
SYN Flood Attack

A SYN flood is a layer 4 DDoS attack method that exploits a server’s TCP connection capability. Typically, a client and server establish a TCP connection using a ‘three-way’ handshake:

  1. Client requests to connect to the server, and sends a SYN (synchronize) message
  2. Server acknowledges the SYN message and sends back a SYN-ACK (synchronize-acknowledge) message
  3. Client responds back with an ACK (acknowledge message), establishing the connection

During a SYN flood attack, the attacker's client sends numerous SYN messages to the target server. The server creates an entry in its connection table for each SYN received and responds to each with a SYN-ACK message. The attacker then either never sends the final ACK or, more often, has spoofed the source IP address in its SYN packets so that the target server's SYN-ACK responses go to hosts that never answer them. Each such entry stays half-open until it times out; as the attacker keeps sending SYN messages faster than the entries expire, the target server's connection table fills and the server can no longer accept new connection requests. With its resources consumed, the target server is unable to connect with legitimate clients, creating a denial of service.
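The handshake steps and the half-open connection table described above, modelled in memory as an added example (this is not code from the Verisign page). A stateful server keeps one table entry per SYN and is exhausted by a burst of spoofed SYNs that never complete; a second server uses SYN cookies, a standard mitigation the page does not cover, which encodes the handshake in the server's initial sequence number and keeps no state per SYN. The packet model, the tiny BACKLOG and TIMEOUT values, the secret, and the RFC 5737 documentation addresses are all constructed for the demonstration; nothing opens a socket.

```python
import hashlib
import hmac
from collections import namedtuple

# Constructed packet model: src is a source IP string, seq/ack are 32-bit
# sequence numbers, flags is "SYN" or "ACK". Nothing here touches the network.
Packet = namedtuple("Packet", "src seq ack flags")

BACKLOG = 8      # assumed tiny half-open table so exhaustion is easy to see
TIMEOUT = 30.0   # seconds a half-open entry is kept before being reclaimed
MASK32 = 0xFFFFFFFF


class StatefulServer:
    """Classic handling: one table entry per SYN until the matching ACK arrives."""

    def __init__(self):
        self.half_open = {}      # (src, client_isn) -> expiry time
        self.established = []
        self.dropped_syns = 0
        self.isn = 1000          # server ISN counter (constructed, not random)

    def _expire(self, now):
        self.half_open = {k: t for k, t in self.half_open.items() if t > now}

    def handle(self, pkt, now):
        self._expire(now)
        if pkt.flags == "SYN":
            if len(self.half_open) >= BACKLOG:
                self.dropped_syns += 1   # table full: this SYN is refused
                return "DROP"
            self.half_open[(pkt.src, pkt.seq)] = now + TIMEOUT
            self.isn += 1
            return ("SYN-ACK", self.isn)
        if pkt.flags == "ACK":
            key = (pkt.src, pkt.seq - 1)   # the ACK's seq is client_isn + 1
            if key in self.half_open:
                del self.half_open[key]
                self.established.append(pkt.src)
                return "ESTABLISHED"
            return "RST"                   # no half-open entry matches
        return "IGNORE"


class SynCookieServer:
    """SYN cookies: the server ISN is an HMAC over the SYN, so no per-SYN state is kept."""

    def __init__(self, secret=b"constructed-secret"):
        self.secret = secret
        self.established = []
        self.dropped_syns = 0   # never incremented: there is no table to fill

    def _cookie(self, src, client_isn, slot):
        msg = f"{src}|{client_isn}|{slot}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")   # 32-bit server ISN

    def handle(self, pkt, now):
        slot = int(now // 64)   # cookie accepted for the current and previous 64 s window
        if pkt.flags == "SYN":
            return ("SYN-ACK", self._cookie(pkt.src, pkt.seq, slot))
        if pkt.flags == "ACK":
            client_isn = pkt.seq - 1
            for s in (slot, slot - 1):
                if (self._cookie(pkt.src, client_isn, s) + 1) & MASK32 == pkt.ack:
                    self.established.append(pkt.src)
                    return "ESTABLISHED"
            return "RST"   # ack number is not a cookie we issued
        return "IGNORE"


def legit_handshake(server, src, now):
    """Full three-way handshake for one well-behaved client; returns the server's verdict."""
    client_isn = 500
    reply = server.handle(Packet(src, client_isn, 0, "SYN"), now)
    if reply == "DROP":
        return "DROP"
    server_isn = reply[1]
    ack = Packet(src, client_isn + 1, (server_isn + 1) & MASK32, "ACK")
    return server.handle(ack, now + 0.01)


def syn_flood(server, n_syns, start):
    """Constructed flood: n SYNs with spoofed source addresses that are never ACKed."""
    for i in range(n_syns):
        src = f"198.51.100.{i % 254 + 1}"   # RFC 5737 documentation range
        server.handle(Packet(src, (i * 7919) & MASK32, 0, "SYN"), start + i * 0.001)


def demo():
    results = {}
    stateful, cookies = StatefulServer(), SynCookieServer()
    for name, srv in (("stateful", stateful), ("syn_cookies", cookies)):
        syn_flood(srv, 50, 0.0)
        # A legitimate client arrives while the spoofed entries are still pending.
        results[name] = (legit_handshake(srv, "203.0.113.7", 1.0), srv.dropped_syns)
    # Once the flood stops and the half-open entries time out, the stateful server
    # recovers, which is why the attacker has to keep the SYNs coming.
    results["stateful_after_timeout"] = legit_handshake(stateful, "203.0.113.8", 40.0)
    return results
```

Running `demo()` shows the stateful server refusing the legitimate client (42 spoofed SYNs plus the legitimate one dropped) while the SYN-cookie server completes the handshake and drops nothing, and it shows the stateful server accepting again once the entries have expired. Real kernels add rate limits, shorter retransmission timers and larger backlogs on top of cookies, but the two behaviours modelled here are the core of the difference.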

Figure: Normal SYN-ACK Exchange

Figure: SYN Flood

Learn more about how Verisign mitigates these types of DDoS attacks