A SYN Flood attack is a type of Distributed Denial of Service (DDoS) attack that targets the handshake process of the Transmission Control Protocol (TCP).
In a standard TCP handshake, a client initiates a connection by sending a SYN (synchronize) packet to the server. The server responds with a SYN-ACK (synchronize-acknowledge) packet, and the client completes the handshake with an ACK (acknowledge) packet. A SYN Flood attack disrupts this process by sending a flood of SYN packets to the server but never completing the handshake. The server, waiting for the final ACK packet, keeps the connection open, consuming its resources and connection slots.
What SYN Floods Look Like in Server Logs
1. High Volume of SYN Requests
A SYN Flood attack generates an excessive number of SYN packets, often from spoofed IP addresses, overwhelming the server.
Log Example (Firewall Logs):
[Nov 21 17:00:01] SRC=192.168.1.101 DST=10.0.0.1 PROTO=TCP SPT=12345 DPT=80 FLAGS=SYN
[Nov 21 17:00:02] SRC=192.168.1.102 DST=10.0.0.1 PROTO=TCP SPT=12346 DPT=80 FLAGS=SYN
[Nov 21 17:00:02] SRC=192.168.1.103 DST=10.0.0.1 PROTO=TCP SPT=12347 DPT=80 FLAGS=SYN
[Nov 21 17:00:03] SRC=192.168.1.104 DST=10.0.0.1 PROTO=TCP SPT=12348 DPT=80 FLAGS=SYN
Signs:
- Numerous SYN packets without corresponding ACKs from the client.
- High volume of connection attempts to a specific port, such as port 80 (HTTP) or 443 (HTTPS).
2. Incomplete Handshakes
The server may show many half-open connections waiting for the final ACK to complete the handshake.
Log Example (Connection Monitoring Tools):
Proto Recv-Q Send-Q Local Address    Foreign Address        State
tcp       10      0 10.0.0.1:80      192.168.1.101:12345    SYN_RECV
tcp       10      0 10.0.0.1:80      192.168.1.102:12346    SYN_RECV
tcp       10      0 10.0.0.1:80      192.168.1.103:12347    SYN_RECV
Signs:
- Large numbers of connections in the SYN_RECV state.
- Server resource usage spikes, including CPU and memory, as it handles the half-open connections.
3. Spoofed IP Addresses
Attackers often use spoofed source IP addresses to hide their identity and make mitigation more challenging.
Log Example (Firewall Logs):
[Nov 21 17:01:01] SRC=10.0.0.1 DST=192.168.1.100 PROTO=TCP SPT=12345 DPT=80 FLAGS=SYN
[Nov 21 17:01:02] SRC=172.16.0.1 DST=192.168.1.100 PROTO=TCP SPT=12346 DPT=80 FLAGS=SYN
[Nov 21 17:01:03] SRC=192.0.2.1 DST=192.168.1.100 PROTO=TCP SPT=12347 DPT=80 FLAGS=SYN
Signs:
- Source IPs vary widely, often appearing to be random or from unreachable locations.
- Many IPs may not respond if you attempt to ping or trace them.
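As an added example (not part of the original article), the following Python script parses firewall lines in the format shown above, pairs each SYN with any later ACK for the same flow, and flags a destination port when many half-open flows arrive from many distinct sources; it also counts SYN_RECV sockets in netstat-style output. The sample log, its acknowledged flow and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Regex for the firewall log format shown above (constructed to match it).
LOG_RE = re.compile(r"\[(?P<ts>[^\]]+)\] SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP "
                    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)")

# Constructed sample: four bare SYNs to port 80 plus one SYN that is acknowledged.
SAMPLE_LOG = """\
[Nov 21 17:00:01] SRC=192.168.1.101 DST=10.0.0.1 PROTO=TCP SPT=12345 DPT=80 FLAGS=SYN
[Nov 21 17:00:02] SRC=192.168.1.102 DST=10.0.0.1 PROTO=TCP SPT=12346 DPT=80 FLAGS=SYN
[Nov 21 17:00:02] SRC=192.168.1.103 DST=10.0.0.1 PROTO=TCP SPT=12347 DPT=80 FLAGS=SYN
[Nov 21 17:00:03] SRC=192.168.1.104 DST=10.0.0.1 PROTO=TCP SPT=12348 DPT=80 FLAGS=SYN
[Nov 21 17:00:03] SRC=192.168.1.50 DST=10.0.0.1 PROTO=TCP SPT=40000 DPT=80 FLAGS=SYN
[Nov 21 17:00:03] SRC=192.168.1.50 DST=10.0.0.1 PROTO=TCP SPT=40000 DPT=80 FLAGS=ACK
"""

def parse(log_text):
    """Yield one dict per line that matches LOG_RE; other lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()

def half_open_flows(records):
    """Return the (src, spt, dst, dpt) flows whose SYN was never followed by an ACK."""
    syn_seen, completed = set(), set()
    for r in records:
        flow = (r["src"], r["spt"], r["dst"], r["dpt"])
        if r["flags"] == "SYN":
            syn_seen.add(flow)
        elif "ACK" in r["flags"] and flow in syn_seen:
            completed.add(flow)   # handshake finished, so not part of a flood
    return syn_seen - completed

def syn_flood_report(log_text, min_half_open=3, min_sources=3):
    """Per (dst, dpt): half-open count, distinct sources and a 'suspect' verdict.
    Both thresholds are constructed for this small sample; tune them to real traffic."""
    counts, sources = defaultdict(int), defaultdict(set)
    for src, _spt, dst, dpt in half_open_flows(parse(log_text)):
        counts[(dst, dpt)] += 1
        sources[(dst, dpt)].add(src)
    return {key: {"half_open": n, "distinct_sources": len(sources[key]),
                  "suspect": n >= min_half_open and len(sources[key]) >= min_sources}
            for key, n in counts.items()}

def count_syn_recv(netstat_text):
    """Count sockets in SYN_RECV, the half-open state shown in the netstat output above."""
    return sum(1 for line in netstat_text.splitlines() if line.split()[-1:] == ["SYN_RECV"])
```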
Mitigating SYN Flood Attacks with WAF and CDN Technologies
Web Application Firewalls (WAFs) and Content Delivery Networks (CDNs) help mitigate SYN Flood attacks by filtering malicious traffic and protecting server resources. WAFs analyze incoming traffic to detect patterns associated with SYN Floods, such as repeated incomplete TCP handshakes or excessive SYN packets from the same source. They enforce rate-limiting rules to restrict connection attempts per IP, reducing the load from attackers. Modern WAFs also use machine learning to detect anomalies and block spoofed IP addresses, preventing malicious traffic from overwhelming the origin server.
WAF technologies offer:
- Traffic Filtering: Blocks malicious SYN packets by identifying unusual connection patterns and traffic behaviors. This prevents attack traffic from reaching the server and consuming resources.
- Rate Limiting: Caps the number of connection attempts allowed per IP or subnet in a set time frame. This reduces the impact of high-frequency connection floods.
- Anomaly Detection: Uses behavioral analysis and machine learning to identify irregular traffic patterns. It adapts to new attack methods to block emerging threats.
- Spoofed IP Blocking: Identifies and blocks SYN packets originating from forged or unresponsive IP addresses. This ensures the server only interacts with valid sources.
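As an added example, not taken from the article or from any WAF product, here is a sliding-window limiter that caps connection attempts per source IP and per /24 subnet, the Rate Limiting behaviour described above; the caps, window and sample attempts are constructed values. A per-IP cap alone does little when sources are widely spoofed, which is why the subnet cap here, and handshake completion by a proxy, still matter.

```python
from collections import defaultdict, deque
from ipaddress import ip_network

class SynRateLimiter:
    """Sliding-window cap on connection attempts per source IP and per subnet.
    Default caps and window are constructed for illustration, not vendor defaults."""

    def __init__(self, per_ip=5, per_subnet=20, window_seconds=1.0, prefix=24):
        self.per_ip, self.per_subnet = per_ip, per_subnet
        self.window, self.prefix = window_seconds, prefix
        self.ip_hits = defaultdict(deque)    # src ip  -> attempt times inside window
        self.net_hits = defaultdict(deque)   # subnet  -> attempt times inside window

    def _trim(self, q, now):
        """Drop timestamps that have aged out of the window."""
        while q and now - q[0] >= self.window:
            q.popleft()

    def allow(self, src_ip, now):
        """Return True if a SYN from src_ip at time `now` is within both caps."""
        net = ip_network(f"{src_ip}/{self.prefix}", strict=False)
        ipq, netq = self.ip_hits[src_ip], self.net_hits[net]
        self._trim(ipq, now)
        self._trim(netq, now)
        if len(ipq) >= self.per_ip or len(netq) >= self.per_subnet:
            return False   # over cap: reject before allocating a half-open slot
        ipq.append(now)
        netq.append(now)
        return True

def simulate(limiter, attempts):
    """attempts: iterable of (time, src_ip). Returns (allowed, blocked) counts."""
    allowed = blocked = 0
    for t, ip in attempts:
        if limiter.allow(ip, t):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked

# Constructed burst: one host hammering, then four hosts from one /24 in the same second.
BURST = [(0.0, "192.168.1.101")] * 3 + [(0.5, f"192.168.1.{n}") for n in (102, 103, 104, 105)]
```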
CDNs complement WAFs by distributing traffic across their global network, ensuring that no single server is overloaded. CDNs absorb large volumes of SYN packets and can complete the TCP handshake process on behalf of the origin server, preventing half-open connections from consuming server resources. Together, WAFs and CDNs provide layered protection, combining traffic filtering and load distribution to effectively mitigate SYN Flood attacks and maintain service availability.
CDN technologies offer:
- Traffic Distribution: Spreads incoming traffic across multiple servers in the CDN’s network. This prevents localized server overloads and balances the load effectively.
- Edge Filtering: Blocks malicious SYN packets at the network edge, stopping them before they reach the origin server. This reduces the server’s processing burden.
- Connection Absorption: Handles large numbers of incoming SYN packets, mitigating the volume of attack traffic. This ensures server availability for legitimate users.
- TCP Proxying: Completes the TCP handshake process on behalf of the origin server, eliminating half-open connections. This preserves server resources for valid traffic.