This article needs additional citations for verification. (January 2017) (Learn how and when to remove this template message)
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of
SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
- The client requests a connection by sending a
SYN(synchronize) message to the server.
- The server acknowledges this request by sending
SYN-ACKback to the client.
- The client responds with an
ACK, and the connection is established.
This is called the TCP three-way handshake, and is the foundation for every connection established using the TCP protocol.
A SYN flood attack works by not responding to the server with the expected
ACK code. The malicious client can either simply not send the expected
ACK, or by spoofing the source IP address in the
SYN, causing the server to send the
SYN-ACK to a falsified IP address – which will not send an
ACK because it "knows" that it never sent a
The server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing
ACK. However, in an attack, the half-open connections created by the malicious client bind resources on the server and may eventually exceed the resources available on the server. At that point, the server cannot connect to any clients, whether legitimate or otherwise. This effectively denies service to legitimate clients. Some systems may also malfunction or crash when other operating system functions are starved of resources in this way.
There are a number of well-known countermeasures listed in RFC 4987 including:
- "CERT Advisory CA-1996-21 TCP SYN Flooding and IP Spoofing Attacks" (PDF). Carnegie Mellon University Software Engineering Institute. Archived from the original on 2001-12-14. Retrieved 18 September 2019.
- New York's Panix Service Is Crippled by Hacker Attack, New York Times, September 14, 1996