OMG! That was SYN Attack: How it is done and what you need to know?


Dodge the traffic!

Yeah. I am serious. Well. TCP SYN Flood attacks are quite widely known among the DDOS attacks. Let’s just dig deeper into their intricate nature and find a solution.

You see it has been more than a time of two decades since the University of Minnesota was subjected to the first DDOS attack which halted the normal working for two days. Then started a series of events which included the notable one done against Github involving a 1.35 TBps attack against the website.

That’s how SYN attacks work!

One of the gravest consequences of these DOS attacks is that it threatens the websites and servers via flooding of the targeted servers with fake traffic. This doesn’t allow legitimate traffic to access it. TCP SYN attacks at the core are attacks that aim at targeting the hosts running TCP processes and manipulates the usual TCP three-way handshake process.

Normally, in a TCP process, the communication between the server and client starts after a virtual connection has been established. The connection is initiated from the client’s end after SYN requests are sent to the server. Then the server sends SYN/ACK as a response. This SYN/ACK is an acknowledgment that the SYN request sent by the client has been received. Afterward, the client sends an ACK packet which initiates the connection for communication.

When a DDOS attack occurs, malicious actors bluff the client using several random IP addresses to send a barrage of SYN requests to the targeted server. Now the server is not intelligent enough to discern hence it assumes that these requests are legitimate and this responds with SYN/ACK. HOWEVER, the server never gets a final ACK back. What does that mean for us? Oh dear, it means that the server’s resources are tied up to half-open TCP sessions thus declining the legitimate connection requests.

Problem? Yeah. Please allow me to present some solutions.

Firstly, SYN cookies can be a great help as it helps to eliminate the state table for all the half-open connections. It utilizes the cryptographic hashing whereby the server crafts ISN (Initial Sequence Number) alongside the initial SYN-ACK flood sent to the client. Port numbers, Destination IP, Source IP, and a secret number are used to calculate this ISN. Now when the server gets an ACK from the client, the server checks it to determine its validity or legitimacy by matching the incremented ISN. After this check is complete, then memory is allocated for the connection.

Secondly, increasing the limit of the backlog can also be an effective intervention. It is because each operating system assigns a limited memory to half-open connections which causes the legitimate connections to drop. Once the limit is stretched, it will allow legitimate connections to be retained.

Lastly, utilizing firewall filters can prevent SYN attacks by detecting them timely. For instance, changing the threshold of the source can be before the firewall drops these connections from a particular source.

Happy surfing!


Please enter your comment!
Please enter your name here