A SYN flood is a type of denial of service (DoS) attack that sends a series of "SYN" messages to a computer, such as a web server. SYN is short for "synchronize" and is the first step in establishing communication between two systems over the TCP/IP protocol.
When a server receives a SYN request, it responds with a SYN-ACK (synchronize acknowledge) message. The requesting computer then responds with an ACK (acknowledge) message that establishes a connection between the two systems. In a SYN flood attack, a computer sends a large number of SYN requests, but does not send back any ACK messages. Therefore, the server ends up waiting for multiple responses, tying up system resources. If the queue of response requests grows large enough, the server may not be able to respond to legitimate requests. This results in a slow or unresponsive server.
Since SYN flooding is a common type of DoS attack, most server software has the capability to detect and stop SYN floods before they have a noticeable effect on the server. For example, if a server receives a large number of SYN requests from the same IP address in a short period of time, it may temporarily block all requests from that location.
Distributed denial of service (DDoS) attacks are more difficult to handle since they flood the server from multiple IP addresses. However, these attacks can be limited by using SYN caching or implementing SYN cookies. Both of these methods record IP addresses used for flood attacks. The system then limits the resources the computer will use to respond to requests from these locations. This type of SYN flood protection can be configured directly on the server or on a network firewall.
Updated: February 12, 2013