In this blog post the reader will find information about SYN Floods: what they are and how they work. In short, a SYN Flood is a type of denial-of-service attack that is used to make a targeted machine stop responding. I have chosen this topic because previously in class we studied denial-of-service attacks and I wrote about them, and I wanted to improve my knowledge of their different types. I think that this topic is highly relevant to IT security, because it is a violent action against the established order of network security.
A SYN Flood is a type of denial-of-service (DoS) attack in which the attacker sends a stream of SYN requests to a targeted system. Some systems can mistake a legitimate scan for open proxies for a SYN Flood; such scans are commonly performed by IRC servers and services against connecting clients. They are not SYN Floods, just an automated check of the connecting IP address.
Basically, a SYN Flood sends TCP connection requests to a target machine faster than it can process them. Each packet sent by the attacker has a random (spoofed) source address and the SYN flag set, which is a request to open a new connection to the server. The targeted machine sends its reply to the fake IP addresses and waits (sometimes more than a minute) for a confirmation that never arrives. Because of the huge number of received requests, the victim machine's table of half-open connections fills up, and real users are no longer able to reach the server. If the attack stops, the victim machine returns to a normal working state, because modern operating systems manage these resources better and rarely crash from SYN Floods.
Figure 1 below shows the start of a SYN Flood attack. The attacker sends as many SYN requests with fake source IPs as possible, and the victim machine's replies go to a black hole (they have no real destination).
Figure 2 below shows the result of the SYN Flood attack: the user tries to connect to the server but gets no reply. The reason is that the server's tables are full and it cannot handle new requests.
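To make the behaviour described above concrete, here is a small model of the server's half-open connection table, written as an added example for this post (it is not code from the original). The capacity, the 60-second timeout, the constructed flood traffic and the addresses are all assumptions; the point is to show the table filling with spoofed SYNs, a real client being refused while it is full, and the server recovering once the stale entries time out.

```python
from collections import OrderedDict
from dataclasses import dataclass

@dataclass
class Packet:
    t: float      # arrival time in seconds (constructed)
    src: str      # source IP, spoofed for the flood traffic
    sport: int    # source port
    flags: str    # "S" = SYN, "A" = the ACK that completes the handshake

class SynBacklog:
    # Simplified model of a server's SYN queue (table of half-open connections).
    def __init__(self, capacity: int, timeout: float):
        self.capacity = capacity
        self.timeout = timeout
        self.half_open = OrderedDict()   # (src, sport) -> time the SYN arrived
        self.dropped = 0                 # SYNs refused because the table was full

    def expire(self, now: float) -> None:
        # Entries whose SYN-ACK was never acknowledged are freed after `timeout`;
        # the OrderedDict keeps arrival order, so the oldest entry is always first.
        while self.half_open:
            key, t0 = next(iter(self.half_open.items()))
            if now - t0 < self.timeout:
                break
            del self.half_open[key]

    def handle(self, pkt: Packet) -> str:
        self.expire(pkt.t)
        key = (pkt.src, pkt.sport)
        if pkt.flags == "S":
            if len(self.half_open) >= self.capacity:
                self.dropped += 1
                return "dropped"        # table full: the new client gets no SYN-ACK
            self.half_open[key] = pkt.t
            return "syn-ack"            # reply sent, waiting for the final ACK
        if pkt.flags == "A" and key in self.half_open:
            del self.half_open[key]     # handshake completed, slot released
            return "established"
        return "ignored"

def flood_then_recover(capacity: int = 64, timeout: float = 60.0):
    # Constructed traffic: 200 spoofed SYNs in the first second (no ACKs ever follow),
    # then a real client at t=2 s (during the attack) and again at t=70 s (after it).
    table = SynBacklog(capacity, timeout)
    for i in range(200):
        table.handle(Packet(i / 200, f"203.0.113.{i % 250}", 40000 + i, "S"))
    during = table.handle(Packet(2.0, "198.51.100.7", 5555, "S"))
    after = table.handle(Packet(70.0, "198.51.100.7", 5556, "S"))
    done = table.handle(Packet(70.1, "198.51.100.7", 5556, "A"))
    return during, after, done, table.dropped
```

Real kernels soften this failure mode by switching to SYN cookies when the queue fills (on Linux via the `net.ipv4.tcp_syncookies` sysctl); the model above deliberately leaves that out so the refusal the post describes is visible.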