A SYN flood, also known as a TCP SYN flood, is a type of denial-of-service (DoS) or distributed denial-of-service (DDoS) attack that sends massive numbers of SYN requests to a server to overwhelm it with open connections.
A SYN flood, sometimes known as a half-open attack, is a network-tier attack that bombards a server with connection requests without responding to the corresponding acknowledgements. The large numbers of open TCP connections that result consume the server’s resources to essentially crowd out legitimate traffic, making it impossible to open new legitimate connections and difficult or impossible for the server to function correctly for authorized users who are already connected.
Virtually any organization with a public-facing website is vulnerable to this type of attack. If a SYN flood is not rapidly detected and addressed, it can rapidly overwhelm a server to dramatically slow server responses and prevent any other connections. This effectively takes the server offline so that legitimate users are denied service, losing access to applications and data or preventing e-commerce. The results can include a loss of business continuity, disruption of critical infrastructure, lost sales, or a damaged reputation. For some organizations, such as those in the healthcare industry, the damage of lost access to data can be life-threatening.
F5 Labs research suggests that SYN floods are one of the most common types of volumetric DoS attacks each year. They may be used in combination with or as a smokescreen for other types of attacks, including ransomware attacks or efforts to steal data or plant malware.
Every client-server conversation begins with a standardized three-way handshake. The client sends a SYN packet, the server responds with a SYN-ACK, and the TCP connection is established. In a SYN flood attack, the client sends overwhelming numbers of SYN requests and intentionally never responds to the server’s SYN-ACK messages.
This leaves the server with open connections awaiting further communication from the client. Each is tracked in the server’s TCP connection table, eventually filling the table and blocking any more connection attempts from any source. Loss of business continuity and data access result.
SYN floods are frequently performed by bots connecting from spoofed IP addresses to make attack it harder to identify and mitigate the attack. Botnets can launch SYN floods as distributed denial-of-service (DDoS) attacks.
F5 DDoS protection solutions help make sure attacks against the network won’t cripple—or worse, shut down—your server and app tiers, turning away your customers. Our solutions can recognize that a SYN flood attack may be occurring and take defensive measures for mitigation to protect the connection table while allowing legitimate connections access to the protected network. With this type of defense, the attacker's SYN requests get responses, so they think the attack is working, but the connection table never reaches capacity because only valid connection requests retain slots in the connection table.