TCP is the most common transport layer protocol. It is used by many application layer protocols such as the HyperText Transfer Protocol (HTTP) and FTP. TCP is connection oriented: each end keeps per-connection state (buffers, windows and other resources) to sequence segments, acknowledge them and retransmit those that are lost.

When a normal TCP connection starts, the destination host receives a SYN (synchronize/start) segment from the source host and replies with a SYN-ACK (synchronize acknowledge). The destination host must then receive an ACK (acknowledge) of its SYN-ACK before the connection is established. This exchange is the "TCP three-way handshake."

Whenever a server receives a SYN segment from a client, it sets aside resources (e.g., memory for the connection state) in anticipation of a completed handshake and subsequent data transfer. Because these resources are finite, the server keeps only a limited number of half-open connections (SYN received, final ACK not yet seen) in its listen backlog; once that backlog is full, further SYNs are dropped.

The TCP SYN flood attack exploits this design: the attacking host generates TCP SYN segments toward the victim with random, spoofed source addresses. The victim sends a SYN-ACK back to each random source address and adds an entry to its connection queue. Because the SYN-ACK goes to a host that is wrong or does not exist, the final ACK of the three-way handshake never arrives, and the entry stays in the queue until a timer expires, typically after about a minute.

By generating these phony SYN segments from random IP addresses at a rapid rate, the attacker keeps the connection queue full and denies TCP services such as e-mail, file transfer or WWW to legitimate users, whose own SYNs are now dropped.
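The following is an added example, not code from the original article: a small model of a listener's half-open backlog that shows the mechanism described above. A legitimate handshake takes a slot and frees it when the ACK arrives; spoofed SYNs take slots that are only freed when the timer expires, so once the backlog is full a legitimate client's SYN is dropped until the entries age out. The backlog size (128), the flood rate, the timeout and the client addresses are assumed values chosen for the demonstration; the one-minute timeout follows the text.

```python
"""Model of a TCP listener's half-open (SYN) backlog under a SYN flood.

Added example; it is not the original article's code. Numbers below
(backlog, rate, addresses) are constructed for the demonstration.
"""
import random
from dataclasses import dataclass, field

SYN_TIMEOUT = 60.0  # seconds a half-open entry lives; "about one minute" per the text


@dataclass
class HalfOpen:
    src: str
    sport: int
    expires_at: float


@dataclass
class Listener:
    backlog: int                      # maximum number of half-open entries
    timeout: float = SYN_TIMEOUT
    queue: dict = field(default_factory=dict)   # (src, sport) -> HalfOpen
    established: int = 0
    dropped: int = 0

    def _expire(self, now):
        # The timer: entries whose ACK never came are removed only after timeout.
        for key in [k for k, e in self.queue.items() if e.expires_at <= now]:
            del self.queue[key]

    def on_syn(self, src, sport, now):
        self._expire(now)
        key = (src, sport)
        if key in self.queue:
            return "SYN-ACK (retransmit)"          # duplicate SYN, no new slot
        if len(self.queue) >= self.backlog:
            self.dropped += 1
            return "DROP"                          # backlog full: SYN discarded
        self.queue[key] = HalfOpen(src, sport, now + self.timeout)
        return "SYN-ACK"                           # slot reserved, SYN-ACK sent

    def on_ack(self, src, sport, now):
        self._expire(now)
        if self.queue.pop((src, sport), None) is None:
            return "RST"                           # no half-open state for this ACK
        self.established += 1                      # handshake complete, slot freed
        return "ESTABLISHED"


def legitimate_handshake(listener, src, sport, now):
    """A real client: SYN, then the ACK of the SYN-ACK shortly afterwards."""
    reply = listener.on_syn(src, sport, now)
    if reply != "SYN-ACK":
        return reply
    return listener.on_ack(src, sport, now + 0.05)


def syn_flood(listener, count, start, rate):
    """The attacker: `count` SYNs at `rate` per second from random spoofed
    source addresses. No ACK ever follows, so each slot stays taken until
    the timer expires."""
    rng = random.Random(1)  # fixed seed so the run is repeatable
    results = []
    for i in range(count):
        src = ".".join(str(rng.randint(1, 254)) for _ in range(4))  # spoofed
        sport = rng.randint(1024, 65535)
        results.append(listener.on_syn(src, sport, start + i / rate))
    return results


def demo():
    srv = Listener(backlog=128)
    # Before the flood a legitimate client (constructed address) connects.
    before = legitimate_handshake(srv, "192.0.2.10", 40000, now=0.0)
    # 500 spoofed SYNs in one second against a backlog of 128.
    flood = syn_flood(srv, 500, start=1.0, rate=500.0)
    # During the flood the backlog is full, so a legitimate SYN is dropped.
    during = legitimate_handshake(srv, "192.0.2.11", 40001, now=2.0)
    # Once the timer has expired the entries age out and service resumes.
    after = legitimate_handshake(srv, "192.0.2.12", 40002, now=2.0 + SYN_TIMEOUT)
    return {
        "before": before,
        "flood_accepted": flood.count("SYN-ACK"),
        "flood_dropped": flood.count("DROP"),
        "during": during,
        "after": after,
        "established": srv.established,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model deliberately leaves out what a real stack adds on top of this: the server retransmits the SYN-ACK several times before giving up, and most modern stacks can fall back to SYN cookies when the backlog fills, which removes the need to keep a queue entry at all. Without such a defence, the run shows the whole effect: 128 spoofed SYNs are enough to make the listener drop every later SYN for the full timeout period.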

Because the source IP address of every flood packet is forged, there is no easy way to trace the originator of the attack: the victim's SYN-ACKs go to the spoofed addresses, not back to the attacker.
