical business processes proactively, sustainably and legally compliant.

Request a free demo now

How Can Organizations Fend off SYN Flood Attacks?

To protect your organization from SYN floods, the following measures are recommended:

Use of an intrusion detection system (IDS) or a firewall: IDS and modern firewalls analyze data traffic in real time and recognize suspicious attack patterns such as SYN floods. They can automatically block harmful connections and alert the security team. However, this requires continuous adjustment of the blocking rules, which is both costly in terms of time and effort and requires the appropriate know-how.
Increasing the backlog queue: The SYN backlog contains the information for establishing a TCP connection. Increasing the capacity of the backlog queue allows more connections to be stored, giving the server more time to process requests and avoid overload. However, each entry in the backlog reserves a certain amount of memory, so this defense method is limited.
Recycling the oldest half-open TCP connection: When the SYN backlog limit is reached, the server closes the oldest half-open connection and deletes it from the backlog to free up space for new connections. However, this protective measure quickly reaches its limits when attack volumes are high.

Activating SYN cookies: SYN cookies prevent the server from reserving resources for half-open connections with every new SYN request. Instead, it generates a SYN cookie, which is sent back to the client as the initial sequence number in the SYN-ACK packet. Cryptographic hashing ensures that the attacker cannot guess the sequence number. The connection is only established and resources are only reserved once the client has responded with an ACK packet and the server has verified the validity of the cookie. This method provides protection against SYN floods, but can sometimes lead to a decrease in performance.
Use of Anycast networks: Anycast distributes incoming traffic across multiple geographically separate servers and data centers. This balances the load across different locations, increasing the resilience of the network and reducing the likelihood of server failure.
Use of dedicated DDoS protection solutions: DDoS protection solutions from specialized IT security service providers detect SYN floods and other threats from malicious traffic flows in real time and block malicious requests before they reach the target system. These solutions are highly scalable and can efficiently mitigate even severe attacks that exceed the network capacity of the affected infrastructure.

What You Need to Know About SYN Floods

SYN flood attacks are a common form of DDoS attack that exploit the TCP handshake procedure to overload servers. SYN floods can take many forms, from direct attacks to complex, distributed attacks with spoofed IP addresses. By proactively taking precautions against such cyberthreats, you reduce the risk of costly service outages and ensure the continuity of your business operations.

Investing in effective security measures such as a dedicated DDoS protection solution pays off in the long term and strengthens your customers' trust in the reliability of your digital services.

Would you like to learn more about our solutions, application examples and best practices for attack defense? In our download area you will find product sheets, fact sheets, white papers, case studies and more.

Go to downloads

Responsible Disclosure Legal notice Privacy policy Privacy Settings Terms and Conditions