What is a SYN attack?
December 24, 2002
A. The SYN (TCP connection request) attack is a common denial of service (DoS) technique characterized by the following pattern:
Using a spoofed IP address not in use on the Internet, an attacker sends multiple SYN packets to the target machine.
For each SYN packet received, the target machine allocates resources and sends an acknowledgement (SYN-ACK) to the source IP address.
Because the target machine doesn't receive a response from the attacking machine, it attempts to resend the SYN-ACK five times, at 3-, 6-, 12-, 24-, and 48-second intervals, before unallocating the resources 96 seconds after attempting the last retry. If you add it all together, you can see that the target machine allocates resources for more than 3 minutes to respond to just one SYN attack.
When an attacker uses this technique repeatedly, the target machine eventually runs out of resources and is unable to handle any more connections, thereby denying service to legitimate users.
To determine whether your systems might be vulnerable to this type of attack, from the command prompt type
netstat -n -p tcp
Look at the output for entries in a state of SYN_RECEIVED. If you notice multiple entries, your system is vulnerable to attack. For information on how to protect yourself from such DoS attacks, see "How can I protect my system from a Denial of Service (DoS) attack?".
About the Author
You May Also Like