How SYN Attacks Happen

In a normal message exchange, a client initiates access to your server by sending a SYN message; your server responds to the client with a SYN-ACK message. Your server retains this half-open TCP connection until the client returns an ACK (acknowledgment) message, which establishes the connection.

A SYN attack (also called "SYN flooding") occurs when your server receives a SYN message carrying an incorrect (forged) source IP address. Your system responds with a SYN-ACK message to that address and waits for an ACK reply that never arrives.

In the meantime, the intruder sends more SYN messages with incorrect IP addresses, and your server queues an entry for each of these half-open connections.

These queue entries are individually small and do not, by themselves, place extraordinary demands on your server's processing capacity; the damage comes from their number. During a SYN attack, a given TCP port reaches its limit of half-open connections and, until those entries time out and their resources are freed, answers further connection requests with a port reset. Thus the intentional proliferation of half-open connections can prevent legitimate users from gaining access to the attacked server, and it can shut down operations for an organization that depends on Internet access, such as an Internet service provider.