Concept and Entity Tracking
- SYN Flood (Half-Open Attack): A denial-of-service attack that sends a high volume of TCP SYN packets and never completes the handshakes they start, exhausting the server's capacity to track pending connections.
- TCP Three-Way Handshake: The standard three-step process (SYN, SYN-ACK, ACK) used to establish a network connection.
- SYN Packet: The initial "synchronize" message a client sends to a server to start a connection.
- ACK Packet: An "acknowledgment" message used to finalize the connection setup.
- Half-Open Connection: A connection for which the server has answered a SYN with a SYN-ACK and is still waiting for the client's final ACK (shown as SYN_RECV or SYN-RECV on Linux).
- State-Exhaustion Attack: A malicious attempt to fill the connection tables of infrastructure like firewalls and load balancers.
- SYN Cookie: A defense in which the server encodes the connection details into the sequence number of its SYN-ACK instead of storing them, allocating state only when an ACK carrying a valid cookie comes back.
- Botnet: A network of compromised devices used to launch large-scale distributed attacks.
- Backlog Queue: The per-listening-socket queue in which the operating system holds half-open connections; its fixed size caps how many can be outstanding at once.
A SYN flood is a type of DDoS attack that makes a server unavailable by overwhelming it with "half-open" connections. It abuses the handshake TCP uses to open every connection, so legitimate users cannot reach a website or service. For marketers and SEO practitioners, a successful attack means lost traffic, dropped search rankings, and zero conversions while the site is offline.
What is a SYN Flood?
A SYN flood (also called a half-open attack) is a transport-layer (TCP) attack that bombards a server with initial connection requests. In normal operation a server completes thousands of these handshakes without trouble. In an attack, the server is left waiting on handshakes that are never finished, and once its queue of pending connections is full it cannot accept new ones, no matter how much spare CPU or bandwidth it has.
While these attacks are old, they remain a primary threat. [SYN floods remain among the most common DoS attack types reported each year] (F5 Labs).
Why SYN Floods matter
When a server is under a SYN flood attack, it responds sluggishly or stops working entirely. This impacts your business beyond just technical downtime:
- Lost Revenue: eCommerce sites cannot process transactions when users cannot connect.
- SEO Damage: Frequent or prolonged downtime can lead search engines to de-index pages or lower rankings.
- Reputation Loss: Users lose trust in a brand if the website is frequently inaccessible or slow.
- Security Smokescreen: Attackers often use these floods to distract security teams while they plant malware or steal data elsewhere.
- Infrastructure Stress: Even high-capacity devices capable of maintaining millions of connections can be taken down by these state-exhaustion attacks.
How a SYN Flood works
To understand the attack, you must understand the "Three-Way Handshake" used by the Transmission Control Protocol (TCP):
- SYN: The client sends a "Synchronize" packet to the server.
- SYN-ACK: The server records the pending connection in its backlog queue and replies with a "Synchronize-Acknowledgment".
- ACK: The client sends an "Acknowledgment" packet to finalize the connection.
In a SYN flood, the attacker sends the first packet (SYN) but never sends the final packet (ACK).
The server keeps that half-open entry, retransmits the SYN-ACK a few times, and only gives up after a timeout that on most systems runs to tens of seconds (about a minute with Linux defaults). Because the backlog holds a limited number of pending entries, an attacker sending thousands of SYNs per second fills every slot faster than old entries expire, and any SYN that arrives from a real customer while the queue is full is simply dropped.
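The mechanism above, as an added example that is not part of the original article: a small simulation of one listening socket's SYN backlog. The queue size, the timeout and the traffic trace (a real client, a burst of spoofed SYNs that are never acknowledged, then a second real client) are made-up values chosen to show why the second client is locked out until the attacker's entries expire.

```python
"""Added example (not from the original article): a simulation of one listening
socket's SYN backlog, showing how unanswered SYNs crowd out real clients.
Queue size, timeout and the traffic trace are made-up values for the demo."""

from dataclasses import dataclass, field


@dataclass
class Listener:
    backlog: int                 # max half-open entries (hypothetical small value)
    syn_recv_timeout: float      # seconds a half-open entry is kept before it is dropped;
                                 # Linux defaults retransmit the SYN-ACK 5 times, ~63 s total
    half_open: dict = field(default_factory=dict)   # (src_ip, src_port) -> expiry time
    established: int = 0
    dropped_syn: int = 0

    def _expire(self, now):
        for key in [k for k, deadline in self.half_open.items() if deadline <= now]:
            del self.half_open[key]

    def on_syn(self, now, src):
        """Client SYN arrives: reply SYN-ACK and queue it, unless the backlog is full."""
        self._expire(now)
        if src in self.half_open:
            return "syn-ack (retransmit)"
        if len(self.half_open) >= self.backlog:
            self.dropped_syn += 1            # no slot left: the SYN is silently dropped
            return "dropped"
        self.half_open[src] = now + self.syn_recv_timeout
        return "syn-ack"

    def on_ack(self, now, src):
        """Client's final ACK: promote the half-open entry to an established connection."""
        self._expire(now)
        if src not in self.half_open:
            return "ignored"
        del self.half_open[src]
        self.established += 1
        return "established"


def run_trace(listener, events):
    """events: list of (time, "SYN"|"ACK", (src_ip, src_port)); returns the server's reaction to each."""
    out = []
    for t, kind, src in events:
        out.append(listener.on_syn(t, src) if kind == "SYN" else listener.on_ack(t, src))
    return out


def flood_demo(backlog=8, timeout=30.0, attacker_syns=20):
    """Constructed trace: one real client, a spoofed burst, then a real client that is locked out."""
    srv = Listener(backlog=backlog, syn_recv_timeout=timeout)
    events = [
        (0.0, "SYN", ("203.0.113.10", 40000)),   # real client completes its handshake
        (0.1, "ACK", ("203.0.113.10", 40000)),
    ]
    for i in range(attacker_syns):                # spoofed sources that will never ACK
        events.append((1.0 + i * 0.01, "SYN", (f"198.51.100.{i + 1}", 1000 + i)))
    events.append((2.0, "SYN", ("203.0.113.11", 40001)))                    # real client: no slot left
    events.append((2.0 + timeout + 1.0, "SYN", ("203.0.113.11", 40001)))    # retry after entries expire
    events.append((2.0 + timeout + 1.1, "ACK", ("203.0.113.11", 40001)))
    return srv, run_trace(srv, events)


if __name__ == "__main__":
    srv, reactions = flood_demo()
    print("reactions:", reactions)
    print(f"established={srv.established} dropped_syn={srv.dropped_syn} "
          f"still_half_open={len(srv.half_open)}")
```

With a backlog of 8, the first 8 spoofed SYNs each take a slot, the remaining 12 and the real client's SYN are dropped, and the real client only gets through on a retry after the 30-second expiry. A sustained attacker simply keeps refilling the slots as they expire, which is why the timeout alone is no defense.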
Types of SYN Floods
Attacks vary based on how the attacker masks their identity and the volume of traffic they use.
Direct Attack
The attacker uses their own IP address to send the packets. This is rare because the source is trivial to block. It also needs extra work: the attacker's own operating system would normally answer the unexpected SYN-ACK with a RST, which would tear down the half-open entry on the server, so the attacker simply tells their own firewall to drop the incoming SYN-ACKs and keep the connections "half-open".
Spoofed Attack
The attacker fakes (spoofs) the IP address on every packet. The server sends its SYN-ACK to a fake address that will never respond. This makes it much harder for security teams to trace the source. [Detailed advisories on IP spoofing and SYN flooding date back to 1996] (CERT Advisory CA-1996-21).
Distributed Attack (DDoS)
The attacker uses a botnet, such as the Mirai botnet, to send traffic from thousands of different devices simultaneously. This makes mitigation difficult because the "bad" traffic is coming from everywhere at once.
Best practices for mitigation
You can defend against SYN floods by changing how your server handles incoming requests.
- Enable SYN Cookies: This is the most common defense. When the backlog fills, the server sends a SYN-ACK whose initial sequence number is a cryptographic cookie derived from the connection's addresses and ports, a coarse timestamp and a secret, and stores nothing. A client that finishes the handshake returns that value plus one in its ACK; the server recomputes the cookie, and only a match creates the connection. On Linux this is the sysctl net.ipv4.tcp_syncookies=1, which current distributions generally ship enabled. [Modern operating systems now implement SYN cookies by default] (AWS Best Practices). Caveat: a cookie carries only a few bits of state, so TCP options negotiated in the SYN (window scaling, SACK) can be lost on cookie-established connections unless the implementation squeezes them into the TCP timestamp, as Linux does.
- Increase the Backlog Queue: Give the server more room to hold pending connections (on Linux, net.ipv4.tcp_max_syn_backlog for the SYN queue, and net.core.somaxconn together with the application's listen() backlog for the accept queue). This raises the bar but does not remove it: a large enough attack still fills the bigger queue.
- Recycle Old Connections: Have the server overwrite the oldest half-open connection once the queue is full, or shorten the time a half-open entry is kept (on Linux, fewer SYN-ACK retransmissions via net.ipv4.tcp_synack_retries). Both help against small attacks; at high volume, entries are evicted faster than legitimate clients can finish their handshakes, and the real connections are the ones recycled.
- Use a Cloud-Based Proxy: Services like Cloudflare sit between your server and the internet. They complete the TCP handshake on their own infrastructure and open a connection to your server only for clients that finish it, so the half-open entries never reach you.
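A worked SYN-cookie generator and verifier, added here as an example in the style described by RFC 4987; it is neither the article's code nor any operating system's implementation. The secret, the 64-second counter period, the four-entry MSS table and the 5/3/24-bit layout of the 32-bit sequence number are choices made for this demo, and the spoofed burst and the three ACKs are constructed inputs.

```python
"""Added example (not the article's or any kernel's code): a SYN-cookie
generator and verifier in the style described by RFC 4987. The secret, the
64-second counter period and the 32-bit field layout are choices made for
this demo; real implementations differ in detail."""

import hashlib
import hmac
import struct

SECRET = b"demo-secret-rotate-me"       # hypothetical; kernels use random per-boot secrets
COUNTER_PERIOD = 64.0                   # seconds per counter tick (assumed for the demo)
MSS_TABLE = (536, 1024, 1460, 4312)     # MSS values encodable in the 3-bit field (illustrative)
ISN_MASK = 0xFFFFFFFF


def _counter(now):
    return int(now // COUNTER_PERIOD)


def _hash24(src, sport, dst, dport, count, mss_idx):
    """24-bit keyed hash over the 4-tuple, the counter tick and the MSS index."""
    msg = f"{src}:{sport}>{dst}:{dport}|{count}|{mss_idx}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0] & 0xFFFFFF


def make_cookie(src, sport, dst, dport, client_mss, now):
    """ISN for the SYN-ACK. Layout: 5 bits counter | 3 bits MSS index | 24 bits hash.
    Nothing is stored on the server; the only 'state' is what the client echoes back."""
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):       # largest table entry not above the client's MSS
        if m <= client_mss:
            mss_idx = i
    count = _counter(now)
    return ((count & 0x1F) << 27) | (mss_idx << 24) | _hash24(src, sport, dst, dport, count, mss_idx)


def check_cookie(src, sport, dst, dport, ack_num, now):
    """Validate the ACK that completes a handshake. Returns the recovered MSS, or None."""
    cookie = (ack_num - 1) & ISN_MASK        # the client acknowledges ISN + 1
    cnt_bits, mss_idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    cur = _counter(now)
    for count in (cur, cur - 1):             # accept the current tick or the previous one
        if (count & 0x1F) == cnt_bits and _hash24(src, sport, dst, dport, count, mss_idx) == h:
            return MSS_TABLE[mss_idx]
    return None


def cookie_demo():
    """Constructed exchange: a spoofed flood that leaves no state, a real handshake that
    verifies, a forged ACK that does not, and a late ACK rejected by the counter."""
    dst, dport, now = "192.0.2.1", 443, 1_000_000.0
    # 1,000 spoofed SYNs: the server answers each with a cookie and remembers none of them.
    for i in range(1_000):
        make_cookie(f"198.51.100.{i % 250}", 1024 + i, dst, dport, 1460, now)
    isn = make_cookie("203.0.113.10", 40000, dst, dport, 1460, now)
    genuine = check_cookie("203.0.113.10", 40000, dst, dport, (isn + 1) & ISN_MASK, now + 0.5)
    forged = check_cookie("203.0.113.10", 40000, dst, dport, 0x12345678, now + 0.5)
    stale = check_cookie("203.0.113.10", 40000, dst, dport, (isn + 1) & ISN_MASK,
                         now + 3 * COUNTER_PERIOD)
    return genuine, forged, stale


if __name__ == "__main__":
    print("genuine MSS, forged, stale:", cookie_demo())
```

The spoofed burst costs the server one HMAC per SYN and no memory, which is the whole point. The price is visible in the layout: only the MSS survives the round trip, and the two-tick acceptance window means a client that takes longer than about two counter periods to answer is refused.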
Common mistakes
Mistake: Assuming that "unlimited" bandwidth protects you.
Fix: SYN floods are state-exhaustion attacks, not bandwidth attacks. A stream of small SYN packets that barely registers on a traffic graph can still fill the server's connection queue; what is under attack is the OS's ability to track pending connections, not the size of the link.
Mistake: Relying solely on a standard firewall.
Fix: Stateful firewalls and load balancers track every connection in a table of their own, so during a SYN flood they often fail first: once that table fills they drop or reset new connections, legitimate ones included, before the server behind them is even saturated.
Mistake: Ignoring small spikes in "half-open" connections.
Fix: Monitor your servers for spikes in SYN_RECV connections (on Linux, ss -tan state syn-recv), for the SYN-cookie and listen-drop counters reported by nstat (TcpExtSyncookiesSent, TcpExtListenDrops), and for the kernel message "possible SYN flooding on port N. Sending cookies." A small but sustained rise is often the leading edge of an attack.
Examples
- Example scenario (eCommerce): During a Black Friday sale, an attacker launches a distributed SYN flood. Real customers get "connection timed out" errors. Even though the server hardware is powerful, it cannot accept new customers because every "slot" is taken by a botnet.
- Example scenario (Historical): One of the first major public examples occurred when [the ISP Panix was crippled for days in September 1996] (New York Times) by a hacker using this method.
FAQ
What is the difference between a SYN flood and a "normal" DDoS?
A normal volumetric DDoS tries to clog your "pipes" with too much data. A SYN flood is a state-exhaustion attack that tries to fill the "ledger" where the server records active conversations. It requires less traffic to be effective.
How do I know if I'm under a SYN flood attack?
Half-open connections pile up: on Linux, ss -tan state syn-recv shows a large and growing number of SYN-RECV sockets, typically from many different source addresses that never complete the handshake, and the kernel may log "possible SYN flooding on port ...". Legitimate users will report that the site is down or "hanging" at the start of a page load, before any content arrives.
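The monitoring advice above (the "Ignoring small spikes" fix under Common mistakes and this FAQ answer) turned into a check, as an added example that is not part of the original article: a parser for `ss -tan` output that counts half-open sockets per local port and flags ports over a threshold. The sample output is constructed, the parser assumes the column order `ss` prints when it is not filtered by state (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port), and the thresholds are placeholders to tune for your own baseline.

```python
"""Added example (not part of the original article): a small parser for
`ss -tan` output that counts half-open (SYN-RECV) sockets per local port and
raises an alert when they exceed a threshold. The sample output below is
constructed, and the thresholds are placeholders to tune for your servers."""

from collections import defaultdict

# Constructed sample of `ss -tan` output: one HTTPS listener under a spoofed
# burst, one stray half-open SSH connection, two established sessions.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port    Peer Address:Port
SYN-RECV   0      0      10.0.0.5:443          198.51.100.23:51234
SYN-RECV   0      0      10.0.0.5:443          198.51.100.77:1025
SYN-RECV   0      0      10.0.0.5:443          198.51.100.78:1026
SYN-RECV   0      0      10.0.0.5:443          198.51.100.79:1027
SYN-RECV   0      0      10.0.0.5:443          198.51.100.80:1028
SYN-RECV   0      0      10.0.0.5:443          198.51.100.81:1029
SYN-RECV   0      0      10.0.0.5:22           203.0.113.9:55001
ESTAB      0      0      10.0.0.5:443          203.0.113.10:40000
ESTAB      0      0      10.0.0.5:443          203.0.113.11:40001
LISTEN     0      4096   0.0.0.0:443           0.0.0.0:*
"""


def parse_ss(text):
    """Yield (state, local_port, peer_ip) for each socket line, skipping the header."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        local_port = local.rsplit(":", 1)[1]     # rsplit so IPv6 addresses also work
        peer_ip = peer.rsplit(":", 1)[0]
        yield state, local_port, peer_ip


def summarize(text):
    """Per local port: half-open count, distinct half-open peers, established count."""
    stats = defaultdict(lambda: {"syn_recv": 0, "peers": set(), "estab": 0})
    for state, port, peer_ip in parse_ss(text):
        if state == "SYN-RECV":
            stats[port]["syn_recv"] += 1
            stats[port]["peers"].add(peer_ip)
        elif state == "ESTAB":
            stats[port]["estab"] += 1
    return {p: {"syn_recv": s["syn_recv"], "peers": len(s["peers"]), "estab": s["estab"]}
            for p, s in stats.items()}


def half_open_alerts(summary, max_syn_recv=5, max_ratio=0.5, min_syn_recv=3):
    """Ports whose half-open count, or half-open share of all sockets, exceeds the threshold.
    The ratio rule only applies once min_syn_recv half-open sockets exist, so a single slow
    client on an idle port does not trip it."""
    alerts = []
    for port, s in sorted(summary.items()):
        total = s["syn_recv"] + s["estab"]
        ratio = s["syn_recv"] / total if total else 0.0
        if s["syn_recv"] > max_syn_recv or (s["syn_recv"] >= min_syn_recv and ratio > max_ratio):
            alerts.append(port)
    return alerts


if __name__ == "__main__":
    summary = summarize(SAMPLE_SS_OUTPUT)
    for port, s in sorted(summary.items()):
        print(f"port {port}: syn_recv={s['syn_recv']} peers={s['peers']} estab={s['estab']}")
    print("alerting ports:", half_open_alerts(summary))
```

To run it against a live host, feed `subprocess.run(["ss", "-tan"], capture_output=True, text=True).stdout` to summarize() on a schedule and alert on the result; the distinct-peer count is worth keeping alongside the raw total, because a flood of half-open sockets from hundreds of addresses that never finish the handshake looks very different from a few real clients on a bad link.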
Do SYN cookies slow down my website?
SYN cookies cost a small amount of CPU to compute and verify, and on Linux they are only used once the backlog is already full, so in normal operation there is no cost at all. Connections set up through a cookie may lose a few TCP options that were negotiated in the SYN, a minor effect compared with a total outage.
Can a firewall stop a SYN flood?
Some firewalls can, but others are vulnerable to the same state-exhaustion as servers. For best results, use a firewall or proxy specifically designed for DDoS mitigation that handles handshakes on your behalf.
What is RFC 4987?
[RFC 4987, "TCP SYN Flooding Attacks and Common Mitigations", is the IETF document describing SYN flooding] (Wikipedia/IETF). It is an Informational RFC from 2007 that explains the attack and its history and surveys the standard defenses: filtering, larger backlogs, shorter SYN-RECEIVED timers, recycling the oldest half-open entries, SYN caches, SYN cookies, and firewalls or proxies that complete the handshake on the server's behalf.