What is a SYN flood attack? How it works and how to stop it

S
Secuirty Team

10 min read

What is a SYN flood attack? How it works and how to stop it

SYN flood attacks have been around since the mid-1990s, yet they remain one of the most common and disruptive DDoS techniques targeting servers today. The reason is simple: they exploit a design flaw in the TCP protocol itself, something that cannot be patched away, only mitigated.

At its core, a SYN flood attack works by overwhelming a server's connection queue with half-open TCP requests. The server waits for a final confirmation that never arrives, burning through memory and processing power until it can no longer accept traffic from real users.

This article explains what a syn flood attack is, how it works behind the scenes, and the practical mitigation techniques that can help keep websites, applications, and networks secure.

What is a SYN flood attack?Link to heading

What is a SYN flood attack?

A SYN flood attack, also known as a half-open attack, is a form of distributed denial-of-service (DDoS) attack designed to make a server or online service unavailable to legitimate users. The attack works by exhausting the target server’s available resources, preventing it from handling normal traffic efficiently.

The attacker floods the target with a continuous stream of SYN (synchronization) packets, rapidly occupying all available ports until the server becomes too overwhelmed to respond to real users normally.

How does a SYN flood attack work?Link to heading

To understand the attack, you first need to understand how a normal TCP connection is established. TCP uses a three-step process called the three-way handshake before any data can be exchanged:

  • The process begins when a client sends a SYN packet to the server to request a new connection.
  • The server replies with a SYN/ACK packet, confirming it received the request and is ready to proceed. 
  • The client then sends back a final ACK packet, completing the handshake and opening the connection for data transfer.

A SYN flood attack deliberately breaks this process at the final step. Here is how the attack unfolds:

  • The attacker sends a massive volume of SYN packets to the target server, typically using spoofed source IP addresses to conceal their identity. 
  • The server processes each request, allocates resources, and sends back a SYN/ACK response, reserving an open port while it waits for the client's final ACK. 
  • That final ACK never comes. Meanwhile, the attacker keeps sending more SYN packets, forcing the server to keep opening new half-complete connections. Each one consumes a port and a portion of server memory for the duration of the timeout period. Once all available ports are occupied by these hanging connections, the server can no longer accept traffic from legitimate users.

In networking terms, a connection where one side is waiting and the other has gone silent is called a half-open connection. This attack exploits that state at scale, intentionally leaving hundreds or thousands of connections in limbo until the server's resources are completely exhausted and it stops functioning normally.

A SYN flood attack can be carried out in three distinct ways, each varying in how the attacker conceals their identity and scales the attack.

Direct attack

Direct attack

In a direct attack, the attacker makes no attempt to hide their IP address. The SYN flood originates from a single device using its real, unmasked source address, which makes this method the easiest to detect and block. 

To keep the targeted server stuck in a half-open state, the attacker configures their machine to ignore all incoming SYN-ACK responses, either through firewall rules that drop everything except outgoing SYN packets, or by filtering out SYN-ACK packets before they reach the attacking machine. Because the source IP is visible, defenders can shut down the attack simply by blocking that address. 

For this reason, direct attacks are rarely used in practice, unless the attacker is operating through a botnet like Mirai, where concealing the IP of each infected device is not a priority.

Spoofed attack

A more evasive approach involves forging the source IP address on every SYN packet sent to the target. This makes it significantly harder to trace the attack back to its origin and complicates any mitigation effort. That said, spoofed packets are not completely untraceable. 

With cooperation from Internet Service Providers and careful network forensics, it is sometimes possible to follow the trail back to the real source, though the process is time-consuming and rarely straightforward.

Distributed attack

When a botnet is used to launch the SYN flood across many compromised devices simultaneously, tracing the attack to a single origin becomes extremely difficult. An attacker can further obscure the source by instructing each device in the botnet to also spoof its IP address, adding another layer of misdirection. This combination of distribution and spoofing makes distributed SYN flood attacks among the hardest to attribute and shut down.

One of the reasons SYN flood attacks remain widely used is their efficiency. Unlike volumetric DDoS attacks that require enormous amounts of traffic to saturate a target's network infrastructure, a SYN flood only needs to generate enough requests to fill the target server's connection backlog. 

If the attacker knows the backlog size and the connection timeout duration of the target system, they can calculate the precise volume of packets needed to render the server unresponsive, achieving denial-of-service with far less bandwidth than most other attack methods require.

>>> Learn more: DoS vs DDoS: What’s the difference and how to stop them

Common signs of a SYN Flood attackLink to heading

Common signs of a SYN Flood attack

Sudden drop in system performanceLink to heading

This is typically the first and most noticeable sign. CPU usage spikes to abnormal levels, available RAM gets consumed rapidly, and network bandwidth becomes almost entirely saturated. The server starts struggling to handle even basic operations, and the degradation can happen within seconds of the attack beginning.

Slow response timesLink to heading

Legitimate user requests take significantly longer to process, and in many cases, connections time out entirely. Websites become unresponsive or take an unusually long time to load, which directly impacts the experience of real visitors trying to access your services.

Inability to establish new connectionsLink to heading

All TCP-dependent services on the server become disrupted. Users can no longer access the website, send or receive emails, or perform any action that requires an active TCP connection. The server is still technically running, but it is unable to serve anyone.

Abnormal system logsLink to heading

Reviewing your server logs will reveal a large number of incomplete TCP connection requests originating from multiple different IP addresses. This pattern is one of the clearest indicators that a SYN flood attack is actively targeting your server, and it should trigger an immediate investigation.

What are the consequences of a SYN flood attack?Link to heading

Service and system disruptionLink to heading

The server can become fully paralyzed, bringing all online business operations to a halt. Beyond the immediate loss of revenue, the degraded experience drives users away and damages trust in the platform.

Financial and reputational damageLink to heading

Financial and reputational damage

When a website goes down, both existing customers and potential new ones are lost, with a direct impact on revenue. The damage to brand reputation can be equally serious. Businesses with unstable or unreliable infrastructure quickly lose credibility, and rebuilding that trust takes far longer than recovering the system itself.

Security risksLink to heading

Perhaps the most dangerous aspect is that a SYN flood attack is sometimes used as a distraction. While the network team is focused on handling the flood of incoming SYN packets, attackers may quietly carry out a second, more targeted operation in the background, such as stealing sensitive data or deploying malware onto the compromised system.

How is a SYN flood attack mitigated?Link to heading

SYN flood vulnerabilities have been well understood for decades, and several effective mitigation strategies have been developed over time. The most widely used approaches are outlined below.

Increasing the backlog queueLink to heading

Every operating system limits how many half-open connections it will hold at any given time. One straightforward way to handle a surge of SYN packets is to raise that limit, giving the server more room to absorb incoming requests without immediately becoming overwhelmed. However, a larger backlog queue requires additional memory to support it. 

If the server does not have enough available memory to handle the expanded queue, overall system performance may suffer. Even so, degraded performance is generally preferable to a full denial-of-service condition.

Recycling the oldest half-open connectionsLink to heading

Another approach is to configure the server to overwrite its oldest half-open connection once the backlog reaches capacity, freeing up space for newer requests. This works on the assumption that legitimate connections will complete their handshake faster than an attacker can fill the queue with malicious SYN packets. 

The weakness of this method is that it breaks down under high-volume attacks or when the backlog size is simply too small to provide a meaningful buffer.

SYN cookiesLink to heading

SYN cookies

SYN cookies are widely considered the most effective server-side defense. When the backlog fills up, instead of holding each incoming SYN request in memory, the server generates a cryptographic cookie and sends it back in the SYN-ACK response, then immediately removes the request from the backlog and frees the port. 

If the connection is legitimate, the client returns a final ACK containing that cookie value, and the server uses it to reconstruct the connection entry. This approach keeps ports available under attack conditions, though it does involve a small trade-off in that some TCP connection details are not fully preserved. For most scenarios, that trade-off is well worth avoiding a complete service outage.

ConclusionLink to heading

A SYN flood attack remains one of the most effective ways attackers can disrupt online services by exploiting weaknesses in the TCP connection process itself. Even though the technique has existed for decades, it continues to affect websites, applications, and enterprise infrastructure because it requires relatively little bandwidth to cause serious damage.

The good news is that SYN flood attacks can be mitigated with the right defensive strategies. Technologies such as SYN cookies, traffic filtering, rate limiting, and modern DDoS protection systems play a critical role in keeping servers stable under attack conditions. 

>>> Could your website survive thousands of fake TCP requests at the same time? Turn on W7SFW and strengthen your WordPress security with advanced firewall protection designed for modern cyber threats.

Related posts

Get In Touch
with our security experts.
Whether you need a custom enterprise plan or technical support, we are here to help. Expect a response within 24 hours.