
The Internet Carrier

TCP SYN Flood DDoS Attack

In this article, we explain what a TCP SYN Flood DDoS attack is, how it works and can be executed, and how you can protect yourself against this type of attack. We also explain how Tievolu protects against TCP SYN Flood DDoS attacks.

What is a TCP SYN Flood DDoS Attack?

A TCP SYN Flood attack (also known as a "half-open attack") is a form of Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attack. The goal of the attack is to make a server unreachable for legitimate requests by deliberately overloading its resources. The attacker sends a large number of SYN packets, which are used to initiate a TCP connection. The server then reserves resources for each incoming connection request and waits for the final acknowledgment from the client. Since this acknowledgment never arrives, many connections remain "half-open". This gradually exhausts the available ports and system resources of the server, so that legitimate users can only access the service with delays or not at all.

How Does a TCP SYN Flood DDoS Attack Work?

TCP SYN Flood attacks specifically exploit the connection establishment of a TCP connection. Under normal conditions, this establishment occurs via the so-called three-way handshake, which consists of three consecutive steps to establish a stable connection between client and server.

  • First, the client sends a SYN packet to the server to request a connection.
  • The server responds to this request with a SYN/ACK packet, confirming its readiness to communicate.
  • Finally, the client sends an ACK packet back to confirm receipt of the server's response. After this three-way handshake, the TCP connection is successfully established and both parties can exchange data.

For a Denial-of-Service attack, an attacker exploits the fact that the server reserves resources after receiving a SYN packet, sends back a SYN/ACK packet, and then waits for the final acknowledgment from the client. This behavior is exactly what the attacker takes advantage of. The process works as follows:

  • The attacker sends a large number of SYN packets to the target server, often using spoofed IP addresses to conceal the origin.
  • The server responds to each of these requests with a SYN/ACK packet and reserves resources and a connection state for each requested session.
  • While the server waits for the final ACK packet that never arrives, the attacker continuously sends more SYN requests. This causes more and more half-open connections to build up until the server's available resources and ports are exhausted. As a result, the server can no longer process legitimate connections or responds only in a limited capacity.

When a server on the network considers a connection open, but the communication partner does not complete a full connection, this is called a half-open connection. In this form of DDoS attack, the target server keeps many such incomplete connections open and waits for a timeout before releasing the occupied resources and ports. Since new half-open connections continuously accumulate, this attack technique is also called a "half-open attack".

The 3 different types of TCP SYN Flood Attacks

  • DDoS (Distributed Denial of Service)

    When an attack is carried out via a botnet, tracing back to the actual attacker is significantly more difficult, as the traffic is distributed across many compromised devices. Attackers can also manipulate or conceal the IP addresses of the sending devices to make it harder to identify the actual origin of the packets. If a botnet like the Mirai botnet is used, classic IP concealment of the attacker is often no longer necessary, as the communication already occurs via numerous infected devices that are themselves part of the attack.

  • Direct Attack

    A TCP SYN Flood attack without IP spoofing is called a direct attack. In this case, the attacker uses their real IP address and does not conceal it at all. Since the attack originates from a single source system, it is comparatively easy to detect and block. To create the half-open connection state on the target system, the attacker ensures that their computer does not respond to the server's SYN/ACK replies, for example through firewall rules that suppress outgoing responses or discard incoming SYN/ACK packets. In practice, however, this method is rarely used, as it is relatively easy to defend against – for example by blocking the single attacking IP address.

  • IP Spoofing Attack

    An attacker can additionally forge the IP address in the sent SYN packets (IP spoofing) to make defense measures more difficult and conceal their identity. Even if the packets contain manipulated sender addresses, tracing back to the actual source is still possible under certain circumstances. While this process is complex and challenging, it is not fundamentally impossible – especially when Internet Service Providers (ISPs) cooperate in analyzing and tracing network paths.

A TCP SYN Flood attack allows an attacker to create a Denial-of-Service on a target system or service with comparatively low data volume. Unlike volumetric DDoS attacks, which primarily overload network infrastructure with large amounts of data, this attack focuses on the resources of the operating system itself. It is sufficient if the number of half-open connections exceeds the capacity of the target system's so-called backlog. If the attacker can also estimate the size of this backlog and the timeout duration of open connections, the necessary parameters can be precisely determined to deliberately overload the system. This allows a Denial-of-Service to be achieved with minimal network traffic.

How to protect against a TCP SYN Flood DDoS attack?

To protect against TCP SYN Flood DDoS attacks, there are several options:

  • SYN Cookies

    This strategy involves the server using so-called cookies. To prevent the backlog from overflowing with SYN requests and causing legitimate connections to be rejected, the server initially responds to each connection request with a SYN/ACK packet but does not permanently store the request in the backlog. Instead, the associated information is temporarily discarded, keeping resources free and ports available for new connections. Only when a valid final ACK packet is received from the client is the connection confirmed as legitimate and the associated state in the backlog – with certain limitations – restored. Even if some connection information is not fully preserved, this trade-off is accepted because it prevents legitimate users from being affected by a Denial-of-Service during an attack.
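    The following is an added, self-contained illustration of how a SYN cookie lets the server verify the final ACK without having stored anything for the connection (example code written for this article, not the Linux implementation and not Tievolu's code; the bit layout, the MSS table and the secret are assumptions of the example). The server derives the initial sequence number of its SYN/ACK from a keyed hash of the connection's addresses and ports plus a coarse time counter; a legitimate client echoes that number plus one in its ACK, which is all the server needs to recompute and compare. The only per-connection detail carried through is the client's MSS, rounded down to a small table, which is the limitation mentioned above.

```python
import hashlib
import hmac
import time

# Server-side secret. Constructed for this example; a real implementation uses a
# random per-boot secret and rotates it.
SECRET = b"example-only-secret"

# Only the client's MSS survives the stateless handshake, as a 3-bit index into this
# table (rounded down). Other TCP options are lost: the limitation of SYN cookies.
MSS_TABLE = (536, 1220, 1440, 1460)

COUNTER_PERIOD = 64      # seconds per step of the time counter
MAX_COUNTER_AGE = 2      # accept ACKs for SYN/ACKs sent up to ~2 periods ago


def _counter(now):
    """5-bit time counter; it wraps, so age is computed modulo 32."""
    return int(now // COUNTER_PERIOD) & 0x1F


def _mac(src, dst, sport, dport, counter):
    """24-bit keyed hash over the connection 4-tuple and the counter."""
    msg = f"{src}|{dst}|{sport}|{dport}|{counter}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(src, dst, sport, dport, client_mss, now=None):
    """Initial sequence number for the SYN/ACK. Nothing is stored for the connection.
    Layout: [5 bits counter][3 bits MSS index][24 bits MAC]."""
    now = time.time() if now is None else now
    counter = _counter(now)
    candidates = [i for i, mss in enumerate(MSS_TABLE) if mss <= client_mss]
    idx = candidates[-1] if candidates else 0
    mac = int.from_bytes(_mac(src, dst, sport, dport, counter), "big")
    return (counter << 27) | (idx << 24) | mac


def check_cookie(src, dst, sport, dport, ack_num, now=None):
    """Validate the client's final ACK. Returns the recovered MSS when the ACK
    completes a SYN/ACK this server recently sent for this 4-tuple, else None."""
    now = time.time() if now is None else now
    cookie = (ack_num - 1) & 0xFFFFFFFF      # client acknowledges our ISN + 1
    counter = cookie >> 27
    idx = (cookie >> 24) & 0x7
    mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
    if (_counter(now) - counter) & 0x1F > MAX_COUNTER_AGE:
        return None                          # stale: any SYN/ACK was sent too long ago
    if idx >= len(MSS_TABLE):
        return None                          # index cannot have come from make_cookie
    if not hmac.compare_digest(mac, _mac(src, dst, sport, dport, counter)):
        return None                          # forged, or a different 4-tuple
    return MSS_TABLE[idx]


if __name__ == "__main__":
    # Constructed handshake: client 198.51.100.7:40000 -> server 203.0.113.10:443
    t0 = 1_000_000
    isn = make_cookie("198.51.100.7", "203.0.113.10", 40000, 443, 1460, now=t0)
    print("MSS from a genuine ACK:", check_cookie("198.51.100.7", "203.0.113.10", 40000, 443, isn + 1, now=t0))
    print("ACK with wrong number:  ", check_cookie("198.51.100.7", "203.0.113.10", 40000, 443, isn + 2, now=t0))
    print("ACK from another port:  ", check_cookie("198.51.100.7", "203.0.113.10", 40001, 443, isn + 1, now=t0))
    print("ACK five minutes late:  ", check_cookie("198.51.100.7", "203.0.113.10", 40000, 443, isn + 1, now=t0 + 320))
```

    Because the cookie depends on the 4-tuple and a short-lived counter, a flood of SYNs costs the server one hash per SYN/ACK and no backlog entry, and an attacker who never completes the handshake leaves nothing behind to time out.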

  • Increasing the Backlog

    Every operating system on a target system limits the number of simultaneously possible half-open connections. One possible response to high volumes of incoming SYN requests is to increase this limit, allowing more simultaneous connection requests. However, increasing the backlog requires additional system resources, particularly memory, for managing the open connections. If these resources are insufficient, this may impair system performance, but in many cases is still preferable to a complete service outage caused by a Denial-of-Service attack.

  • Drop the Oldest Half-Open Connection

    Another defense strategy is to discard the oldest half-open connection when the backlog is full and replace it with a new one. This method assumes that legitimate connections can be fully established faster than the backlog is filled by malicious SYN requests. Otherwise, the system continues to lose resources to uncompleted connections. The strategy is only partially effective and may fail if the attack volume is too high or the backlog is too small overall.
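    To make the half-open mechanism described earlier and the two backlog policies above concrete, here is an added simulation (example code written for this article, not Tievolu's software or any kernel's implementation). It models a listening socket's backlog with a fixed capacity and timeout, feeds it a constructed stream of SYNs whose ACKs never arrive, and checks whether one legitimate client, which answers the SYN/ACK after one round-trip time, still gets through. The `SynBacklog` class, the policy names and the constructed addresses are assumptions of the example; on Linux the system-wide limit that the "Increasing the Backlog" section refers to is the `net.ipv4.tcp_max_syn_backlog` sysctl.

```python
from collections import OrderedDict


class SynBacklog:
    """Toy model of a listening socket's queue of half-open connections.

    capacity: maximum number of half-open entries
    timeout:  seconds an entry is kept while waiting for the client's ACK
    policy:   "reject" drops new SYNs when full, "drop_oldest" evicts the oldest entry
    """

    def __init__(self, capacity, timeout, policy="reject"):
        self.capacity, self.timeout, self.policy = capacity, timeout, policy
        self.pending = OrderedDict()      # key -> expiry; insertion order == age order
        self.established = []
        self.stats = {"syn_accepted": 0, "syn_rejected": 0, "evicted": 0,
                      "expired": 0, "ack_orphaned": 0}

    def _expire(self, now):
        # All entries share one timeout, so expiry times are in insertion order.
        while self.pending:
            _, expiry = next(iter(self.pending.items()))
            if expiry > now:
                break
            self.pending.popitem(last=False)
            self.stats["expired"] += 1

    def syn(self, key, now):
        """A SYN arrived: server sends SYN/ACK and must remember the half-open state."""
        self._expire(now)
        if key in self.pending:
            return True                   # retransmitted SYN, already tracked
        if len(self.pending) >= self.capacity:
            if self.policy == "reject":
                self.stats["syn_rejected"] += 1
                return False
            self.pending.popitem(last=False)
            self.stats["evicted"] += 1
        self.pending[key] = now + self.timeout
        self.stats["syn_accepted"] += 1
        return True

    def ack(self, key, now):
        """Final ACK arrived: promote to established if the state is still there."""
        self._expire(now)
        if key in self.pending:
            del self.pending[key]
            self.established.append(key)
            return True
        self.stats["ack_orphaned"] += 1   # no matching half-open state: server would RST
        return False


def min_flood_rate(capacity, timeout):
    """SYNs per second that keep a backlog full when none are ever acknowledged."""
    return capacity / timeout


def run_flood(policy, syn_rate, duration, capacity=128, timeout=60.0, rtt=0.05):
    """Spoofed SYNs (constructed 203.0.113.x sources, never acknowledged) arrive at
    syn_rate/s for `duration` seconds. One legitimate client sends its SYN halfway
    through and its ACK one RTT later. Returns (legit_connected, stats)."""
    events = [(i / syn_rate, "syn", (f"203.0.113.{i % 254 + 1}", 1024 + i))
              for i in range(int(syn_rate * duration))]
    legit = ("198.51.100.7", 40000)
    t_syn = duration / 2
    events.append((t_syn, "syn", legit))
    events.append((t_syn + rtt, "ack", legit))
    events.sort(key=lambda e: e[0])       # stable: flood events first at equal times
    backlog = SynBacklog(capacity, timeout, policy)
    for t, kind, key in events:
        backlog.syn(key, t) if kind == "syn" else backlog.ack(key, t)
    return legit in backlog.established, backlog.stats


if __name__ == "__main__":
    print("rate needed to keep 128 entries busy with a 60 s timeout:",
          round(min_flood_rate(128, 60.0), 2), "SYN/s")
    for policy, rate, dur in [("reject", 200, 10), ("drop_oldest", 200, 10),
                              ("drop_oldest", 5000, 10), ("reject", 2, 120), ("reject", 3, 120)]:
        ok, stats = run_flood(policy, rate, dur)
        print(f"{policy:12s} {rate:5d} SYN/s for {dur:3d} s -> legit connected: {ok}  {stats}")
```

    The last two scenarios show the low-volume point made earlier: with a backlog of 128 entries and a 60-second timeout, a steady stream of just over 128/60 ≈ 2.1 unanswered SYNs per second keeps the queue full, so 2 SYN/s lets the legitimate client in and 3 SYN/s locks it out. The drop-oldest runs show that policy's condition: the legitimate entry survives only if fewer than `capacity` attacker SYNs arrive during the client's round-trip time, which holds at 200 SYN/s but not at 5000 SYN/s.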

  • Rate Limiting

    Rate limiting is a method that allows a server to limit the number of incoming SYN requests per IP address. This prevents an attacker from sending too many SYN requests and overflowing the backlog. Rate limiting is often used in routers or firewalls to prevent DDoS attacks. The rate limiting protection checks each incoming SYN packet against a predefined rule, such as a maximum number of SYN packets per source address within a given time window. If the packet exceeds the rule, it is discarded. This prevents an attacker from carrying out a Denial-of-Service attack.
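    As an added example of the rate limiting described here (not Tievolu's filter logic; the limiter class, its parameters and the traffic mix are constructed for this illustration), the following token-bucket limiter keys SYNs by source address and additionally enforces a global SYN rate. Run over the constructed traffic, it shows why the per-address check stops a direct attack from one address but not the spoofed variant from the "IP Spoofing Attack" section, where every SYN carries a different source: only the global limit catches the latter, at the cost of also dropping a legitimate SYN that arrives while that limit is exhausted.

```python
from collections import defaultdict


class SynRateLimiter:
    """Token buckets for SYN packets: one per source address plus one global bucket.
    A bucket holds at most `burst` tokens and refills at `rate` tokens per second;
    a SYN is accepted only if both its source bucket and the global bucket have a token."""

    def __init__(self, per_source_rate, per_source_burst, global_rate, global_burst):
        self.cfg_src = (per_source_rate, per_source_burst)
        self.cfg_glob = (global_rate, global_burst)
        self.buckets = defaultdict(lambda: [per_source_burst, None])   # [tokens, last_ts]
        self.glob = [global_burst, None]

    @staticmethod
    def _refill(bucket, rate, burst, now):
        tokens, last = bucket
        if last is not None:
            tokens = min(burst, tokens + (now - last) * rate)
        bucket[0], bucket[1] = tokens, now
        return tokens

    def allow(self, src, now):
        """Return True if the SYN from `src` at time `now` may reach the TCP stack."""
        src_bucket = self.buckets[src]
        src_ok = self._refill(src_bucket, *self.cfg_src, now) >= 1
        glob_ok = self._refill(self.glob, *self.cfg_glob, now) >= 1
        if src_ok and glob_ok:
            src_bucket[0] -= 1
            self.glob[0] -= 1
            return True
        return False                      # dropped: no token consumed anywhere


def build_sample_traffic():
    """Constructed SYN stream as (timestamp, source address, label), in arrival order."""
    events = [(t, "198.51.100.7", "legit") for t in (1.0, 2.0, 3.0)]
    events += [(10.0, "192.0.2.66", "direct")] * 200            # direct attack, one real source
    events += [(20.0, f"10.{i // 256}.{i % 256}.1", "spoofed")  # spoofed: new source per SYN
               for i in range(200)]
    events.append((20.0, "198.51.100.7", "legit"))              # legitimate SYN mid-flood
    events.append((21.0, "198.51.100.7", "legit"))              # one second later
    return events


def simulate(events, limiter):
    """Run the stream through the limiter; returns {label: (accepted, dropped)}."""
    counts = defaultdict(lambda: [0, 0])
    for now, src, label in events:
        counts[label][0 if limiter.allow(src, now) else 1] += 1
    return {label: tuple(v) for label, v in counts.items()}


if __name__ == "__main__":
    # 5 SYN/s with a burst of 10 per source; 50 SYN/s with a burst of 100 overall
    limiter = SynRateLimiter(per_source_rate=5, per_source_burst=10, global_rate=50, global_burst=100)
    for label, (accepted, dropped) in simulate(build_sample_traffic(), limiter).items():
        print(f"{label:8s} accepted={accepted:4d} dropped={dropped:4d}")
```

    The direct flood is cut to its burst allowance (10 of 200) by the per-source bucket alone, while all 200 spoofed SYNs pass the per-source check and only the global bucket limits them to 100. The legitimate SYN at t=20.0 is collateral damage of that global limit; one second later the bucket has refilled and the client gets through. This is the reason per-address rate limiting is usually combined with SYN cookies rather than relied on by itself.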

How Tievolu protects your network against TCP SYN Flood DDoS attacks

Tievolu PYRUS DDoS Protection

Tievolu protects against TCP SYN Flood attacks with the in-house developed DDoS Protection "Tievolu PYRUS". All TCP traffic is continuously monitored and automatically filtered when necessary. An integrated AI and ML-based system detects unusual patterns and anomalies and responds within seconds with appropriate countermeasures. Various parameters are taken into account to ensure the most precise and effective defense possible. When a TCP SYN Flood attack is identified, the DDoS Protection recognizes the characteristic attack pattern and automatically creates filter rules that are implemented in the corresponding filter appliances. This allows known attack sources to be automatically detected and blocked without requiring manual intervention.

Tievolu Cloud Firewall

Alternatively, customers can activate an additional layer of protection against TCP SYN Flood attacks through our Cloud Firewall. In the Cloud Firewall, specific TCP filter rules can be configured that specifically capture only SYN packets. These rules can also be combined with various rate-limiting mechanisms to limit the number of incoming requests. Additionally, filters can be extended with ASN or geographic blocks (geo-blocking) to reduce suspicious or unwanted traffic at an early stage.


Start protecting your network today

Contact our expert Collin Schneeweiß today to protect your network from DDoS attacks and get your personal offer.
