two people shaking hands over a wooden table
Wed Jul 26

Understanding SYN Flood Attack: A Guide to Detection and Prevention

Do you know what happens when you try to access a website or an online service and you get an error message saying that the server is not responding or the connection is timed out? You may think that the server is down or there is a problem with your internet connection. But sometimes, the reason behind this error is more sinister. It could be that the server is under a malicious attack that prevents it from serving legitimate requests. This type of attack is called a denial-of-service (DoS) attack.

One of the most common and classic DoS attacks on the Internet is called a SYN flood attack. It targets a vulnerability in the TCP protocol, which is used to establish reliable communication between devices. A SYN flood attack can overwhelm a server with connection requests and render it unable to respond to legitimate traffic. It can cause network congestion, service disruption, and server unresponsiveness.

In this article, we will explain what is a SYN flood attack, how it works, what are its impacts, and how to detect and prevent it. By understanding this threat, you can better protect your network and server from malicious attackers.

How does a SYN flood attack work?

To understand how a SYN flood attack works, we need to first understand how a normal TCP connection is established. This process is called the TCP three- way handshake, and it involves three steps:

  • The client requests a connection by sending a SYN (synchronize) packet to the server.
  • The server acknowledges the request by sending a SYN-ACK (synchronize-acknowledge) packet back to the client.
  • The client responds with an ACK (acknowledge) packet, and the connection is established.

In a SYN flood attack, the attacker sends repeated SYN packets to every port on the target server, often using a fake or spoofed IP address. The server, unaware of the attack, responds with SYN-ACK packets to each request. However, the attacker either does not send the expected ACK packets or never receives them if the IP address is spoofed. This leaves many connections half-open on the server side, meaning that they are not completed or closed.

The server has to allocate resources for each half-open connection, such as memory and CPU time. It also has to wait for some time before timing out each connection. However, before the connection can time out, another SYN packet arrives. This creates an increasingly large number of half-open connections on the server side, which consume its resources and prevent it from accepting new connections. Eventually, the server becomes unresponsive to legitimate traffic and suffers from denial of service.

What are the impacts of a SYN flood attack?

A SYN flood attack can have serious impacts on both the target server and its users. Some of the consequences are:

  • Network saturation : The attacker can send more SYN packets than the bandwidth of the target network can handle. This can cause network congestion and packet loss for both incoming and outgoing traffic.
  • Service disruption : The target server can become unable to process legitimate requests from its users due to resource exhaustion or network overload. This can affect its availability and performance and cause service degradation or outage.
  • Server unresponsiveness : The target server can become so overwhelmed by half-open connections that it stops responding to any traffic at all. This can cause system malfunction or crash and require manual intervention to restore functionality.

A SYN flood attack can also cause financial losses, reputational damages, legal liabilities, and customer dissatisfaction for the target server and its owners. For example:

  • In 2006, a massive SYN flood attack targeted six of the thirteen root DNS servers that provide domain name resolution for the Internet. The attack lasted for about an hour and caused some servers to lose up to 90% of their normal traffic. Although the attack did not affect the overall functionality of the Internet, it exposed the vulnerability of the critical infrastructure and raised security concerns.
  • In 2014, a SYN flood attack targeted GitHub, a popular platform for hosting and collaborating on software projects. The attack lasted for about 15 minutes and caused intermittent outages and slowdowns for GitHub users. The attack was attributed to a Chinese group that was unhappy with GitHub hosting some anti-censorship projects.
  • In 2018, a SYN flood attack targeted ProtonMail, a secure email service provider. The attack lasted for several days and caused service disruptions and delays for ProtonMail users. The attack was part of a larger campaign that also targeted other encrypted communication services, such as Signal and Telegram.

How to detect and prevent a SYN flood attack?

There are several techniques and tools that can help detect and prevent SYN flood attacks. Some of the common ones are:

  • Micro blocks : This technique reduces the amount of resources allocated for each incoming SYN request. Instead of creating a full connection object, the server creates a micro-record (as few as 16 bytes) in its memory for each request. This allows the server to handle more requests without exhausting its resources.
  • SYN cookies : This technique uses cryptographic hashing to encode information about the connection in the sequence number of the SYN-ACK packet. The server does not create any connection object until it receives the ACK packet from the client. The ACK packet contains the same sequence number as the SYN-ACK packet, which allows the server to verify and reconstruct the connection.
  • Firewalls : A firewall is a device or software that monitors and filters network traffic based on predefined rules. A firewall can block or limit incoming SYN packets from suspicious sources, such as spoofed IP addresses, unknown ports, or excessive rates. A firewall can also drop half-open connections that exceed a certain threshold or timeout period.
  • Load balancers : A load balancer is a device or software that distributes network traffic across multiple servers based on their availability and capacity. A load balancer can help mitigate SYN flood attacks by distributing the load among multiple servers and reducing the impact on any single server.
  • Intrusion detection and prevention systems (IDS/IPS) : An IDS/IPS is a device or software that monitors and analyzes network traffic for signs of malicious activity. An IDS/IPS can detect SYN flood attacks by looking for anomalies or patterns in the traffic, such as high volume of SYN packets, low ratio of ACK packets, or high number of half-open connections. An IDS/IPS can also prevent SYN flood attacks by blocking or alerting about the malicious traffic.

In addition to these techniques and tools, there are some best practices that can help enhance network security and resilience against SYN flood attacks. Some of them are:

  • Monitoring network traffic : It is important to monitor network traffic regularly and look for any unusual or suspicious activity, such as spikes in SYN packets, drops in ACK packets, or increases in half-open connections. Monitoring network traffic can help detect SYN flood attacks early and take appropriate actions to mitigate them.
  • Updating software : It is important to keep software updated with the latest patches and security fixes. Software updates can help fix vulnerabilities and bugs that may be exploited by attackers to launch SYN flood attacks or other types of attacks.
  • Educating users : It is important to educate users about network security and how to protect themselves from SYN flood attacks or other types of attacks. Users should be aware of the risks and consequences of clicking on malicious links, opening suspicious attachments, or downloading untrusted software. Users should also use strong passwords, enable two-factor authentication, and avoid using public Wi-Fi networks.

Conclusion

A SYN flood attack is a type of denial-of-service attack that exploits a vulnerability in the TCP protocol to overwhelm a server with connection requests and render it unresponsive to legitimate traffic. It is one of the most common and classic DoS attacks on the Internet, and it can have serious impacts on both the target server and its users.

To detect and prevent SYN flood attacks, there are several techniques and tools that can help mitigate them, such as micro blocks, SYN cookies, firewalls, load balancers, IDS/IPS, etc. There are also some best practices that can help enhance network security and resilience against SYN flood attacks, such as monitoring network traffic, updating software, educating users, etc.

By understanding what is a SYN flood attack, how it works, what are its impacts, and how to detect and prevent it, you can better protect your network and server from malicious attackers.