
TCP "SYN" Attack

TCP "SYN" Attack is also known as SYN Flooding. It takes advantage of how hosts implement the TCP three-way handshake. When Host B receives a SYN from Host A, it replies with a SYN-ACK and must keep state for the half-open connection in its "listen queue" (the SYN backlog) until the final ACK arrives or the entry times out. The classic figure for that timeout is 75 seconds; on current systems it is typically tens of seconds, determined by how many times the SYN-ACK is retransmitted before the entry is dropped. Many implementations can only keep track of a limited number of half-open connections. A malicious host exploits the small size of the listen queue by sending many SYN requests, usually with spoofed source addresses so that the SYN-ACKs go to hosts that will never answer, and never completing the handshake. The victim's listen queue fills quickly, and it stops accepting new connections until a half-open entry completes or times out. The ability to take a host's service off the network for the length of the timeout can be used directly as a denial-of-service attack, or as a building block for other attacks such as IP spoofing, where a trusted host is silenced so that it cannot reset the connection while the attacker impersonates it.

The TCP SYN attack is one of the main attacks used for network-based Denial of Service (DoS) and Distributed Denial of Service (DDoS).
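The symptom described above is visible in the host's socket table: a listen queue that is nearly full of half-open connections from many different sources, none of which ever complete the handshake. The following script is an added example (not code from the original page) that reads lines in the format printed by Linux `ss -tan`, counts SYN-RECV entries per listening socket, and compares the count with the backlog that ss reports in the Send-Q column of the LISTEN line. The sample socket table it runs on is constructed for illustration, not captured from a real host.

```python
"""Spot a SYN flood in socket-table output (added example, not from the page).

Parses lines in the format printed by `ss -tan` on Linux and counts half-open
connections (state SYN-RECV) per listening socket, comparing the count with
the accept backlog that ss reports in the Send-Q column of the LISTEN line.
The sample is constructed for illustration.  Live use: `ss -tan | python3 syn_check.py`
"""
import sys
from collections import defaultdict

WILDCARDS = ("0.0.0.0", "*", "[::]", "::")


def build_sample(n_flood=100):
    """Constructed `ss -tan` output: port 80 receives a flood of SYNs from many
    distinct (spoofed-looking) sources that never complete the handshake, while
    port 22 sees ordinary traffic.  Not captured from a real host."""
    lines = [
        "State    Recv-Q Send-Q Local Address:Port  Peer Address:Port",
        "LISTEN   0      128    0.0.0.0:80          0.0.0.0:*",
        "LISTEN   0      128    0.0.0.0:22          0.0.0.0:*",
        "ESTAB    0      0      10.0.0.5:22         192.0.2.10:55000",
        "SYN-RECV 0      0      10.0.0.5:22         192.0.2.11:55001",
    ]
    for i in range(n_flood):
        # a different source address and port for every SYN (documentation range 203.0.113.0/24)
        lines.append(f"SYN-RECV 0      0      10.0.0.5:80         203.0.113.{i % 254 + 1}:{40000 + i}")
    return "\n".join(lines)


def parse_ss(text):
    """Return (backlogs, half_open): the listen backlog per LISTEN socket and
    the list of peer addresses currently in SYN-RECV per local socket."""
    backlogs = {}
    half_open = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue  # header or blank line
        state, _recv_q, send_q, local, peer = parts[:5]
        if state == "LISTEN":
            backlogs[local] = int(send_q)  # for a listener ss prints the backlog limit here
        elif state == "SYN-RECV":
            half_open[local].append(peer.rsplit(":", 1)[0])
    return backlogs, dict(half_open)


def backlog_for(backlogs, local):
    """Find the listener that owns a half-open socket: exact address first,
    then the wildcard listeners on the same port."""
    if local in backlogs:
        return backlogs[local]
    port = local.rsplit(":", 1)[1]
    for wildcard in WILDCARDS:
        key = f"{wildcard}:{port}"
        if key in backlogs:
            return backlogs[key]
    return None


def syn_flood_report(text, ratio=0.75):
    """Map each local socket whose half-open count reaches `ratio` of its
    backlog to (half_open, backlog, distinct_sources).  A nearly full queue
    fed by many distinct sources that never finish the handshake is the
    signature of a spoofed-source SYN flood."""
    backlogs, half_open = parse_ss(text)
    flagged = {}
    for local, peers in half_open.items():
        backlog = backlog_for(backlogs, local)
        if backlog and len(peers) >= ratio * backlog:
            flagged[local] = (len(peers), backlog, len(set(peers)))
    return flagged


if __name__ == "__main__":
    text = build_sample() if sys.stdin.isatty() else sys.stdin.read()
    for local, (count, backlog, sources) in syn_flood_report(text).items():
        print(f"{local}: {count} half-open of backlog {backlog}, {sources} distinct sources")
```

The ratio threshold is a judgement call; the distinct-source count is the more telling number, since a handful of slow but legitimate clients does not produce a hundred different addresses stuck in SYN-RECV. On a kernel with SYN cookies enabled the queue stops growing once it is full, so the count saturates at the backlog; the `netstat -s` counters for SYN cookies sent and SYNs dropped on listen sockets then show the flood continuing.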

TCP "SYN" Attack Mitigation

The TCP SYN attack can be reduced (if not completely eliminated) by deploying firewalls at critical points of the network to filter unwanted traffic and traffic from untrusted sources. Note that a stateful firewall keeps its own connection table and can be exhausted by the same flood unless it limits or intercepts incoming SYNs itself.

For internal network devices, it is easy to prevent SYN attacks with firewalls, since access lists can explicitly limit inbound access to a select few IP addresses. In the case of a public web server or mail server facing the Internet, there is no way to know in advance which incoming source addresses are friendly and which are unfriendly, and the addresses in a flood are usually spoofed anyway. Therefore, there is no clear-cut defense against an attack from random IP addresses. Several options are available to hosts:

  • Increase the size of the connection queue (the SYN backlog).
  • Decrease the timeout for completing the three-way handshake (on most systems, the number of times the SYN-ACK is retransmitted before the half-open entry is dropped).
  • Employ vendor software patches to detect and circumvent the problem, where available. The most widely deployed one is SYN cookies (RFC 4987), which encode the half-open state in the server's initial sequence number so that no queue entry is needed until the client's final ACK arrives.

You should contact your host vendor to see if they have created specific patches to address the TCP SYN attack. Note that the first two options only raise the cost of the attack: a larger queue or a shorter timeout can still be filled by a higher SYN rate.
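The first two options can be sized rather than guessed. A half-open entry lives until the final ACK arrives or the SYN-ACK retransmissions are exhausted; on Linux the retransmission interval starts at the initial RTO of 1 second and doubles each time, so the default of 5 retransmissions holds an entry for 1+2+4+8+16+32 = 63 seconds (the 75-second figure quoted above is the classic BSD value). With SYNs arriving at a steady rate and none completing, the queue settles at rate multiplied by hold time and is exhausted when that exceeds the backlog. The following is an added example (not code from the original page) that works this out and emits the corresponding Linux sysctl settings for all three options; the SYN rates and backlog sizes in it are assumed for illustration.

```python
"""Size the half-open queue against a SYN flood (added example, not from the page).

Models the listen queue under a steady stream of SYNs that never complete:
each entry is held until the SYN-ACK retransmissions run out, so the queue
settles at syn_rate x hold_time and is exhausted when that exceeds the backlog.
The rates and backlog sizes used below are assumed for illustration.
"""


def half_open_hold_seconds(synack_retries, initial_rto=1.0):
    """Seconds a half-open entry survives: the initial SYN-ACK plus
    `synack_retries` retransmissions with exponential backoff, the entry being
    dropped when the last retransmission's timer expires (Linux: 5 -> 63 s)."""
    return sum(initial_rto * 2 ** k for k in range(synack_retries + 1))


def assess(syn_rate, backlog, synack_retries, initial_rto=1.0):
    """Steady-state half-open occupancy for an unanswered SYN stream and
    whether it exhausts a queue of size `backlog`."""
    hold = half_open_hold_seconds(synack_retries, initial_rto)
    demand = syn_rate * hold
    exhausted = demand > backlog
    return {
        "hold_seconds": hold,
        "steady_state_half_open": demand,
        "exhausted": exhausted,
        # starting from an empty queue, it fills after backlog / rate seconds
        "seconds_to_fill": backlog / syn_rate if exhausted else None,
    }


def sysctl_lines(backlog, synack_retries, syncookies=True):
    """Linux sysctl settings for the three host-side options: a larger SYN
    queue, fewer SYN-ACK retransmissions, and SYN cookies (RFC 4987), which
    let the kernel answer SYNs without queue state once the queue is full."""
    return [
        f"net.ipv4.tcp_max_syn_backlog = {backlog}",   # bound on the half-open (SYN) queue
        f"net.core.somaxconn = {backlog}",             # cap on the accept backlog listen() may request
        f"net.ipv4.tcp_synack_retries = {synack_retries}",
        f"net.ipv4.tcp_syncookies = {1 if syncookies else 0}",
    ]


if __name__ == "__main__":
    for retries in (5, 2):
        for rate in (10, 50, 500):
            r = assess(syn_rate=rate, backlog=1024, synack_retries=retries)
            print(f"retries={retries} rate={rate}/s hold={r['hold_seconds']:.0f}s "
                  f"occupancy={r['steady_state_half_open']:.0f} exhausted={r['exhausted']}")
    print("\n".join(sysctl_lines(backlog=4096, synack_retries=2)))
```

The numbers make the limitation concrete: at 50 SYNs per second a backlog of 1024 with the default 5 retransmissions is gone in about 20 seconds, cutting retransmissions to 2 keeps occupancy at 350, and a tenfold higher rate exhausts it again. Only SYN cookies remove the dependence on queue size, at the cost of losing TCP options that were in the original SYN when the cookie path is used.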


Related Terms: IPsec VPN, Firewall, TCP SYN Attack, Denial of Service, DDOS, TCP, UDP