ASYN flood is a form ofdenial-of-service attack ondata communications in which an attacker rapidly initiates a connection to a server without finalizing the connection. The server has to spend resources waiting for half-opened connections, which can consume enough resources to make the system unresponsive to legitimate traffic.[1][2]
Thepacket that the attacker sends is theSYN packet, a part ofTCP'sthree-way handshake used to establish a connection.[3]
When a client attempts to start aTCP connection to a server, theclient andserver exchange a series of messages which normally runs like this:
SYN (synchronize) message to the server.SYN-ACK back to the client.ACK, and the connection is established.This is called theTCP three-way handshake, and is the foundation for every connection established using the TCP protocol.
A SYN flood attack works by not responding to the server with the expectedACK code. The malicious client can either simply not send the expectedACK, or byspoofing the sourceIP address in theSYN, cause the server to send theSYN-ACK to a falsified IP address – which will not send anACK because it "knows" that it never sent aSYN.
The server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missingACK. However, in an attack, thehalf-open connections created by the malicious client bind resources on the server and may eventually exceed the resources available on the server. At that point, the server cannot connect to any clients, whether legitimate or otherwise. This effectively denies service to legitimate clients. Some systems may also malfunction or crash when other operating system functions are starved of resources in this way.
There are a number of well-known countermeasures listed in RFC 4987 including: