
TCP SYN Flood


Notes:

A TCP SYN flooding attack consumes your system resources until no more incoming TCP connections are possible. The attack makes use of the basic TCP 3-way handshaking protocol during connection establishment, in conjunction with IP source address spoofing.

The attacker spoofs his source address and initiates a connection to one of your TCP-based services. As a client attempting to open a TCP connection, he sends you a SYN message. Your machine responds by sending an acknowledgment, a SYN-ACK. However, in this case, the address you're replying to isn’t the attacker’s address. The final stage of TCP connection establishment, receiving an ACK in response, will never happen. Consequently, finite network connection resources are consumed. The connection remains in a half-open state until the connection attempt times out. The attacker floods your port with connection request after connection request, faster than the TCP timeouts release the resources. If this continues, all resources will be in use and no more incoming connection requests can be accepted. If the target is your SMTP port, you can’t receive email. If the target is your HTTP port, people can’t connect to your web site.
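The half-open state described above is visible on the target host, so it can be counted. The following is an added example, not part of the original notes: it reads text in the Linux `/proc/net/tcp` layout, counts entries in state `03` (SYN_RECV) per local port, and reports ports at or above a threshold. The sample table is constructed with documentation addresses, and the function names and the threshold value are assumptions.

```python
import socket
import struct
from collections import Counter

SYN_RECV = 0x03  # Linux state code: SYN received, final ACK still missing

# Constructed sample in /proc/net/tcp layout (documentation addresses, not real data).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0A0200C0:0019 016433C6:C001 03 00000000:00000000 01:00000064 00000002     0        0 0
   2: 0A0200C0:0019 026433C6:C002 03 00000000:00000000 01:00000064 00000002     0        0 0
   3: 0A0200C0:0019 036433C6:C003 03 00000000:00000000 01:00000064 00000003     0        0 0
   4: 0A0200C0:0019 0A7100CB:D431 01 00000000:00000000 00:00000000 00000000     0        0 1002
   5: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003
   6: 0A0200C0:0050 0B7100CB:E222 03 00000000:00000000 01:00000064 00000001     0        0 0
"""


def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (dotted IPv4, port); the address is little-endian hex."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def half_open_by_port(table_text):
    """Count SYN_RECV entries per local port and collect the claimed source addresses."""
    counts, sources = Counter(), {}
    for line in table_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != SYN_RECV:
            continue
        _, local_port = decode_endpoint(fields[1])
        remote_ip, _ = decode_endpoint(fields[2])
        counts[local_port] += 1
        sources.setdefault(local_port, set()).add(remote_ip)
    return counts, sources


def flooded_ports(table_text, threshold):
    """Map port -> (half-open count, distinct sources) where count >= assumed threshold."""
    counts, sources = half_open_by_port(table_text)
    return {p: (n, len(sources[p])) for p, n in sorted(counts.items()) if n >= threshold}


if __name__ == "__main__":
    for port, (n, srcs) in flooded_ports(SAMPLE, threshold=3).items():
        print(f"port {port}: {n} half-open connections from {srcs} claimed sources")
```

Because the source addresses are spoofed, the collected addresses say nothing about where the traffic really comes from; a high count spread over many distinct sources is the signal, not any individual address.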