In a SYN flood, a victim server, firewall or other perimeter defense receives SYN packets (often spoofed, and most often sent from a botnet) at very high packet rates. Processing these incoming packets consumes the victim's resources and can overwhelm it. In most cases, if a server is protected by a firewall, the firewall itself becomes a victim of the SYN flood and begins to flush its state table, knocking all good connections offline, or, even worse, it reboots. Some firewalls, in order to remain up and running, begin to indiscriminately drop all traffic, good and bad, to the destination server being flooded. Some firewalls perform an Early Random Drop process, which blocks both good and bad traffic. SYN floods are often used to try to consume all network bandwidth and to negatively impact routers, firewalls, IPS/IDS, SLB and WAF devices as well as the victim servers.
A SYN-flood DDoS attack (see the accompanying figure) takes advantage of the TCP (Transmission Control Protocol) three-way handshake process by flooding multiple TCP ports on the target system with SYN (synchronize) messages to initiate a connection between the source system and the target system.
The target system responds with a SYN-ACK (synchronize-acknowledgement) message for each SYN message it receives and temporarily opens a communications port for each attempted connection while it waits for a final ACK (acknowledgement) message from the source in response to each of the SYN-ACK messages. The attacking source never sends the final ACK messages and therefore the connection is never completed. The temporary connection will eventually time out and be closed, but not before the target system is overwhelmed with incomplete connections.
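The half-open state described above is visible to a defender on the target itself. The following added example (not part of the original page or of any vendor's product) parses a socket table in the Linux `/proc/net/tcp` layout and reports listening ports whose count of connections still waiting for the final ACK (state `03`, SYN_RECV) reaches a threshold. The function names, the threshold and the sample table are assumptions constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

SYN_RECV = 0x03  # Linux TCP state code: SYN received, final ACK still pending

# Constructed sample in /proc/net/tcp layout (IPv4, documentation address ranges).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0A0200C0:0050 077100CB:C350 01 00000000:00000000 00:00000000 00000000    33        0 1003
   3: 0A0200C0:0050 016433C6:9C41 03 00000000:00000000 01:00000064 00000001     0        0 0
   4: 0A0200C0:0050 016433C6:9C42 03 00000000:00000000 01:00000064 00000001     0        0 0
   5: 0A0200C0:0050 026433C6:A001 03 00000000:00000000 01:00000064 00000001     0        0 0
   6: 0A0200C0:0050 036433C6:A002 03 00000000:00000000 01:00000064 00000001     0        0 0
   7: 0A0200C0:0050 046433C6:A003 03 00000000:00000000 01:00000064 00000001     0        0 0
   8: 0A0200C0:01BB 087100CB:B004 03 00000000:00000000 01:00000064 00000001     0        0 0
"""

def decode_endpoint(field):
    """Turn 'AABBCCDD:PPPP' (little-endian IPv4, hex port) into (ip, port)."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)

def half_open_by_port(table):
    """Map each local port to the remote IPs of its sockets in SYN_RECV."""
    pending = defaultdict(list)
    for line in table.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != SYN_RECV:
            continue                             # not a half-open connection
        _, local_port = decode_endpoint(fields[1])
        remote_ip, _ = decode_endpoint(fields[2])
        pending[local_port].append(remote_ip)
    return dict(pending)

def flag_ports(table, threshold):
    """Return {port: (half_open_count, distinct_sources)} at or above threshold."""
    return {port: (len(ips), len(set(ips)))
            for port, ips in half_open_by_port(table).items()
            if len(ips) >= threshold}

if __name__ == "__main__":
    for port, (count, sources) in flag_ports(SAMPLE, threshold=4).items():
        print(f"port {port}: {count} half-open connections from {sources} sources")
```

On a Linux host, pass the contents of `/proc/net/tcp` instead of `SAMPLE`; the threshold of 4 only suits the sample and should be set from the host's normal baseline.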
The SmartWall is capable of mitigating SYN flood attacks while maintaining full connectivity to avoid disrupting the delivery of legitimate traffic. It is designed to automatically handle floods in real time.