SYN Flood Attacks - AWS Best Practices for DDoS Resiliency

SYN Flood Attacks

When a user connects to a TCP service, such as a web server, their client sends a SYN (synchronize) packet. The server records the pending connection, returns a SYN-ACK packet in acknowledgement, and waits; finally, the client responds with an ACK packet, which completes the three-way handshake and the connection becomes established. Figure 4 illustrates this typical handshake.

Figure 4: SYN 3-way Handshake

In a SYN flood attack, a malicious client sends a large number of SYN packets but never sends the final ACK packets to complete the handshakes. The source addresses are usually spoofed, so the server's SYN-ACKs go to hosts that never reply. Each unanswered SYN leaves the server holding a half-open TCP connection in its listen backlog until the entry times out, and once that backlog is full the server drops new SYNs. This prevents new users from connecting to the server. SYN floods can reach hundreds of Gbps, but the attack is not about SYN traffic volume: its effect comes from tying up the server's available connection slots so that no resources remain for legitimate connections.
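The following Python model is an added example, not code from the AWS whitepaper. It simulates a listener's half-open connection table to show the mechanism described above: the flood exhausts the backlog rather than the link, a legitimate SYN is dropped while the table is full, and it is accepted again only after the stale entries expire. The backlog size, timeout, and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed for illustration. The second, stateless listener goes beyond the page: it sketches the SYN-cookie approach (no half-open state kept; the SYN-ACK sequence number is an HMAC the final ACK must echo) to make concrete why removing the per-SYN state removes the exhaustion.

```python
"""Model of a TCP listener's half-open table under a SYN flood (added example, not AWS code)."""
import hashlib
import hmac
import os


class Listener:
    """Stateful listener: every SYN gets a SYN-ACK and a slot in the half-open table
    (SYN_RECEIVED) until the client's ACK arrives or the entry times out."""

    def __init__(self, backlog, syn_timeout=60.0):
        self.backlog = backlog            # max half-open entries (illustrative size)
        self.syn_timeout = syn_timeout    # seconds a half-open entry is retained
        self.half_open = {}               # (src_ip, src_port) -> expiry time
        self.established = 0
        self.dropped_syns = 0

    def _expire(self, now):
        for key in [k for k, exp in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def on_syn(self, src, now):
        """Return True if a SYN-ACK is sent (slot allocated), False if the SYN is dropped."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return False
        self.half_open[src] = now + self.syn_timeout
        return True

    def on_ack(self, src, now):
        """Third handshake step: move the entry from half-open to established."""
        self._expire(now)
        if src not in self.half_open:
            return False
        del self.half_open[src]
        self.established += 1
        return True


def simulate_syn_flood(backlog=256, attack_syns=1000, syn_timeout=60.0):
    """Spoofed-source SYNs fill the backlog; a legitimate client is refused until entries expire."""
    srv = Listener(backlog, syn_timeout)
    # Constructed attack traffic: one SYN per spoofed (ip, port) pair, never followed by an ACK.
    for i in range(attack_syns):
        srv.on_syn(("203.0.113.%d" % (i % 256), 40000 + i), now=0.0)
    peak = len(srv.half_open)
    legit = ("198.51.100.7", 51515)
    during = srv.on_syn(legit, now=1.0)                 # backlog full -> dropped
    after = srv.on_syn(legit, now=syn_timeout + 1.0)    # stale entries expired -> accepted
    if after:
        srv.on_ack(legit, now=syn_timeout + 1.1)
    return {
        "half_open_peak": peak,
        "legit_syn_during_flood": during,
        "legit_syn_after_timeout": after,
        "established": srv.established,
        "dropped_syns": srv.dropped_syns,
    }


class CookieListener:
    """Stateless variant (SYN-cookie style, beyond what the page covers): no half-open table.
    The SYN-ACK's initial sequence number is an HMAC over the peer address and a coarse time
    bucket; the final ACK (ack = ISN + 1) is accepted only if that HMAC recomputes."""

    def __init__(self, secret=None, window=60):
        self.secret = secret or os.urandom(32)
        self.window = window              # seconds per time bucket
        self.established = 0

    def _cookie(self, src, bucket):
        msg = "%s:%d:%d" % (src[0], src[1], bucket)
        return hmac.new(self.secret, msg.encode(), hashlib.sha256).digest()[:4]

    def on_syn(self, src, now):
        """Return the ISN to place in the SYN-ACK; nothing is stored."""
        return int.from_bytes(self._cookie(src, int(now // self.window)), "big")

    def on_ack(self, src, ack_num, now):
        """Validate the ACK against the current and previous time bucket."""
        isn = ((ack_num - 1) & 0xFFFFFFFF).to_bytes(4, "big")
        bucket = int(now // self.window)
        for b in (bucket, bucket - 1):
            if hmac.compare_digest(isn, self._cookie(src, b)):
                self.established += 1
                return True
        return False


def simulate_cookie_flood(attack_syns=1000):
    """Same flood against the stateless listener: no table to exhaust, so the legitimate
    handshake completes no matter how many unanswered SYNs arrived."""
    srv = CookieListener()
    for i in range(attack_syns):
        srv.on_syn(("203.0.113.%d" % (i % 256), 40000 + i), now=0.0)
    legit = ("198.51.100.7", 51515)
    isn = srv.on_syn(legit, now=1.0)
    return srv.on_ack(legit, (isn + 1) & 0xFFFFFFFF, now=1.2)


if __name__ == "__main__":
    print(simulate_syn_flood())
    print("stateless listener completed handshake:", simulate_cookie_flood())
```

With the defaults, 1000 spoofed SYNs leave 256 half-open entries and 744 drops; the legitimate SYN at t=1 s is the 745th drop, and it succeeds only at t=61 s once the stale entries have timed out. The point the numbers make is the one the text makes: a few hundred small packets, not hundreds of gigabits, are enough to fill the table, and the resource being consumed is connection state, not bandwidth.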