What is a SYN Flood Attack?

Introduction

SYN flood attacks were first documented nearly 30 years ago and continue to wreak havoc. One of the most infamous botnets of the last decade, Mirai, includes SYN flooding among its attack methods, using it to crash servers, cripple networks, and lock legitimate users out of services. Because SYN flood attacks remain a popular “go to” technique for threat actors, it’s important to understand how they work.

In this blog, we’ll dig into the different ways a SYN flood attack can occur, and the impact this type of DDoS attack can have on organizations. We’ll also offer guidance on how to detect and protect against this cyber threat.

SYN Flood Attacks 

A SYN flood attack is a type of denial-of-service attack that abuses the way the Transmission Control Protocol (TCP) sets up a connection between two devices. The attack targets a server with the aim of taking it offline by flooding it with connection requests and then never completing them. The half-open connections accumulate in the server’s connection backlog (the queue of pending connections held for each listening socket) until it is full, at which point the server can no longer accept connections from legitimate users. Even powerful servers capable of maintaining millions of established connections have been taken offline this way, because the resource being exhausted is the comparatively small per-listener backlog, not the server’s overall connection capacity.

How Does a SYN Flood Attack Work? 

A SYN flood attack works by exploiting the TCP three-way handshake, which operates at Layer 4 (the transport layer) of the OSI model. This is the connection setup that happens behind the scenes whenever a client opens a TCP connection to another device or service. Under normal circumstances, a TCP connection is established by exchanging packets in a three-step process:

  1. The client sends a SYN (synchronize) packet to the server to request a connection.
  2. The server responds with a SYN/ACK packet to acknowledge the request and records the pending connection in its backlog. At this point the connection is half-open: the server has allocated state for it and is waiting for the client.
  3. The client acknowledges the SYN/ACK by sending an ACK packet to the server. The connection is now fully established and stays open until one side closes it, so that data can be exchanged.

In a SYN flood attack, the threat actor repeats Step 1 over and over, sending a massive volume of SYN packets to the targeted server. The server responds to each one as in Step 2 and reserves a backlog slot for it. Step 3 never happens because the attacker never sends the final ACK (and, if the source addresses are spoofed, the SYN/ACKs go to hosts that never asked for a connection). Each half-open connection holds its slot until the server gives up retransmitting the SYN/ACK, which typically takes tens of seconds. Once the backlog is full, the server drops new SYNs, including those from legitimate clients, and the service appears down even though the host itself may be almost idle, which is the denial of service.
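To make the resource being exhausted concrete, here is an added simulation (not code from the original post) of a listener with a bounded backlog of half-open connections. The backlog size, the 63-second timeout, the client addresses and the attack rates are assumptions chosen for illustration; the attacker sends SYNs from spoofed sources and never completes Step 3, while one legitimate client per second tries to complete a handshake.

```python
"""Toy model of TCP half-open connection backlog exhaustion.

Constructed example: one listener with a bounded backlog, an attacker that
sends SYNs from spoofed sources and never completes step 3, and a legitimate
client that completes one handshake per second. Parameters are assumptions.
"""
from collections import OrderedDict


class Listener:
    """Bounded table of half-open connections, keyed by (client IP, port)."""

    def __init__(self, backlog, synack_timeout):
        self.backlog = backlog                # max half-open entries
        self.synack_timeout = synack_timeout  # seconds before the server gives up
        self.half_open = OrderedDict()        # (ip, port) -> expiry time
        self.established = set()
        self.dropped_syns = 0

    def expire(self, now):
        """Drop half-open entries whose SYN/ACK retransmissions have run out."""
        for key in [k for k, exp in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def on_syn(self, client, now):
        """Step 1 -> Step 2: reserve a slot and (conceptually) send SYN/ACK."""
        self.expire(now)
        if client in self.half_open:
            return True                       # retransmitted SYN, slot already held
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return False                      # queue full: SYN dropped, no SYN/ACK
        self.half_open[client] = now + self.synack_timeout
        return True

    def on_ack(self, client, now):
        """Step 3: the final ACK promotes a half-open entry to established."""
        self.expire(now)
        if client not in self.half_open:
            return False                      # nothing pending (expired or never queued)
        del self.half_open[client]
        self.established.add(client)
        return True


def steady_state_rate(backlog, synack_timeout):
    """SYNs per second an attacker needs to keep the backlog permanently full."""
    return backlog / synack_timeout


def run_flood(backlog=256, synack_timeout=63.0, attack_rate=20, duration=600):
    """Return (second at which the first legitimate SYN was dropped, or None,
    number of attacker SYNs sent)."""
    srv = Listener(backlog, synack_timeout)
    sent = 0
    for t in range(duration):
        for i in range(attack_rate):
            # spoofed source: a different address/port every time, never ACKed
            srv.on_syn((f"203.0.113.{i % 250 + 1}", 10000 + sent), t)
            sent += 1
        legit = ("192.0.2.10", 40000 + t)     # one real client per second
        if not srv.on_syn(legit, t):
            return t, sent
        srv.on_ack(legit, t + 0.1)
    return None, sent


if __name__ == "__main__":
    print("rate needed to hold 256 slots with a 63 s timeout:",
          round(steady_state_rate(256, 63.0), 2), "SYN/s")
    for rate in (4, 5, 20):
        print(f"{rate} SYN/s ->", run_flood(attack_rate=rate))
```

Running it shows that 20 SYN/s fills a 256-entry backlog in about 12 seconds, that 5 SYN/s still locks legitimate clients out within a minute, and that 4 SYN/s (just under backlog divided by timeout) never quite does, because entries start expiring before the last slot is taken. The attacker therefore needs only a trickle of traffic, which is the point the detection section makes about bursts that stay under the radar.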

Different Ways SYN Flood Attacks Can Occur

There are three primary types of SYN flood attacks:

  1. A direct attack is the simplest form of a SYN flood attack. The attacker uses a single device with a real IP address to launch the attack. Because the attacker’s own operating system would normally answer each unexpected SYN/ACK with a RST packet, which tells the server to discard the half-open connection, the attacker has to suppress that reply, either by filtering out the incoming SYN/ACK packets or by using a firewall rule to block outgoing RST packets. Direct attacks are rarely used because it is easy to trace where the attack is coming from and block that IP address.
  2. In a spoofed attack, the threat actor forges the source IP address on each SYN packet sent. The server’s SYN/ACKs go to the spoofed addresses, which never reply, and impersonating other machines’ addresses makes it extremely difficult to track down the source of the attack and mitigate it. Ingress filtering at the network edge (BCP 38) stops spoofed packets from leaving the originating network, but it is far from universally deployed.
  3. In a distributed attack (DDoS), the threat actor works through a botnet to send SYN requests from many different machines that have been hijacked for malicious purposes. Each machine in the botnet may also spoof its own IP address, which adds to the obfuscation. However, if the attacker is using a large botnet, such as Mirai, they generally don’t care about spoofing addresses or being traced. The distributed nature of the attack (i.e., many genuine sources, each sending at a modest rate) is enough to make these SYN flood attacks harder to defend against, because per-source rate limits and blocklists no longer single anything out.

Detecting SYN Flood Attacks

Many DDoS attacks take the tack of overwhelming a server with a massive, sustained flood of traffic, and a spike in bandwidth consumption is a key indicator of those attacks. In contrast, a SYN flood can be run in short bursts, sending just enough SYN requests within the SYN/ACK timeout window to fill the server’s backlog of half-open connections. An attacker who knows those two parameters, the timeout and the backlog size, can cut the traffic down to roughly backlog divided by timeout and still hold the backlog full: a backlog of 256 entries with the Linux default of about 63 seconds of SYN/ACK retransmissions, for example, can be kept full by roughly four SYNs per second, a rate that disappears into normal traffic.

This approach makes SYN flood attacks more difficult to detect. Security teams have to monitor closely for additional indicators of anomalous activity, including:

  • an unusually high number of connections in the SYN-received (half-open) state, for example a climbing SYN_RECV count in ss or netstat output on the server
  • a steady rise in half-open connections with no matching rise in established connections
  • a ratio of incoming SYN requests to completed handshakes (final ACKs) far above the normal baseline
  • degraded network performance, or connection failures reported by legitimate clients
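As an added example (not part of the original post), the following script computes three of those indicators from a tcpdump-style capture summary: the number of half-open connections, the ratio of SYNs to completed handshakes, and per-source SYN counts. The capture lines, the server address and the alert thresholds are all constructed for illustration.

```python
"""Detect a SYN flood from a packet capture summary (constructed example)."""
import re
from collections import defaultdict

# Matches tcpdump-style summary lines such as
#   12:00:01.000000 IP 192.0.2.10.51000 > 198.51.100.10.443: Flags [S]
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return the packet fields as a dict, or None for lines that are not packets."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    h, mi, s = d["ts"].split(":")
    return {
        "t": int(h) * 3600 + int(mi) * 60 + float(s),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": d["flags"],
    }


def handshake_stats(lines, server_ip, server_port):
    """Follow every client through the handshake and summarise the end states."""
    state = {}                  # (client ip, port) -> SYN_SENT | SYN_RCVD | ESTABLISHED
    syns_per_src = defaultdict(int)
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        f = p["flags"]
        if (p["dst"], p["dport"]) == (server_ip, server_port):
            key = (p["src"], p["sport"])
            if "S" in f and "." not in f:                      # bare SYN (step 1)
                state.setdefault(key, "SYN_SENT")
                syns_per_src[p["src"]] += 1
            elif "." in f and "S" not in f and state.get(key) == "SYN_RCVD":
                state[key] = "ESTABLISHED"                     # final ACK (step 3)
        elif (p["src"], p["sport"]) == (server_ip, server_port):
            key = (p["dst"], p["dport"])
            if "S" in f and "." in f and state.get(key) == "SYN_SENT":
                state[key] = "SYN_RCVD"                        # SYN/ACK sent (step 2)
    return {
        "syns": sum(syns_per_src.values()),
        "half_open": sum(1 for s in state.values() if s == "SYN_RCVD"),
        "completed": sum(1 for s in state.values() if s == "ESTABLISHED"),
        "syns_per_src": dict(syns_per_src),
    }


def syn_flood_alert(stats, max_half_open=20, min_completion=0.5, per_src_limit=10):
    """Return the indicators that fired (an empty list means no alert).
    Thresholds are assumptions; tune them to the service's normal baseline."""
    reasons = []
    if stats["half_open"] > max_half_open:
        reasons.append(f"{stats['half_open']} half-open connections (limit {max_half_open})")
    if stats["syns"] >= 10:
        ratio = stats["completed"] / stats["syns"]
        if ratio < min_completion:
            reasons.append(f"only {ratio:.0%} of {stats['syns']} SYNs completed the handshake")
    noisy = sorted(ip for ip, n in stats["syns_per_src"].items() if n >= per_src_limit)
    if noisy:
        reasons.append("high SYN rate from " + ", ".join(noisy))
    return reasons


SERVER = ("198.51.100.10", 443)   # assumed server address and port


def _pkt(ts, src, sport, dst, dport, flags):
    return f"{ts} IP {src}.{sport} > {dst}.{dport}: Flags [{flags}]"


# Constructed capture: two complete handshakes, then 40 spoofed SYNs, each
# from a different address, that are answered with SYN/ACK but never ACKed.
SAMPLE_CAPTURE = [
    _pkt("12:00:01.000000", "192.0.2.10", 51000, *SERVER, "S"),
    _pkt("12:00:01.010000", *SERVER, "192.0.2.10", 51000, "S."),
    _pkt("12:00:01.020000", "192.0.2.10", 51000, *SERVER, "."),
    _pkt("12:00:01.500000", "192.0.2.11", 51001, *SERVER, "S"),
    _pkt("12:00:01.510000", *SERVER, "192.0.2.11", 51001, "S."),
    _pkt("12:00:01.520000", "192.0.2.11", 51001, *SERVER, "."),
]
for _i in range(40):
    _ip, _port = f"203.0.113.{_i + 1}", 20000 + _i
    SAMPLE_CAPTURE.append(_pkt(f"12:00:02.{_i * 10000:06d}", _ip, _port, *SERVER, "S"))
    SAMPLE_CAPTURE.append(_pkt(f"12:00:02.{_i * 10000 + 5000:06d}", *SERVER, _ip, _port, "S."))

if __name__ == "__main__":
    stats = handshake_stats(SAMPLE_CAPTURE, *SERVER)
    print(stats["syns"], "SYNs,", stats["half_open"], "half-open,", stats["completed"], "completed")
    for reason in syn_flood_alert(stats):
        print("ALERT:", reason)
```

The per-source check stays silent on this capture because every spoofed SYN comes from a different address; the aggregate half-open count and the completion ratio are what catch a spoofed flood, which is why they belong in the monitoring alongside top-talker lists.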

Effects of a SYN Flood DDoS Attack

SYN flood DDoS attacks affect networks in the following ways:

  • Service disruption. Legitimate users find it difficult, if not impossible, to access applications, data, and ecommerce sites.
  • Resource strain. The server’s memory and CPU are consumed tracking bogus half-open connections and retransmitting SYN/ACKs that will never be answered.
  • Network congestion. If the flood is large enough, the volume of SYN packets and the SYN/ACK replies they provoke degrade the performance and responsiveness of the whole network.
  • Increased latency. Legitimate users trying to gain access to services may experience slow response time.
  • System failures. The server may crash and become entirely unavailable.

On the business side the impact can be:

  • Increased operational costs. Mitigation and dealing with the aftermath of an attack can require significant resources.
  • Reputational damage. Slow response times and service outages can cause users and customers to lose trust in the service.
  • Lost revenue. Service outages can cause organizations to lose sales in the short term, and in the long run can lead to customer churn.
  • Follow-on attacks. Threat actors can use a SYN flood attack as a way to disguise their real intentions. While the security team is distracted by addressing the denial of service, the threat actor shifts their focus to compromise other systems for other types of attacks such as data breaches and ransomware.

Mitigating and Preventing SYN Flood Attacks

There are several best practices and tools security teams can use to mitigate and prevent SYN flood attacks, including:

  • Use filtering to set up rules in tools such as load balancers, firewalls, and intrusion prevention systems that detect and block malicious SYN requests before they reach the target, based on specific patterns or known malicious IP addresses. Where the upstream provider supports it, ingress filtering (BCP 38) also removes spoofed-source packets before they arrive.
  • Implement rate limiting by setting a threshold on the number of SYN requests the server, or a given source, may receive per second; most firewalls can match on the SYN flag for exactly this purpose. Per-source limits help against direct attacks but do little against spoofed or distributed floods, where each source sends only a few packets.
  • Increase the backlog queue to raise the number of half-open connections the server will hold (on Linux, net.ipv4.tcp_max_syn_backlog, together with the listen backlog capped by net.core.somaxconn). This creates a buffer and buys time, but a larger queue still fills up under a sustained flood.
  • Reduce the time-out period so that half-open connections are discarded sooner. On Linux, lowering net.ipv4.tcp_synack_retries from the default of 5, which keeps an entry for roughly 63 seconds, to 2 or 3 frees slots far faster; the cost is that clients on very lossy paths may fail to connect.
  • Use a SYN cache, which stores a minimal record (addresses, ports, sequence numbers) for each half-open connection instead of a full connection control block, so many more pending connections fit in the same memory.
  • Use SYN cookies, so that the server allocates no state at all until the final ACK arrives. The server encodes the handshake details into the sequence number of its SYN/ACK as a keyed hash of the addresses, ports and a slowly ticking timer; an ACK that carries a valid cookie is promoted to a real connection and everything else is ignored. On Linux, net.ipv4.tcp_syncookies=1 turns cookies on automatically once the backlog overflows. The trade-off is that the cookie has no room for the TCP options negotiated in the SYN (window scaling, selective acknowledgement), so those are lost unless the client uses TCP timestamps, which Linux can use to carry them.
  • Recycle the oldest half-open connections, so that when the backlog is full the oldest pending request is evicted to make room for the new one instead of dropping the new SYN. An attacker who keeps the queue full can still evict legitimate pending connections, so this limits damage rather than preventing it.
  • Use a reverse proxy or load balancer that terminates TCP itself, completes the handshake on the server’s behalf, and only forwards fully established connections, so the flood lands on a hardened front end rather than the application server.
  • Use a DDoS protection solution that protects against the gamut of DDoS attacks while maintaining access to services for legitimate users, and can also protect against follow-on attacks.
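The SYN cookie mechanism from the list above, as an added example that is neither the original post’s code nor the Linux implementation: the server’s initial sequence number is computed from a keyed hash rather than stored, and the final ACK is validated from that number alone. The secret, the MSS table, the use of HMAC-SHA256 and the 5/3/24-bit layout are simplifications assumed for illustration.

```python
"""SYN cookies: a stateless three-way handshake (constructed example).

Loosely modelled on the Linux scheme; the secret, the MSS table, the HMAC and
the bit layout are assumptions for illustration, not the kernel's algorithm.
"""
import hashlib
import hmac

SECRET = b"per-host secret, rotated periodically (assumption)"
MSS_TABLE = (536, 1220, 1440, 1460)   # the only MSS values a cookie can encode


def _mac(src, dst, sport, dport, counter):
    """Keyed hash over the 4-tuple and the coarse timer tick."""
    msg = f"{src}|{dst}|{sport}|{dport}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def make_cookie(src, dst, sport, dport, client_isn, mss, counter):
    """Server ISN that carries the handshake state instead of a backlog entry.

    32-bit layout: [counter mod 32 : 5 bits][MSS index : 3 bits][MAC + client ISN mod 2^24 : 24 bits]
    Nothing is stored: the SYN costs the server one hash and nothing else.
    """
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = (_mac(src, dst, sport, dport, counter) + client_isn) & 0xFFFFFF
    return ((counter & 0x1F) << 27) | (idx << 24) | mac


def check_cookie(src, dst, sport, dport, client_isn, ack_num, counter):
    """Validate the final ACK without any stored state.

    Returns the MSS to use for the connection, or None if the ACK does not
    carry a cookie minted by us for this 4-tuple within the last two ticks.
    """
    cookie = (ack_num - 1) & 0xFFFFFFFF          # the client ACKs our ISN + 1
    tick, idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if idx >= len(MSS_TABLE):
        return None                              # not an index we ever emit
    for c in (counter, counter - 1):             # tolerate one tick of delay
        if (c & 0x1F) != tick:
            continue
        expected = (_mac(src, dst, sport, dport, c) + client_isn) & 0xFFFFFF
        if hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big")):
            return MSS_TABLE[idx]
    return None


def handshake_demo(counter=1000):
    """One legitimate handshake and one blind forged ACK; no state kept for either.
    Addresses, ISN and the timer value are constructed for the example."""
    server = ("198.51.100.10", 443)
    client = ("192.0.2.10", 51000)
    client_isn = 0x12345678
    # Step 1: SYN arrives. Step 2: reply with a SYN/ACK whose seq is the cookie.
    server_isn = make_cookie(client[0], server[0], client[1], server[1],
                             client_isn, 1460, counter)
    # Step 3: the client ACKs server_isn + 1; only now is a connection created.
    mss = check_cookie(client[0], server[0], client[1], server[1],
                       client_isn, server_isn + 1, counter)
    # An attacker that skipped step 1 cannot produce a valid cookie.
    forged = check_cookie("203.0.113.5", server[0], 4444, server[1],
                          0, 0xDEADBEEF, counter)
    return mss, forged


if __name__ == "__main__":
    print("legitimate MSS, forged result:", handshake_demo())
```

Because make_cookie keeps nothing, a million spoofed SYNs cost the server a million hashes and no memory, and the trade-off noted in the list is visible in the code: the ISN has room to encode the MSS but no bits left for window scaling or SACK, which is why real implementations fall back to TCP timestamps to carry them.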

Final Thoughts

Although they were discovered decades ago, SYN flood attacks continue to disrupt services and have been adopted by one of the most notorious botnets of all time, Mirai. These attacks can be difficult to detect and mitigate because instead of flooding networks with a massive amount of traffic that generates an immediate and crippling spike in bandwidth, they can take a more subtle approach. By filling a server’s backlog with connection requests that are never completed, they drain its resources and eventually lead to denial of service.

Despite the more subtle attack approach, the impact of a SYN flood is far from subtle and includes service disruption, resource strain, network congestion, increased latency, and system failures. Businesses that experience a SYN flood attack can face increased operational costs, reputational damage, and, ultimately, revenue loss.

There are several best practices and technologies to mitigate and prevent SYN flood attacks, including filtering, rate limiting, increasing the backlog queue, reducing the time-out period, using a cache and/or cookies to conserve server resources, recycling the oldest half-open connections, and using a reverse proxy.

However, because threat actors frequently use botnets to launch DDoS attacks, sometimes with the intent of distracting security teams in order to launch other types of attacks, organizations should also consider implementing advanced DDoS protection. DDoS protection coupled with intelligence to stay ahead of emerging threats, provides uninterrupted service availability even in the midst of a SYN flood DDoS attack. Comprehensive DDoS protection can also defend against follow-on threats including data leakage, ransomware attacks, and other malicious activity that can harm your business. Visit our threat intelligence research center for more information on DDoS defense in depth.
