Overview of SYN Flood Attack
The SYN flood is also known as the TCP SYN flood because it abuses the TCP three-way handshake. In this attack, attackers can target any internet-connected system that provides TCP services, such as email servers or file transfer servers, by sending repeated SYN requests from random (often spoofed) source IP addresses to the server. It is a form of DDoS attack in which the system is flooded with SYN packets until it can no longer accept new legitimate connections from authorized customers.
How Does a SYN Flood Attack Work?
SYN flood attacks take advantage of the handshake phase of a TCP connection.
When a client and server form a connection, a regular TCP connection is established via the three-way handshake:
- The client starts a connection with the server by sending a SYN packet.
- The server responds by sending a SYN/ACK packet and creating a data structure for the connection in the SYN backlog known as a Transmission Control Block (TCB).
- The client replies with an ACK packet to the SYN/ACK packet, which completes the handshake and establishes the connection.
A SYN flood is often known as a half-open attack; in it, the attacker exploits the Transmission Control Protocol's three-way handshake:
- The attacker repeatedly sends SYN packets to the targeted server, frequently using spoofed IP addresses.
- As the server is unaware of the attack, it answers each connection request with a SYN/ACK packet and keeps a half-open connection in the backlog, waiting for the response.
- The attacker continues to transmit SYN packets while the server waits for the final ACK packet, which never arrives.
- Because each half-open connection stays in the backlog until it times out, new SYN packets from the attacker arrive faster than old entries expire, so the backlog never drains.
- At a certain point, the server becomes overloaded by the attacker's requests, and communication with legitimate traffic becomes difficult or impossible.
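The backlog exhaustion described above can be seen in a small model. The following Python script is an added example, not code from the original article or from InfosecTrain: it models a listening socket's SYN backlog as a bounded table of half-open entries (one per TCB), each held until the final ACK arrives or a SYN/ACK timeout expires. The backlog size, timeout, attack rate, addresses (RFC 5737 documentation ranges) and the moment the legitimate client connects are all constructed values, chosen so the effect is visible in a few seconds of simulated time. It goes slightly beyond the text by showing the threshold: the attacker only needs a SYN rate of roughly backlog size divided by timeout to keep the backlog permanently full.

```python
from collections import OrderedDict


class SynBacklog:
    """Model of a listening socket's SYN backlog (constructed, not a real TCP stack).

    Each admitted SYN allocates a TCB that is held until the final ACK arrives
    or the SYN/ACK timeout expires."""

    def __init__(self, size, timeout):
        self.size = size
        self.timeout = timeout
        self.half_open = OrderedDict()   # (src_ip, src_port) -> time the TCB was created
        self.established = []
        self.dropped = 0                 # SYNs refused because the backlog was full

    def _expire(self, now):
        # Reclaim TCBs whose SYN/ACK went unanswered for the whole timeout
        for key, created in list(self.half_open.items()):
            if now - created >= self.timeout:
                del self.half_open[key]

    def on_syn(self, src, now):
        self._expire(now)
        if src in self.half_open:
            return "retransmit"           # duplicate SYN, keep the existing TCB
        if len(self.half_open) >= self.size:
            self.dropped += 1
            return "dropped"              # no room: the client never gets a SYN/ACK
        self.half_open[src] = now         # allocate a TCB and (conceptually) send SYN/ACK
        return "syn-ack"

    def on_ack(self, src, now):
        self._expire(now)
        if src not in self.half_open:
            return "ignored"              # ACK for a connection we hold no TCB for
        del self.half_open[src]
        self.established.append(src)
        return "established"


def simulate_flood(attack_rate, backlog=10, timeout=5.0, duration=20, legit_at=15):
    """Attacker sends `attack_rate` SYNs per second from distinct spoofed sources and
    never completes the handshake; one legitimate client (constructed address) tries
    to connect at `legit_at` seconds. Returns what happened to the legitimate client."""
    srv = SynBacklog(backlog, timeout)
    legit = ("198.51.100.7", 40000)
    outcome = None
    for t in range(duration):
        now = float(t)
        for i in range(attack_rate):
            # RFC 5737 documentation addresses stand in for spoofed sources;
            # the port makes every key unique
            spoofed = (f"203.0.113.{(t * attack_rate + i) % 254 + 1}",
                       1024 + t * attack_rate + i)
            srv.on_syn(spoofed, now)
        if t == legit_at:
            outcome = srv.on_syn(legit, now)
            if outcome == "syn-ack":
                outcome = srv.on_ack(legit, now)   # a real client answers the SYN/ACK
    return {"legit": outcome,
            "half_open": len(srv.half_open),
            "attacker_syns_dropped": srv.dropped}


if __name__ == "__main__":
    for rate in (0, 1, 2, 5):
        print(f"attack rate {rate}/s -> {simulate_flood(rate)}")
```

With a backlog of 10 and a 5-second timeout, one spoofed SYN per second leaves a steady five half-open entries and the legitimate client still connects; two per second keep all ten slots occupied, and the legitimate SYN is silently dropped. Raising the backlog or shortening the timeout only moves that threshold, which is why the mitigation list later in the article also includes stateless techniques such as SYN cookies.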
How Does a SYN Flood Attack Happen?
A SYN flood attack can occur in three ways:
- Direct SYN Flood Attack: In this method, the attacker starts the SYN flood attack from their own IP address, without spoofing.
- SYN Spoofed Attack: The attacker uses a fake source IP address on each SYN packet sent to the server. Spoofing makes it tough to figure out who the attacker is and how to trace the packets back.
- DDoS SYN Flood Attack: A Distributed Denial of Service SYN flood attack is launched when a server receives SYN packets from multiple compromised computers under the attacker's control.
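From a defender's side, the three variants look different in captured traffic mainly in how many source addresses they use, while all of them share the same tell: many SYNs to one listener with almost no completed handshakes. The script below is an added example, not part of the original article or InfosecTrain's material. It parses a simplified tcpdump-style line format that is constructed for this example, tracks each client's handshake through SYN, SYN/ACK and final ACK, and alerts on listeners whose SYNs mostly go uncompleted. The sample log, the listener addresses and the thresholds are all constructed; the classification only separates a single-source (direct) flood from a many-source one, because flow data alone cannot tell spoofed sources from a real botnet.

```python
import re
from collections import defaultdict

# Simplified tcpdump-style line format, constructed for this example:
# "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def parse(lines):
    """Yield (src, sport, dst, dport, flags) for every line that matches the format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:                                    # skip non-TCP or malformed lines
            d = m.groupdict()
            yield d["src"], int(d["sport"]), d["dst"], int(d["dport"]), d["flags"]


def analyse(lines, syn_threshold=5, max_completion_ratio=0.2):
    """Per listener (dst_ip, dst_port): count client SYNs, completed handshakes and
    distinct sources; flag listeners whose SYNs mostly never complete."""
    stats = defaultdict(lambda: {"syns": 0, "completed": 0, "sources": set()})
    pending = set()    # (client, cport, server, sport): SYN seen, no SYN/ACK yet
    synacked = set()   # same key: server's SYN/ACK seen, final ACK still missing
    for src, sport, dst, dport, flags in parse(lines):
        if flags == "S":                         # step 1: client SYN
            stats[(dst, dport)]["syns"] += 1
            stats[(dst, dport)]["sources"].add(src)
            pending.add((src, sport, dst, dport))
        elif flags == "S.":                      # step 2: server SYN/ACK (reverse direction)
            conn = (dst, dport, src, sport)
            if conn in pending:
                synacked.add(conn)
        elif flags == ".":                       # step 3: bare ACK from the client
            conn = (src, sport, dst, dport)
            if conn in synacked:                 # later data ACKs are ignored
                synacked.discard(conn)
                pending.discard(conn)
                stats[(dst, dport)]["completed"] += 1
    alerts = []
    for (ip, port), s in sorted(stats.items()):
        ratio = s["completed"] / s["syns"]
        if s["syns"] >= syn_threshold and ratio <= max_completion_ratio:
            pattern = ("direct (single source)" if len(s["sources"]) == 1
                       else "distributed or spoofed sources")
            alerts.append({"listener": f"{ip}:{port}", "syns": s["syns"],
                           "completed": s["completed"], "sources": len(s["sources"]),
                           "pattern": pattern})
    return alerts


def _constructed_log():
    """Constructed sample capture: two normal connections, then two floods."""
    lines = [
        "10:00:00.001 IP 198.51.100.7.40000 > 192.0.2.10.443: Flags [S]",
        "10:00:00.002 IP 192.0.2.10.443 > 198.51.100.7.40000: Flags [S.]",
        "10:00:00.003 IP 198.51.100.7.40000 > 192.0.2.10.443: Flags [.]",
        "10:00:00.004 IP 198.51.100.8.40001 > 192.0.2.10.80: Flags [S]",
        "10:00:00.005 IP 192.0.2.10.80 > 198.51.100.8.40001: Flags [S.]",
        "10:00:00.006 IP 198.51.100.8.40001 > 192.0.2.10.80: Flags [.]",
        "10:00:00.007 IP 198.51.100.8.40001 > 192.0.2.10.80: Flags [P.]",
    ]
    # Many distinct (spoofed or distributed) sources: SYN/ACK goes out, no final ACK returns
    for i in range(8):
        lines.append(f"10:00:01.{i:03d} IP 203.0.113.{10 + i}.{50000 + i} > 192.0.2.10.80: Flags [S]")
        lines.append(f"10:00:01.{i:03d} IP 192.0.2.10.80 > 203.0.113.{10 + i}.{50000 + i}: Flags [S.]")
    # One unspoofed source hammering the mail port, again never completing
    for i in range(6):
        lines.append(f"10:00:02.{i:03d} IP 203.0.113.99.{60000 + i} > 192.0.2.10.25: Flags [S]")
        lines.append(f"10:00:02.{i:03d} IP 192.0.2.10.25 > 203.0.113.99.{60000 + i}: Flags [S.]")
    return lines


def run_sample():
    return analyse(_constructed_log())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, port 443 sees one normal connection and stays quiet, port 80 is flagged as a many-source flood (nine SYNs, one completed) and port 25 as a direct flood from a single address. In production the same logic would run over a sliding time window rather than a whole file, and the thresholds would be tuned to the listener's normal SYN rate.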
How to Mitigate SYN Flood Attacks?
The following methods can be used to mitigate SYN flood attacks:
- Intrusion Detection System (IDS)
- Expanding the backlog queue
- Firewall filtering
- RST cookies
- SYN cookies
- Recycling the oldest half-open connections
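SYN cookies, the mitigation that removes the half-open state problem at its root, are worth seeing in code. The listener below is an added example written for this article, not InfosecTrain's code and not a real TCP stack: it answers every SYN with a SYN/ACK whose initial sequence number is a keyed cookie over the connection 4-tuple, the client's ISN and a 64-second time slot, and allocates a connection only when an ACK carrying a valid cookie comes back. The bit layout follows the classic scheme (5 bits of time slot, 3 bits of MSS index, 24 bits of hash); the secret, the MSS table and all addresses are constructed values.

```python
import hashlib
import hmac

# MSS values a cookie can encode (constructed table; real stacks ship their own)
MSS_TABLE = [536, 1220, 1460, 4460, 8960]
SLOT_SECONDS = 64   # a cookie is bound to a 64-second time slot, as in the classic scheme


class SynCookieListener:
    """Listening socket answering SYNs statelessly with SYN cookies (constructed model)."""

    def __init__(self, secret, server):
        self.secret = secret          # per-host secret; should be rotated periodically
        self.server = server          # (ip, port) of the listener
        self.established = {}         # client -> negotiated MSS, created only after a valid ACK
        self.half_open_tcbs = 0       # stays 0: nothing is allocated on SYN

    def _hash(self, client, client_isn, slot):
        # 24-bit keyed hash over the 4-tuple, the client's ISN and the time slot
        msg = (f"{client[0]}:{client[1]}:{self.server[0]}:{self.server[1]}:"
               f"{client_isn}:{slot}").encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def make_cookie(self, client, client_isn, mss, now):
        slot = int(now) // SLOT_SECONDS
        mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
        # layout: 5 bits time slot | 3 bits MSS index | 24 bits hash
        return ((slot & 0x1F) << 27) | (mss_idx << 24) | self._hash(client, client_isn, slot)

    def on_syn(self, client, client_isn, mss, now):
        """Return the ISN for our SYN/ACK; deliberately allocate nothing."""
        return self.make_cookie(client, client_isn, mss, now)

    def on_ack(self, client, seq_num, ack_num, now):
        """Rebuild the cookie from the ACK alone; allocate only if it verifies."""
        cookie = (ack_num - 1) & 0xFFFFFFFF       # our ISN, as acknowledged by the client
        client_isn = (seq_num - 1) & 0xFFFFFFFF   # the client's ISN, one below its first seq
        slot_bits, mss_idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
        current = int(now) // SLOT_SECONDS
        for slot in (current, current - 1):       # accept the current or previous slot only
            expected = self._hash(client, client_isn, slot).to_bytes(3, "big")
            if (slot & 0x1F) == slot_bits and hmac.compare_digest(expected, h.to_bytes(3, "big")):
                self.established[client] = MSS_TABLE[mss_idx]
                return True
        return False


def demo():
    srv = SynCookieListener(b"constructed-secret-rotate-me", ("192.0.2.10", 80))
    now = 1_000_000.0
    # 1. a flood of spoofed SYNs: each gets a SYN/ACK, none costs the server any state
    for i in range(10_000):
        srv.on_syn((f"203.0.113.{i % 254 + 1}", 1024 + (i % 60000)), i * 7919, 1460, now)
    # 2. a legitimate client completes the handshake normally
    client, c_isn = ("198.51.100.7", 40000), 123456
    s_isn = srv.on_syn(client, c_isn, 1460, now)
    legit_ok = srv.on_ack(client, c_isn + 1, s_isn + 1, now + 0.5)
    # 3. an ACK whose cookie has one hash bit changed is refused
    tampered = srv.on_ack(client, c_isn + 1, (s_isn ^ 0x20) + 1, now + 0.5)
    # 4. a cookie presented after its two time slots have passed is stale
    late, l_isn = ("198.51.100.9", 40002), 999
    l_cookie = srv.on_syn(late, l_isn, 1460, now)
    stale = srv.on_ack(late, l_isn + 1, l_cookie + 1, now + 200)
    return {"half_open_tcbs": srv.half_open_tcbs, "legit_accepted": legit_ok,
            "tampered_rejected": not tampered, "stale_rejected": not stale,
            "established": len(srv.established), "legit_mss": srv.established.get(client)}


if __name__ == "__main__":
    print(demo())
```

Ten thousand spoofed SYNs leave the listener with zero half-open entries, while the legitimate client is accepted and both a tampered and an expired cookie are refused. The cost of the technique is visible in the layout: only three bits of the cookie describe the client's options, so everything but the MSS is lost when the connection is created from a cookie, which is why operating systems enable SYN cookies only once the backlog is under pressure rather than for every connection.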
How can InfosecTrain help you?
We see various cyberattacks on networks in daily life. InfosecTrain offers a range of cybersecurity certification training courses that cover all the essential knowledge for preventing emerging cyberattacks. You can enroll in our network security training course to learn how to detect SYN flood attacks and the practices used to protect against such threats.