
SYN Flood Attack

In the normal course of a TCP connection, a SYN (TCP connection request) is sent to a target computer. When the target computer receives the SYN, it sends a SYN_RECEIVED message back to the machine that sent the SYN (reading the IP source address of the originating packet). The target computer then waits for the machine that originated the request to send back a SYN_ACK upon receipt of its SYN_RECEIVED message (this SYN-RECEIVED state is saved in a buffer either until the ACK is received or until the request has been waiting for a particular finite period of time and is then purged). When this "three-way" handshake is completed, data can travel freely between the two computers.

During a SYN Flood Attack, a SYN is sent to the target computer, but the source IP address is spoofed. The target computer attempts to send its SYN_RECEIVED message back to the originating IP address of the SYN; because the address is spoofed, however, this message will either be sent to an IP address that does not exist or to a computer that did not send the original SYN (and will therefore ignore the message). When this occurs, the target machine may send several more SYN_RECEIVED messages and wait for a finite time for a SYN_ACK that will never come, storing this information in a buffer. The more of these spoofed packets are sent to the target computer, the more system resources are used on it. Once the limit is reached for a given TCP port, the target computer responds by resetting all further connection requests until system resources are freed. The result of this attack is a Denial of Service.
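The buffered half-open entries described above can be counted per port on the target to spot the condition early. The following is an added example, not part of the original glossary entry; it assumes a Linux host, where `/proc/net/tcp` lists half-open connections with state code `03`, and the sample rows and the threshold are constructed for illustration.

```python
from collections import Counter

SYN_RECV = 0x03  # Linux state code for a half-open (SYN received) entry

# Constructed sample in /proc/net/tcp layout, trailing columns trimmed.
# Addresses are documentation ranges, not data from a real host.
SAMPLE = """\
  sl  local_address rem_address   st
   0: 00000000:0050 00000000:0000 0A
   1: 0A0200C0:0050 016433C6:9C40 03
   2: 0A0200C0:0050 026433C6:9C41 03
   3: 0A0200C0:0050 036433C6:9C42 03
   4: 0A0200C0:0050 046433C6:9C43 03
   5: 0A0200C0:0050 0A7100CB:D431 01
   6: 0A0200C0:01BB 056433C6:9C44 03
"""

def parse_addr(hexaddr):
    """Decode 'IPHEX:PORTHEX' into (dotted IPv4, port)."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = bytes.fromhex(ip_hex)[::-1]  # IPv4 is stored little-endian
    return ".".join(str(b) for b in octets), int(port_hex, 16)

def half_open_by_port(text):
    """Count entries in the SYN-received state per local TCP port."""
    counts = Counter()
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated row
        if int(fields[3], 16) != SYN_RECV:
            continue  # listening, established, etc.
        _, port = parse_addr(fields[1])
        counts[port] += 1
    return counts

def flag_ports(text, threshold):
    """Ports whose half-open count meets the (hypothetical) alert threshold."""
    return sorted(p for p, n in half_open_by_port(text).items() if n >= threshold)

if __name__ == "__main__":
    print(dict(half_open_by_port(SAMPLE)))
    print(flag_ports(SAMPLE, threshold=3))
```

On a live system the same functions can be fed the contents of `/proc/net/tcp`, with the threshold chosen relative to the listener's configured backlog.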

