TCP SYN Flood

Description: The TCP SYN flood is a type of distributed denial-of-service (DDoS) attack that exploits the TCP handshake process. The attack is carried out by sending a large number of SYN connection requests to a target server, overwhelming it so that it cannot handle legitimate requests. In the TCP protocol, a connection is established through a three-step exchange known as the ‘three-way handshake’: the client sends a SYN packet to the server, the server responds with a SYN-ACK packet, and the client sends an ACK packet to complete the connection. In a SYN flood attack, the attacker sends many SYN packets without completing the handshake, leaving the server waiting for ACK packets that never arrive. Each of these half-open connections consumes server resources, such as memory and processing capacity, and together they can saturate the server's connection capacity, resulting in denial of service for legitimate users. The TCP SYN flood is particularly dangerous because it can be executed relatively easily and does not require much bandwidth from the attacker, making it a popular technique among cybercriminals. Protection against such attacks is crucial to maintain the availability and integrity of online services.
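The resource exhaustion described above, as an added example that is not part of the original page: a simplified simulation of a server's queue of half-open connections, replayed over constructed traffic, plus a basic detection signal. The function names, queue size, timeout and addresses are assumptions for illustration; a real TCP stack tracks connections by address and port, not by client address alone.

```python
from collections import OrderedDict

def simulate_backlog(events, backlog=4, timeout=3.0):
    """Replay (time, client, flag) events against a fixed-size SYN queue.

    flag is "SYN" (handshake step 1) or "ACK" (handshake step 3). A SYN
    holds one queue slot until its ACK arrives or `timeout` seconds pass.
    Returns (established, dropped, peak_half_open).
    """
    half_open = OrderedDict()              # client -> time its SYN arrived
    established, dropped, peak = [], [], 0
    for now, client, flag in sorted(events, key=lambda e: e[0]):
        # Free slots whose completing ACK never arrived in time.
        for c in [c for c, t0 in half_open.items() if now - t0 >= timeout]:
            del half_open[c]
        if flag == "SYN":
            if client in half_open:
                continue                   # retransmitted SYN, slot already held
            if len(half_open) >= backlog:
                dropped.append(client)     # queue full: request is discarded
            else:
                half_open[client] = now
                peak = max(peak, len(half_open))
        elif flag == "ACK" and client in half_open:
            del half_open[client]          # handshake complete, slot released
            established.append(client)
    return established, dropped, peak

def unanswered_sources(events):
    """Detection signal: sources that sent a SYN but never the final ACK."""
    acked = {c for _, c, f in events if f == "ACK"}
    return sorted({c for _, c, f in events if f == "SYN"} - acked)

# Constructed sample traffic (documentation address ranges, not real hosts).
LEGIT = [(0.0, "192.0.2.10", "SYN"), (0.1, "192.0.2.10", "ACK"),
         (5.0, "192.0.2.11", "SYN"), (5.1, "192.0.2.11", "ACK")]
# Six sources each send one SYN from t=4.0 onward and never complete it.
FLOOD = [(4.0 + i / 10, f"198.51.100.{i}", "SYN") for i in range(6)]

if __name__ == "__main__":
    print("normal:", simulate_backlog(LEGIT))
    print("flood: ", simulate_backlog(LEGIT + FLOOD))
    print("never completed:", unanswered_sources(LEGIT + FLOOD))
```

In the flood run the second legitimate client is dropped because every slot is held by a half-open entry; once those entries time out, new connections are accepted again.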

History: The TCP SYN flood attack was first documented in the 1990s when vulnerabilities in the TCP protocol began to be identified. As the Internet grew, so did attack techniques, and the SYN flood became one of the most common forms of DDoS. In 1996, a paper was published describing this type of attack, leading to increased interest in network security and the need to develop effective countermeasures. Over time, various mitigation techniques have been implemented, such as the use of firewalls and intrusion detection systems, to protect against these attacks.

Uses: The TCP SYN flood is primarily used as a DDoS attack technique to disrupt the availability of online services. Attackers may employ this technique to disable web servers, cloud applications, and other critical resources, impacting businesses and organizations. Additionally, it has been used in extortion attacks, where attackers threaten to carry out an attack unless a ransom is paid.

Examples: A notable case of a TCP SYN flood attack occurred in 2000 when the e-commerce website eBay was attacked, resulting in significant disruption of its services. Another example is the attack on the University of California, Berkeley in 2003, where a SYN flood was used to disable access to its servers for several hours.
