The TCP SYN attack is possible because establishing a TCP connection involves a so-called three-way handshake. The client starts the connection by sending a packet with the SYN flag set; this packet also carries the client's Initial Sequence Number (ISN). The server replies with a packet that has both the SYN and the ACK flags set; it acknowledges the client's ISN and announces the server's own ISN. The connection is finalized when the client replies with an ACK packet that acknowledges the server's ISN. For the server to verify that the final ACK is indeed a reply to its SYN-ACK, it has to compare the acknowledged sequence number with the ISN it sent to the client; it therefore has to create state when the SYN-ACK is sent and keep it for some time, either until the final ACK arrives or until the entry times out. An attacker thus merely needs to send large numbers of SYN packets (possibly with spoofed source addresses), ignore the victim's SYN-ACK replies, and never finalize the connections. After a while, the victim's finite connection backlog is full and no further TCP connections to the attacked port can be accepted.
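The following added example (not code from the original text) models the server-side state the paragraph describes: a bounded, time-limited table of half-open connections that is filled when a SYN is answered with a SYN-ACK and drained when the matching final ACK arrives or the entry times out. It replays a constructed packet trace in which a burst of SYNs from sources that never reply fills the backlog, and it includes a simple defender-side indicator based on the fraction of accepted SYNs that never complete. The backlog size, the timeout, the ISN generator, the detector threshold and the `replay`/`suspect_flood` helpers are all assumptions made for the illustration.

```python
# Added illustration (not from the original text): a model of the per-port
# backlog of half-open TCP connections that the three-way handshake forces a
# server to keep, replayed over a constructed packet trace. Capacity, timeout,
# the ISN generator and the detector threshold are assumed values.
from dataclasses import dataclass


@dataclass
class HalfOpen:
    """State kept from SYN-ACK sent until the final ACK arrives or it times out."""
    client_isn: int
    server_isn: int
    created: float


class SynBacklog:
    """Per-port table of half-open connections, bounded in size and lifetime."""

    def __init__(self, capacity=8, timeout=30.0):
        self.capacity = capacity          # assumed backlog size
        self.timeout = timeout            # assumed half-open lifetime (seconds)
        self.pending = {}                 # src -> HalfOpen
        self.established = 0
        self.dropped_syn = 0              # SYNs refused because the backlog was full
        self.expired = 0                  # entries that timed out without a final ACK
        self._next_isn = 1000             # stand-in for a real ISN generator

    def expire(self, now):
        stale = [k for k, h in self.pending.items() if now - h.created > self.timeout]
        for k in stale:
            del self.pending[k]
            self.expired += 1

    def on_syn(self, src, client_isn, now):
        """Return the server ISN placed in the SYN-ACK, or None if no slot is free."""
        self.expire(now)
        if len(self.pending) >= self.capacity:
            self.dropped_syn += 1
            return None
        self._next_isn += 64000
        self.pending[src] = HalfOpen(client_isn, self._next_isn, now)
        return self._next_isn

    def on_ack(self, src, ack_num, now):
        """Accept the final ACK only if it acknowledges the ISN sent to this client."""
        self.expire(now)
        h = self.pending.get(src)
        if h is None or ack_num != h.server_isn + 1:
            return False
        del self.pending[src]
        self.established += 1
        return True


def replay(trace, capacity=8, timeout=30.0):
    """Feed (time, kind, src) events to a backlog. An ACK event models a client
    that really received the SYN-ACK, so it echoes server_isn + 1; sources that
    never send an ACK model spoofed or silent peers."""
    bl = SynBacklog(capacity, timeout)
    sent_synack = {}
    outcomes = []
    for t, kind, src in trace:
        if kind == "SYN":
            isn = bl.on_syn(src, client_isn=1, now=t)
            if isn is not None:
                sent_synack[src] = isn
            outcomes.append((t, kind, src, isn))
        elif kind == "ACK":
            ok = bl.on_ack(src, sent_synack.get(src, 0) + 1, t)
            outcomes.append((t, kind, src, ok))
    return bl, outcomes


def suspect_flood(bl, min_syns=10, max_incomplete=0.5):
    """Defender-side indicator: too many accepted SYNs that never completed."""
    accepted = bl.established + bl.expired + len(bl.pending)
    if accepted < min_syns:
        return False
    return (bl.expired + len(bl.pending)) / accepted > max_incomplete


# Constructed trace: three normal handshakes, a burst of ten SYNs whose sources
# never answer, one normal client refused while the backlog is full, and one
# normal client served after the stale entries have timed out.
TRACE = (
    [(0.0, "SYN", "A"), (0.1, "ACK", "A"),
     (1.0, "SYN", "B"), (1.1, "ACK", "B"),
     (2.0, "SYN", "C"), (2.1, "ACK", "C")]
    + [(5.0 + 0.1 * i, "SYN", f"S{i}") for i in range(10)]
    + [(10.0, "SYN", "D"),
       (40.0, "SYN", "E"), (40.1, "ACK", "E")]
)

if __name__ == "__main__":
    bl, outcomes = replay(TRACE)
    print("established:", bl.established, "expired:", bl.expired,
          "dropped SYNs:", bl.dropped_syn, "flood suspected:", suspect_flood(bl))
```

Running the replay shows the two effects the paragraph describes: client D's SYN is refused at t=10 because all eight backlog slots are held by sources that will never answer, and the slots only become usable again once the timeout has expired them, after which client E connects normally. The `suspect_flood` ratio is deliberately crude; it illustrates that the signal a defender has is the gap between SYNs accepted and handshakes completed, not the contents of any single packet.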