What are SYN floods, what can they do to your business, and how do you stop them?

It’s often said that nice guys finish last. But if you thought this was a problem limited to human beings, think again. Even technology is susceptible. More specifically, even your technology is susceptible.


When an attacker takes advantage of the welcoming nature of the internet, it leads to a DDoS attack type called a SYN flood, which can lead to all of the damage associated with DDoS attacks: a loss of revenue, loss of consumer trust, damage to hardware and software, and theft of financial data, consumer information, or intellectual property.

Know the protocol

A Distributed Denial of Service (DDoS) attack seeks to deny service of a website, network, server or another internet resource to its legitimate users. This is accomplished by interrupting or suspending the services of an internet-connected host.

These types of attacks can be generally divided into three categories: volume-based attacks, which saturate the bandwidth of the attacked site; application layer attacks, which crash web servers by over-exercising site functions or features with seemingly legitimate requests; and protocol attacks, which are designed to consume actual server resources or resources of intermediate communication equipment like load balancers or firewalls. Protocol attacks do so by exploiting weaknesses in internet protocols. SYN floods fall into this category.

A handshake disagreement

As per the definition laid out by DDoS mitigation firm Incapsula, a SYN flood exploits a known weakness in the TCP three-way handshake protocol in order to consume a server’s resources and leave it unresponsive to legitimate requests.

The TCP three-way handshake normally works like this: to create a connection between a client and a server, the client requests a connection by sending a synchronize message (SYN) to the server. The server then acknowledges this request by sending a synchronize-acknowledge message (SYN-ACK) back to the client. In the third part of the handshake, the client sends back an acknowledge message (ACK). With these three steps, the connection is established.

An attacker can exploit this process with a SYN flood by repeatedly sending SYN requests (otherwise known as packets) to the victim server. When the server sends back the SYN-ACK messages, the attacker either doesn’t respond, or the SYN-ACK messages can’t actually go anywhere because the requests were sent from a spoofed IP in the first place. Either way, the server is stuck waiting for responses it isn’t going to get, and with all of these connections half-open, server resources are tied up and unable to respond to legitimate requests.

The threat posed by SYN floods

All types of DDoS attacks are bad news, but if SYN floods rank higher on the threat meter, it’s because they’re so common. According to Incapsula, attacks involving SYN floods account for over 50% of all DDoS attacks.

Furthermore, SYN floods can either involve regular SYN packets, or large SYN packets, so there are actually two types of SYN floods. And with most DDoS attacks now being multi-vector, or using more than one attack method, guess what accounts for the most common multi-vector attack method? That’s right – a combination of regular SYN flood and large SYN flood. This combination accounts for over 75% of all multi-vector DDoS attacks.


SYN floods (Large + Normal) are 50% of all Network layer DDoS attacks (source: Incapsula 2013-2014 DDoS trends report)

Damming your servers

Businesses are living in an increasingly online world, and that means websites need to be available at all times. This is especially true in industries like online gaming and finance, but every business-related website out there will be hurt to some degree by a DDoS outage. Whether it’s as immediately devastating as financial data theft or as quietly damaging as customers deciding to go elsewhere, a SYN flood carries consequences.

The good news is that SYN floods can absolutely be prevented with professional DDoS mitigation. With SYN floods accounting for over 50% of all DDoS attacks and over 75% of all multi-vector DDoS attacks, have no doubt about it, professional DDoS mitigation is aware of the SYN flood problem and knows how to fix it.

One of the most common strategies professional DDoS mitigation will employ to prevent SYN floods is SYN cookies. In this strategy, the server is configured to reply to all SYN requests with a SYN-ACK message whose sequence number is a hash constructed from the client’s IP address, a timestamp and other specific identifying information. Unless the client is able to respond with an ACK message that reflects this sequence number, no memory is allocated on the server for the connection, and therefore there are no half-open connections.
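The SYN cookie idea described above, as an added sketch that is not code from the original article or from any vendor. The key, the 8-bit time slot plus 24-bit hash layout, and the `CookieListener` class are assumptions made for illustration; production implementations also encode the negotiated MSS in the cookie.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-key"  # assumption: a random per-server secret in practice
SLOT_SECONDS = 64                 # assumption: coarse timestamp granularity
MAX_AGE_SLOTS = 2                 # accept cookies from the current or previous slot

def _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, slot):
    """24-bit keyed hash over the connection 4-tuple, client ISN and time slot."""
    msg = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    msg += struct.pack("!HHIB", src_port, dst_port, client_isn, slot)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, now):
    """Sequence number for the SYN-ACK: 8-bit time slot, then the 24-bit hash."""
    slot = (int(now) // SLOT_SECONDS) & 0xFF
    return (slot << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, slot)

def check_ack(src_ip, src_port, dst_ip, dst_port, seq, ack, now):
    """Validate the final ACK from its own fields alone (no per-connection state)."""
    cookie = (ack - 1) & 0xFFFFFFFF       # client acknowledges cookie + 1
    client_isn = (seq - 1) & 0xFFFFFFFF   # client's sequence number is its ISN + 1
    slot = cookie >> 24
    age = ((int(now) // SLOT_SECONDS) - slot) & 0xFF
    if age >= MAX_AGE_SLOTS:
        return False                      # cookie too old, or slot bits forged
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, slot)
    return hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big"))

class CookieListener:
    """Toy listener: memory is allocated only after a valid ACK arrives."""
    def __init__(self, ip, port):
        self.ip, self.port, self.established = ip, port, set()

    def on_syn(self, src_ip, src_port, client_isn, now):
        # Nothing is stored here; the cookie itself carries the state.
        return make_cookie(src_ip, src_port, self.ip, self.port, client_isn, now)

    def on_ack(self, src_ip, src_port, seq, ack, now):
        ok = check_ack(src_ip, src_port, self.ip, self.port, seq, ack, now)
        if ok:
            self.established.add((src_ip, src_port))
        return ok
```

However many SYNs arrive without a matching ACK, `established` stays empty, which is the property the paragraph above describes.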

Other SYN flood mitigation strategies include allocating small amounts of server memory for SYN requests, replying to all first-ever SYN requests with an intentionally invalid SYN-ACK message, and reducing the time period for which memory is allocated to potential connections.
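To see why shortening the time that memory is held for potential connections helps, and where it stops helping, here is an added, simplified model of a server's half-open connection queue (not from the original article). The function name, the tick-based timing and all parameter values are constructed for illustration; no network traffic is involved.

```python
def simulate_backlog(backlog_size, half_open_timeout, unanswered_syns_per_tick,
                     ticks, legit_every=5):
    """Model a fixed-size half-open queue and count legitimate clients served.

    Each unanswered SYN holds one slot until `half_open_timeout` ticks pass.
    A legitimate client arrives every `legit_every` ticks and is served only
    if a slot is free at that moment (it completes the handshake at once, so
    it does not hold the slot). Returns (accepted, dropped).
    """
    backlog = []            # expiry tick of every half-open entry
    accepted = dropped = 0
    for tick in range(ticks):
        # Reap entries whose timer has run out, freeing their memory.
        backlog = [expiry for expiry in backlog if expiry > tick]
        # SYNs that will never be completed take whatever room is left.
        room = backlog_size - len(backlog)
        backlog.extend([tick + half_open_timeout] * min(room, unanswered_syns_per_tick))
        # A legitimate SYN needs a free slot to be accepted.
        if tick % legit_every == 0:
            if len(backlog) < backlog_size:
                accepted += 1
            else:
                dropped += 1
    return accepted, dropped

def compare_timeouts():
    """Same queue size, three constructed scenarios."""
    return {
        "long timeout, moderate flood": simulate_backlog(128, 60, 10, 300),
        "short timeout, moderate flood": simulate_backlog(128, 5, 10, 300),
        "short timeout, heavy flood": simulate_backlog(128, 5, 100, 300),
    }
```

In this model the queue holds roughly rate times timeout entries at steady state, so a shorter timeout protects legitimate clients only while that product stays below the queue size.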

No DIY for SYN

Protecting against SYN floods isn’t easy because your server’s ability to make connections is what keeps your website running smoothly for legitimate users, so that isn’t something you really want to mess with. That, combined with the fact that DDoS attack traffic can often be measured in tens or even hundreds of Gigabits, is what makes professional DDoS protection a necessity.

With professional DDoS mitigation, your servers can become secure, and your website will be better for it.
