
Understanding a SYN flood


by Russ Rogers - 10/20/99

SYN flooding is a quick and dirty way to send a network machine into a frenzy. Although this attack is a little dated, the underlying concept is a denial of network service to the target machine. To understand a SYN flood, we first need to understand a little bit of basic TCP communication.

Suppose you're sitting at your computer at home. You're attached to a cable modem on your local ISP and you decide to make a connection to a remote machine. Your machine sends a SYN packet to a port on the remote machine, requesting a connection. The next step is a SYN/ACK packet from the target computer back to your machine that indicates the port is available and waiting for your further communication. At this point, in a normal connection, your machine would send back an ACK packet indicating that you're ready to send your traffic across.

In order to successfully use this attack, we need to send a FAKE IP address to the target along with our original SYN request. Not only does it need to be fake, it needs to be an IP address that is currently unreachable. If the IP belongs to another machine that is actually available on the network, that machine will reply with a RST (reset) packet telling the target computer that there was apparently a communication error and to reset its port to listen mode.

What happens if the target machine sends that SYN/ACK to the fake IP address and doesn't receive a reply? At this point, the target port will have been dedicated to communicating with a computer at the fake IP address. If it does not receive the next ACK packet, it will have to wait for the timeout counter to expire before it can reset the port. This effectively eliminates that port from being used for network traffic until the timer expires.

Timeout counters vary in the amount of time they wait before resetting the port, but it used to be relatively easy to deny network service by sending packets to the target machine every couple of minutes. However, this attack is well documented now and can be blocked in intrusion detection systems, firewalls, and the client operating system on the target machine. What you're relying on here is the failure of the person owning the target machine to protect against this attack.

You can also reduce the timeout counter on most operating systems. Reducing the timeout period simply means that the target machine will not have to wait as long before it can reset the port. It won't eliminate the effects of the SYN flood.
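The following simulation is an added example, not code from the original article: it models the listener state described above (a slot reserved on SYN/ACK until the final ACK or a timeout) and shows why shortening the timeout helps a legitimate client get through later but does not stop the first connection attempt from failing. The capacity of four slots, the timeout values and every address and packet in the trace are constructed for illustration.

```python
"""Half-open connection table simulation (added example, not from the
original article). It models the state the article describes: a listener
that answers SYN with SYN/ACK and holds a slot until the final ACK arrives
or the timeout counter expires. All packets below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Listener:
    capacity: int      # slots for half-open (SYN_RCVD) connections
    timeout: float     # seconds a slot waits for the final ACK
    half_open: dict = field(default_factory=dict)   # (src, sport) -> expiry
    accepted: list = field(default_factory=list)

    def expire(self, now):
        # free every slot whose timeout counter has run out
        for key in [k for k, t in self.half_open.items() if t <= now]:
            del self.half_open[key]

    def packet(self, now, src, sport, flags):
        self.expire(now)
        key = (src, sport)
        if flags == "SYN":
            if len(self.half_open) >= self.capacity:
                return "DROP"                # backlog full: new SYN is lost
            self.half_open[key] = now + self.timeout
            return "SYN/ACK"                 # slot now reserved for this peer
        if flags == "ACK" and key in self.half_open:
            del self.half_open[key]
            self.accepted.append(key)
            return "ESTABLISHED"
        if flags == "RST" and key in self.half_open:
            del self.half_open[key]          # a reachable host replied RST
            return "RESET"
        return "IGNORE"


def run_flood(timeout):
    """Constructed trace: four SYNs from unreachable spoofed sources at t=0..3
    (so no ACK or RST ever returns), then a legitimate client 10.0.0.5 trying
    to connect at t=10 and again at t=100. Returns the listener's reply to
    each of the client's SYNs and how many connections were accepted."""
    srv = Listener(capacity=4, timeout=timeout)
    for i in range(4):
        srv.packet(i, f"192.0.2.{i + 1}", 40000 + i, "SYN")
    first = srv.packet(10, "10.0.0.5", 50000, "SYN")
    srv.packet(10.1, "10.0.0.5", 50000, "ACK")
    later = srv.packet(100, "10.0.0.5", 50001, "SYN")
    srv.packet(100.1, "10.0.0.5", 50001, "ACK")
    return first, later, len(srv.accepted)
```

With a 180-second timeout both of the client's attempts are dropped; with a 30-second timeout the slots have been freed by t=100 and the second attempt succeeds, which is exactly the partial relief the paragraph above describes.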

We're not providing specific information on how to perform this attack. If you're a programmer, it shouldn't be too difficult to churn up the code that can reproduce this attack. There is also software out there that can do this for you, but the attack is fast becoming obsolete.