TCP SYN Flood


TCP SYN Flood is a specific type of Denial-of-Service (DoS) attack. The attack exploits an implementation characteristic of the Transmission Control Protocol (TCP), and can be used to make server processes incapable of answering a legitimate client application’s requests for new TCP connections. [1]
Any service that binds to and listens on a TCP socket is potentially vulnerable to TCP SYN flooding attacks.
The basis of the SYN flooding attack lies in the design of the TCP 3-way handshake. The image below illustrates a normal 3-way handshake.
Each incoming SYN is allocated a Transmission Control Block – TCB (a transport protocol data structure) that holds all the information about a connection. This occupies memory space. In order to avoid memory exhaustion, operating systems generally associate a “backlog” parameter with a listening socket, and this sets a cap on the number of TCBs simultaneously in the SYN-RECEIVED state. [1]

Depleting the backlog is the goal of the TCP SYN flooding attack, which attempts to send enough SYN segments to fill the entire backlog. The attacker uses source IP addresses in the SYNs that are not likely to trigger any response that would free the TCBs from the SYN-RECEIVED state. Because TCP attempts to be reliable, the target host keeps its TCBs stuck in SYN-RECEIVED for a relatively long time before giving up on the half connection and reaping them. In the meantime, service is denied to the application process on the listener for legitimate new TCP connection initiation requests.
The image below illustrates a TCP SYN flood.
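The backlog-depletion mechanism described above, as an added simulation that is not part of the original article: a listener whose half-open table stands in for the TCBs in SYN-RECEIVED, filled by SYNs whose sources never complete the handshake, so that a legitimate SYN is refused until the SYN-RECEIVED timeout reaps the stale entries. The backlog size, the 60-second timeout and the 192.0.2.x / 203.0.113.x addresses are constructed values for illustration; real stacks retransmit SYN-ACKs with backoff before giving up, which this model abstracts to a single timer.

```python
from dataclasses import dataclass, field

SYN_RECV_TIMEOUT = 60.0  # constructed: seconds a TCB stays in SYN-RECEIVED before reaping


@dataclass
class Listener:
    backlog: int                                   # cap on TCBs in SYN-RECEIVED
    half_open: dict = field(default_factory=dict)  # (src_ip, src_port) -> SYN arrival time, i.e. the TCB
    established: int = 0
    dropped_syns: int = 0
    peak_half_open: int = 0

    def reap(self, now):
        """Free TCBs whose SYN-RECEIVED timer has expired; returns how many were reaped."""
        expired = [k for k, t in self.half_open.items() if now - t >= SYN_RECV_TIMEOUT]
        for k in expired:
            del self.half_open[k]
        return len(expired)

    def on_syn(self, src, now):
        """Returns True if a TCB was allocated (or already exists), False if the SYN was dropped."""
        self.reap(now)
        if src in self.half_open:          # retransmitted SYN: TCB already allocated
            return True
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1         # backlog full: legitimate and hostile SYNs alike are refused
            return False
        self.half_open[src] = now
        self.peak_half_open = max(self.peak_half_open, len(self.half_open))
        return True

    def on_ack(self, src, now):
        """Third handshake step: the TCB leaves SYN-RECEIVED and the connection is established."""
        if src not in self.half_open:
            return False
        del self.half_open[src]
        self.established += 1
        return True


def simulate(backlog=8, flood_syns=20):
    lst = Listener(backlog)
    lst.on_syn(("192.0.2.10", 40000), 0.0)          # legitimate client before the flood
    lst.on_ack(("192.0.2.10", 40000), 0.1)          # ...completes its handshake, freeing the TCB
    for i in range(flood_syns):                      # SYNs from sources that will never answer the SYN-ACK
        lst.on_syn((f"203.0.113.{i}", 1000 + i), 1.0 + i * 0.01)
    refused = not lst.on_syn(("192.0.2.11", 40001), 2.0)              # legitimate SYN during the flood
    recovered = lst.on_syn(("192.0.2.11", 40001), 2.0 + SYN_RECV_TIMEOUT)  # after the stale TCBs are reaped
    return {"peak_half_open": lst.peak_half_open, "dropped": lst.dropped_syns,
            "refused_during_flood": refused, "accepted_after_reap": recovered,
            "established": lst.established}
```

Raising the backlog only raises `flood_syns` needed to refuse the legitimate client; the durable mitigations in the referenced article (SYN cookies, shorter SYN-RECEIVED timers, filtering) work by not letting unacknowledged SYNs hold a TCB for that long.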
Reference:
[1] Eddy, W. M. (n.d.). Defenses Against TCP SYN Flooding Attacks – The Internet Protocol Journal – Volume 9, Number 4. Retrieved from http://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-contents-34/syn-flooding-attacks.html