First page Back Continue Last page Summary Graphics
TCP SYN Flood
A TCP SYN flooding attack consumes your system resources until no more incoming TCP connections are possible. The attack makes use of the basic TCP 3-way handshaking protocol during connection establishment, in conjunction with IP source address spoofing.
The attacker spoofs his source address and initiates a connection to one of your TCP-based services. As a client attempting to open a TCP connection, he sends you a SYN message. Your machine responds by sending an acknowledgment, a SYN-ACK. However, in this case, the address you're replying to isnt the attackers address. The final stage of TCP connection establishment, receiving an ACK in response, will never happen. Consequently, finite network connection resources are consumed. The connection remains in a half-opened state until the connection attempt times out. The hacker floods your port with connection request after connection request, faster than the TCP timeouts release the resources. If this continues, all resources will be in use and no more incoming connection requests can be accepted. If the target is your smtp port, you cant receive email. If the target is your http port, people cant connect to your web site.