SYN Flood Attacks - AWS Best Practices for DDoS Resiliency

SYN Flood Attacks

When a user connects to a Transmission Control Protocol (TCP) service, such as a web server, their client sends a SYN (synchronization) packet. The server returns a SYN-ACK packet in acknowledgement, and finally the client responds with an acknowledgement (ACK) packet, which completes the expected three-way handshake. The following image illustrates this typical handshake.

[Figure: SYN three-way handshake]

In a SYN flood attack, a malicious client sends a large number of SYN packets but never sends the final ACK packets to complete the handshakes. The server is left waiting for a response on each half-open TCP connection and eventually runs out of capacity to accept new TCP connections, which can prevent new users from connecting to the server. The attack aims to tie up the server's available connection slots so that none remain for legitimate connections. While SYN floods can reach up to hundreds of Gbps, the purpose of the attack is to exhaust connection state, not to increase SYN traffic volume for its own sake.
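The half-open state described above is also what a defender can measure. The following is an added example, not code from the AWS page: it walks a constructed packet log in an assumed format (`<seconds> <src>:<sport> -> <dst>:<dport> <flags>`), tracks each client flow through SYN, SYN-ACK and ACK, and reports sources that leave handshakes incomplete.

```python
from collections import defaultdict

# Constructed sample (not real traffic). 10.0.0.5 completes one handshake;
# 198.51.100.7 sends three SYNs and never returns the final ACK.
SAMPLE_LOG = """\
0.000 10.0.0.5:40001 -> 192.0.2.10:80 S
0.001 192.0.2.10:80 -> 10.0.0.5:40001 SA
0.002 10.0.0.5:40001 -> 192.0.2.10:80 A
0.010 198.51.100.7:5001 -> 192.0.2.10:80 S
0.011 192.0.2.10:80 -> 198.51.100.7:5001 SA
0.012 198.51.100.7:5002 -> 192.0.2.10:80 S
0.013 192.0.2.10:80 -> 198.51.100.7:5002 SA
0.014 198.51.100.7:5003 -> 192.0.2.10:80 S
0.015 192.0.2.10:80 -> 198.51.100.7:5003 SA
"""

def parse_line(line):
    """Return (src_ip, src_port, dst_ip, dst_port, flags) for one log line."""
    _ts, src, _arrow, dst, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return src_ip, int(src_port), dst_ip, int(dst_port), flags

def handshake_stats(log, server_ip):
    """Per client IP, return (incomplete, completed) handshake counts.

    A flow is keyed by the client's (ip, port) and advances only through the
    expected order SYN -> SYN-ACK -> ACK; anything short of ACK is incomplete
    and occupies server connection state (the half-open case on this page).
    """
    state = {}  # (client_ip, client_port) -> "syn" | "synack" | "done"
    for line in log.splitlines():
        src_ip, src_port, dst_ip, dst_port, flags = parse_line(line)
        if dst_ip == server_ip and flags == "S":
            state[(src_ip, src_port)] = "syn"
        elif src_ip == server_ip and flags == "SA":
            if state.get((dst_ip, dst_port)) == "syn":
                state[(dst_ip, dst_port)] = "synack"
        elif dst_ip == server_ip and flags == "A":
            if state.get((src_ip, src_port)) == "synack":
                state[(src_ip, src_port)] = "done"
    stats = defaultdict(lambda: [0, 0])
    for (client_ip, _port), s in state.items():
        stats[client_ip][1 if s == "done" else 0] += 1
    return {ip: tuple(v) for ip, v in stats.items()}

def suspicious_sources(stats, max_incomplete=2):
    """Client IPs holding more than max_incomplete unfinished handshakes."""
    return sorted(ip for ip, (incomplete, _d) in stats.items() if incomplete > max_incomplete)
```

The threshold is a placeholder for illustration; on a real service it should be set from the observed baseline of incomplete handshakes per source.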