Common Network Attack Strategies: SYN Flooding
A SYN flood is a network attack in which the attacking device sends a stream of TCP SYN requests with the goal of overwhelming the target system. In the TCP world, your network devices are capable of handling only a limited number of connections. It is a high number, but it is limited by the device and its configuration. (SYN is an abbreviation for synchronize.)
For each SYN it receives, the target replies with a SYN-ACK and holds the connection half-open while it waits for the final ACK of the three-way handshake. What the attacking system does not do is respond to any of those returned SYN-ACK packets. Because your system has a limited number of listening connection slots, for a relatively short period of time it cannot accept a new connection: all the lines are busy waiting for ACK packets from the party that opened all the connections.
SYN flooding is a denial-of-service attack because legitimate users of the system cannot connect and do what they normally could. This attack may interrupt services, or it may be an attempt to fill log files so that the actual attack does not leave any traces.
After one of your systems has been targeted by a SYN flood, you may be able to connect to the flooded system and clear these half-open connections rather than waiting for the system to time them out and clear them on its own schedule. Although SYN flooding is an old attack, it is still effective against many systems.
Cisco devices allow you to do a few things to reduce the effectiveness of these attacks:
Increasing the TCP backlog
Reducing the SYN-RECEIVED timer
Implementing a SYN cache
Implementing SYN cookies
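How a SYN cookie lets a server answer a SYN without keeping half-open state, as an added Python illustration (this is not Cisco's implementation; the bit layout, secret key and MSS table are assumptions chosen for the demo):

```python
import hmac, hashlib, struct

# Constructed teaching example of the SYN-cookie idea: the server keeps no
# half-open entry. The initial sequence number (ISN) it places in the SYN-ACK
# encodes a coarse timestamp, an MSS index and a keyed hash of the 4-tuple.
# A later ACK is accepted only if (ack - 1) decodes and the hash verifies,
# so a flood of unanswered SYNs consumes no backlog slots.

SECRET = b"constructed-demo-secret"   # assumption: per-boot random key in practice
MSS_TABLE = [536, 1220, 1440, 1460]   # assumption: 4 encodable MSS values (2 bits used of 3)

def _mac(src_ip, src_port, dst_ip, dst_port, t):
    # 24-bit keyed hash binding the cookie to this 4-tuple and time slot
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{t}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0] & 0x00FFFFFF

def make_cookie(src_ip, src_port, dst_ip, dst_port, mss, now):
    """Return the ISN to send in the SYN-ACK; nothing is stored server-side."""
    t = (int(now) >> 6) & 0x1F                          # 64-second slot, 5 bits
    fits = [v for v in MSS_TABLE if v <= mss] or [MSS_TABLE[0]]
    m = MSS_TABLE.index(max(fits))                      # 3-bit MSS index
    return (t << 27) | (m << 24) | _mac(src_ip, src_port, dst_ip, dst_port, t)

def check_cookie(src_ip, src_port, dst_ip, dst_port, ack_num, now):
    """Validate the handshake-completing ACK; return negotiated MSS or None."""
    cookie = (ack_num - 1) & 0xFFFFFFFF                 # peer acks ISN + 1
    t, m, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0x00FFFFFF
    cur = (int(now) >> 6) & 0x1F
    if (cur - t) & 0x1F > 1:                            # older than two slots: stale
        return None
    if mac != _mac(src_ip, src_port, dst_ip, dst_port, t):
        return None                                     # forged or replayed ACK
    return MSS_TABLE[m]
```

The cost of the scheme is visible in the code: TCP options other than a coarse MSS are lost, and an ACK that arrives after the time window is rejected even if it was genuine.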