A SYN flood is a denial-of-service (DoS) attack that abuses the standard way a TCP connection is established. Normally, a client sends a SYN packet to an open port on a server to request a TCP connection. The server acknowledges the request by sending a SYN-ACK packet back to the client and recording the client's information in its Transmission Control Block (TCB) table. The client then responds with an ACK packet, which completes the connection. This process is commonly known as the "three-way handshake".
A SYN flood overwhelms a target machine by sending it thousands of connection requests from spoofed IP addresses. The target attempts to open a connection for each malicious request: it allocates a TCB entry, sends a SYN-ACK to the spoofed address, and waits for an ACK that never arrives, because the spoofed host either does not exist or never asked for the connection. The server keeps each half-open connection waiting for its ACK, since the delay could be ordinary network congestion. However, because no ACK ever arrives for any of the requests, the massive number of half-open connections fills the server's TCB table faster than it can time any of them out, and new connection requests, including legitimate ones, are dropped. This condition persists for as long as the flood continues.
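To make the table-exhaustion mechanism concrete, the following Python simulation models the listener side of the handshake under a short burst and under a sustained flood. It is an added example, not code from the original article: the backlog size, SYN timeout, packet rates, the 198.51.100.0/24 and 10.0.0.5 addresses, and the simplified server model (one slot per source IP and port pair, no SYN-ACK retransmission) are all assumptions made for the demonstration.

```python
"""Simulation of a TCP listener's half-open (SYN_RECEIVED) table under a SYN flood.

Added example, not code from the original article. The server model is
deliberately simplified: one half-open entry per (source IP, source port) pair,
a fixed backlog of such entries standing in for the TCB table, a fixed timeout
after which an un-ACKed entry is reclaimed, and no SYN-ACK retransmissions.
All addresses, ports, rates and sizes below are constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SYN, SYN_ACK, ACK = "SYN", "SYN-ACK", "ACK"
Key = Tuple[str, int]  # (source IP, source port) identifies a connection attempt


@dataclass(frozen=True)
class Packet:
    t_ms: int    # arrival time at the server, in milliseconds
    src: str     # source IP; spoofed for flood traffic, so SYN-ACKs go nowhere
    sport: int   # source port
    flags: str   # SYN (handshake step 1) or ACK (handshake step 3)


@dataclass
class Listener:
    backlog: int                 # capacity of the half-open table (the TCB table)
    syn_timeout_ms: int          # how long the server waits for the final ACK
    half_open: Dict[Key, int] = field(default_factory=dict)    # key -> expiry time
    established: List[Key] = field(default_factory=list)       # completed handshakes
    dropped: List[Key] = field(default_factory=list)           # SYNs refused: table full
    sent: List[Tuple[Key, str]] = field(default_factory=list)  # what the server sent

    def _reclaim_expired(self, now_ms: int) -> None:
        """Time out half-open entries whose ACK never arrived."""
        for key in [k for k, exp in self.half_open.items() if exp <= now_ms]:
            del self.half_open[key]

    def receive(self, pkt: Packet) -> None:
        self._reclaim_expired(pkt.t_ms)
        key = (pkt.src, pkt.sport)
        if pkt.flags == SYN:
            if len(self.half_open) >= self.backlog:
                # No room: the SYN is discarded and the client never sees a SYN-ACK.
                self.dropped.append(key)
                return
            # Step 2 of the handshake: record the attempt and answer with SYN-ACK.
            self.half_open[key] = pkt.t_ms + self.syn_timeout_ms
            self.sent.append((key, SYN_ACK))
        elif pkt.flags == ACK and key in self.half_open:
            # Step 3: the ACK completes the handshake and frees the slot.
            del self.half_open[key]
            self.established.append(key)


def simulate(packets: List[Packet], backlog: int, syn_timeout_ms: int) -> Listener:
    """Feed packets to a fresh listener in arrival order and return its final state."""
    server = Listener(backlog, syn_timeout_ms)
    for pkt in sorted(packets, key=lambda p: p.t_ms):
        server.receive(pkt)
    return server


def spoofed_syns(count: int, interval_ms: int) -> List[Packet]:
    """A flood of SYNs, each from a different constructed spoofed source; no ACK follows."""
    return [Packet(i * interval_ms, f"198.51.100.{i % 254 + 1}", 1024 + i, SYN)
            for i in range(count)]


LEGIT: Key = ("10.0.0.5", 40000)   # constructed legitimate client


def legit_attempt(syn_at_ms: int) -> List[Packet]:
    """A real client: SYN, then ACK 100 ms later if its SYN-ACK arrived."""
    return [Packet(syn_at_ms, *LEGIT, SYN), Packet(syn_at_ms + 100, *LEGIT, ACK)]


def burst_scenario() -> Listener:
    """200 spoofed SYNs in one second against a backlog of 128 with a 3 s timeout.

    The table fills long before the first entry can time out: a legitimate SYN
    at 1.5 s is dropped, but a retry at 4 s succeeds once the entries expired."""
    packets = spoofed_syns(200, 5) + legit_attempt(1500) + legit_attempt(4000)
    return simulate(packets, backlog=128, syn_timeout_ms=3000)


def sustained_scenario() -> Listener:
    """100 spoofed SYNs/s for 10 s: 100/s * 3 s = 300 pending, more than 128 slots.

    Each expired entry is immediately replaced by a new spoofed SYN, so the table
    stays full and the legitimate client is refused on every retry."""
    packets = spoofed_syns(1000, 10) + legit_attempt(5005) + legit_attempt(7005)
    return simulate(packets, backlog=128, syn_timeout_ms=3000)


if __name__ == "__main__":
    for name, srv in (("burst", burst_scenario()), ("sustained", sustained_scenario())):
        print(f"{name}: SYN-ACKs sent={len(srv.sent)} dropped={len(srv.dropped)} "
              f"established={srv.established} still half-open={len(srv.half_open)}")
```

The two scenarios show why the timeout alone is not a defence: a burst is absorbed once its entries age out, but any sustained rate above backlog divided by timeout keeps the table full indefinitely, which is why a server under attack typically needs to stop keeping per-SYN state (SYN cookies) or filter upstream rather than simply wait.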
Attackers sometimes also craft additional fields in their SYN packets, for example by setting the sequence number or the source port to 0. Handling such packets raises the target server's CPU usage on top of the network congestion the flood already causes, and can bring about a denial-of-service condition more effectively.