What is a SYN Flood Attack? How Does the Attack Work?

A SYN flood, also known as a half-open attack, is a denial-of-service (DoS) attack that tries to make a server unavailable to legitimate traffic by exhausting its resources. The attacker sends a stream of initial connection request (SYN) packets to a listening port faster than the half-open connections they create can complete or time out, filling the server's connection backlog. Once the backlog is full, the server answers legitimate connection attempts slowly or not at all. When the SYNs come from many machines at once, it is a distributed denial-of-service (DDoS) attack.

How Does a SYN Flood Attack Work?

SYN flood attacks exploit the TCP handshake. A TCP connection is normally established in three steps:

  1. The client sends a SYN packet to the server to request a connection.
  2. The server replies with a SYN/ACK packet acknowledging the request, and records the connection as half-open while it waits for the client.
  3. The client sends back an ACK packet confirming that it received the SYN/ACK.

Once this exchange completes, the connection is established and ready to carry data.

The attacker relies on the fact that, after receiving a SYN, the server replies with a SYN/ACK (retransmitting it if no answer arrives) and then waits for the final ACK. The attack proceeds as follows:

  1. The attacker sends the target a large number of SYN packets, usually with spoofed source IP addresses.
  2. The server answers each request with a SYN/ACK and allocates an entry in its backlog of half-open (SYN_RECV) connections to track the pending handshake.
  3. The attacker keeps sending SYNs while the server waits for final ACKs that never arrive; with spoofed sources, the SYN/ACKs go to hosts that never asked for a connection.
  4. Each half-open entry is held until its timeout expires, typically tens of seconds once SYN/ACK retransmissions are counted.
  5. Once the backlog is full, the server drops new SYNs, including those from legitimate clients, and the service is effectively unavailable.

In networking, a connection is half-open when one end considers it open (here, the server waiting in SYN_RECV) while the other end does not. In this attack the server accumulates half-open connections and can only free each backlog slot when its timeout expires, which is why the technique is also called a half-open attack.
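The handshake and its abuse, as an added worked model that is not part of the original article: the listener below keeps only the server-side half-open state, with an assumed 60-second SYN_RECV timeout and an assumed backlog of 128 entries, and no real sockets are used. The `syn_cookies` flag goes beyond the article and models the SYN cookie defence, in which the server encodes the handshake state in its SYN/ACK sequence number instead of storing a backlog entry; the cookie secret and the sysctl names in the comments are Linux references, not values from the article.

```python
"""Model of a TCP listener's SYN backlog under a half-open (SYN flood) attack.

Constructed example: no real sockets are opened. It tracks only the
server-side state the three-way handshake creates and shows why SYNs whose
final ACK never arrives starve legitimate clients, and how SYN cookies
avoid that.
"""
import hashlib
import random
from dataclasses import dataclass, field

SYN_RECV_TIMEOUT = 60.0        # assumed lifetime of a half-open entry, in seconds
COOKIE_SECRET = b"rotate-me"   # assumed per-host secret for SYN cookies


def syn_cookie(src):
    """Server ISN derived from the client's address under a secret, so the
    returning ACK can be checked without any stored per-connection state."""
    digest = hashlib.sha256(COOKIE_SECRET + repr(src).encode()).digest()
    return int.from_bytes(digest[:4], "big")


@dataclass
class Listener:
    backlog: int                 # maximum half-open entries (cf. net.ipv4.tcp_max_syn_backlog)
    syn_cookies: bool = False    # cf. net.ipv4.tcp_syncookies
    half_open: dict = field(default_factory=dict)   # src -> (server ISN, expiry time)
    established: set = field(default_factory=set)
    dropped_syns: int = 0

    def expire(self, now):
        """Forget half-open entries whose timer ran out: the server stops waiting."""
        for src in [s for s, (_, t) in self.half_open.items() if t <= now]:
            del self.half_open[src]

    def on_syn(self, src, now):
        """Steps 1 and 2: a SYN arrives; reply SYN/ACK and remember the half-open
        connection, or drop the SYN when the backlog is full."""
        self.expire(now)
        if len(self.half_open) < self.backlog:
            isn = random.getrandbits(32)
            self.half_open[src] = (isn, now + SYN_RECV_TIMEOUT)
            return ("SYN/ACK", isn)
        if self.syn_cookies:
            # Backlog exhausted: still answer, but carry the state in the ISN.
            return ("SYN/ACK", syn_cookie(src))
        self.dropped_syns += 1
        return ("DROP", None)

    def on_ack(self, src, ack_num, now):
        """Step 3: the final ACK; it must acknowledge our ISN + 1."""
        self.expire(now)
        if src in self.half_open:
            isn, _ = self.half_open[src]
            if ack_num != isn + 1:
                return "RST"
            del self.half_open[src]          # slot freed, connection established
            self.established.add(src)
            return "ESTABLISHED"
        if self.syn_cookies and ack_num == syn_cookie(src) + 1:
            self.established.add(src)        # state rebuilt from the cookie alone
            return "ESTABLISHED"
        return "RST"                         # no handshake in progress for this peer


def legit_connect(server, src, now):
    """Well-behaved client: SYN, then an ACK of whatever SYN/ACK it receives."""
    reply, isn = server.on_syn(src, now)
    if reply != "SYN/ACK":
        return False
    return server.on_ack(src, isn + 1, now + 0.01) == "ESTABLISHED"


def syn_flood(server, count, now):
    """Attacker: `count` SYNs from distinct (spoofed) sources, never sending the ACK."""
    for i in range(count):
        server.on_syn((f"198.51.100.{i % 254 + 1}", 1024 + i), now)


def run_scenario(syn_cookies=False, backlog=128, flood_size=200):
    """Whether a legitimate client connects before, during and after the flood."""
    server = Listener(backlog=backlog, syn_cookies=syn_cookies)
    before = legit_connect(server, ("203.0.113.10", 40000), now=0.0)
    syn_flood(server, flood_size, now=1.0)
    peak = len(server.half_open)
    during = legit_connect(server, ("203.0.113.11", 40001), now=2.0)
    after = legit_connect(server, ("203.0.113.12", 40002), now=1.0 + SYN_RECV_TIMEOUT + 1.0)
    return {"before": before, "during": during, "after": after,
            "half_open_peak": peak, "dropped_syns": server.dropped_syns}


if __name__ == "__main__":
    print("plain backlog:", run_scenario(syn_cookies=False))
    print("SYN cookies  :", run_scenario(syn_cookies=True))
```

Without cookies, 200 spoofed SYNs fill the 128-entry backlog, the legitimate client that arrives during the flood is dropped, and service only resumes once the stale entries expire; with cookies, the server keeps answering without storing state and the same client connects.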

A SYN Flood Can Occur in 3 Different Ways:

  1. Direct attack: the attacker sends SYNs from a single machine using its real, unspoofed IP address. This is the easiest variant to detect and mitigate, since every packet comes from one source that can simply be blocked. To keep the target's connections half-open, the attacker must stop their own machine from answering the target's SYN/ACKs, for example with a firewall rule that drops them; otherwise the attacker's own TCP stack would either complete the handshake or send a RST that lets the server discard the entry.
  2. Spoofed attack: the attacker forges the source IP address of every SYN, which hides their identity, defeats simple per-source blocking, and directs the server's SYN/ACKs at hosts that never requested a connection. Tracing spoofed packets back to their origin is difficult but not impossible; it generally requires the cooperation of upstream network operators.
  3. Distributed attack (DDoS): when the SYNs come from a botnet, the attack is far harder to trace to its operator because the traffic originates from many compromised devices. Each bot can additionally spoof its source addresses to obscure things further, though attackers using a botnet such as Mirai often do not bother, since the compromised devices' addresses do not lead back to them.
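To tell these variants apart on the wire, as an added example that is not from the article: the analyser below reads a constructed, simplified packet log (one `time src dst flags` line per packet, a format invented here rather than tcpdump's) and counts half-open flows per source address. A flood in which one address owns almost all of the half-open flows is a direct attack; many addresses with one or two each indicate spoofed or distributed sources. The thresholds and sample logs are assumed values.

```python
"""Classify a SYN flood from a packet log as direct (one unspoofed source)
or spoofed/distributed (many sources). Constructed example; the log format
is simplified and the sample logs are synthetic."""
from collections import defaultdict

SERVER = "192.0.2.5:443"   # the listener under observation (constructed)


def parse(log):
    """One line per packet: '<time> <src ip:port> <dst ip:port> <flags>'.
    'S' is a bare SYN (client opening), '.' a bare ACK (handshake completion)."""
    flows = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, flags = line.split()
        state = flows.setdefault((src, dst), {"syn": False, "ack": False})
        if flags == "S":
            state["syn"] = True
        elif flags == ".":
            state["ack"] = True
    return flows


def half_open_by_source(flows):
    """Flows that saw a SYN but never the client's ACK, grouped by source IP."""
    counts = defaultdict(int)
    for (src, _dst), st in flows.items():
        if st["syn"] and not st["ack"]:
            counts[src.rsplit(":", 1)[0]] += 1
    return dict(counts)


def analyze(log, min_half_open=100, single_source_share=0.8):
    """Verdict: 'normal', 'direct' (one source dominates) or 'spoofed-or-distributed'.
    Thresholds are assumed; tune them to the site's normal half-open rate."""
    counts = half_open_by_source(parse(log))
    total = sum(counts.values())
    if total < min_half_open:
        verdict = "normal"
    else:
        top = max(counts.values())
        verdict = "direct" if top / total >= single_source_share else "spoofed-or-distributed"
    return {"verdict": verdict, "half_open": total, "sources": len(counts)}


def synth_syns(source_of, n, start=1.0):
    """Constructed SYN-only packets (never followed by an ACK) for the samples below."""
    return "".join(f"{start + i / 1000:.3f} {source_of(i)} {SERVER} S\n" for i in range(n))


# Constructed sample logs: two completed handshakes, then (optionally) a flood.
NORMAL_LOG = (
    "0.000 203.0.113.10:40000 192.0.2.5:443 S\n"
    "0.010 203.0.113.10:40000 192.0.2.5:443 .\n"
    "0.050 203.0.113.11:40001 192.0.2.5:443 S\n"
    "0.060 203.0.113.11:40001 192.0.2.5:443 .\n"
)
# Direct: one unspoofed source cycling through ephemeral ports and never ACKing.
DIRECT_LOG = NORMAL_LOG + synth_syns(lambda i: f"198.51.100.7:{20000 + i}", 300)
# Spoofed or distributed: a different source address on nearly every SYN.
SPOOFED_LOG = NORMAL_LOG + synth_syns(lambda i: f"198.51.100.{i % 254 + 1}:{20000 + i}", 300)


if __name__ == "__main__":
    for name, log in [("normal", NORMAL_LOG), ("direct", DIRECT_LOG), ("spoofed", SPOOFED_LOG)]:
        print(f"{name:8s} {analyze(log)}")
```

The same per-source view is available live on a Linux host with `ss -n state syn-recv`, which lists the sockets currently half-open; a direct flood shows one peer address over and over, a spoofed or distributed flood shows hundreds of different ones.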

Because of this, a SYN flood can deny service with far less traffic than other DDoS attacks. Unlike volumetric attacks, which aim to saturate the network links around the target, a SYN flood only needs to exceed the size of the target operating system's connection backlog. That is also why modern operating systems defend against it with SYN cookies (`net.ipv4.tcp_syncookies` on Linux), which let the server encode the handshake state in its SYN/ACK sequence number instead of holding a backlog entry, alongside larger backlogs, fewer SYN/ACK retransmissions, and filtering of spoofed traffic upstream.