SYN flooding

When an attack begins, the server sees the equivalent of multiple attempts to establish communications. The server responds to each attempt with a SYN/ACK (synchronization acknowledged) packet from each open port, and with a RST (reset) packet from each closed port. In a normal three-way handshake, the client would return an ACK (acknowledged) packet to confirm that the server's SYN/ACK packet was received, and communications would then commence. However, in a SYN flood, the ACK packet is never sent back by the hostile client. Instead, the hostile client program sends repeated SYN requests to all the server's ports.

The hostile client makes the SYN requests all appear valid, but because the IP addresses are fake ones, it is impossible for the server to close down the connection by sending RST packets back to the hostile client. Instead, the connection stays open. Before time-out can occur, another SYN packet arrives from the hostile client. A connection of this type is called a half-open connection. Under these conditions, the server becomes completely or almost completely busy with the hostile client. Communications with legitimate clients is difficult or impossible.

A hostile client can exploit half-open connections and possibly get access to server files. The transmission by a hostile client of SYN packets for the purpose of finding open ports and hacking into one or more of them, is called SYN scanning. A hostile client always knows a port is open when the server responds with a SYN/ACK packet.

Learn more about Application Attacks (Buffer Overflows, Cross-Site Scripting)

Do you have something to add to this definition? Let us know. Send your comments to techterms@whatis.com

More resources from around the web: - Internet Security Systems suggests ways of defending against SYN flooding attacks. - Edward Hurley's article on SearchSecurity.com mentions that a Mydoom worm variant uses SYN flooding.

FILE EXTENSION AND FILE FORMAT LIST File Extension and File Format List: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z #

RELATED CONTENT Adobe warns of critical update for Reader, Acrobat 9.1.3 An Adobe update next week will repair a critical zero-day flaw being actively targeted by attackers. 9 Ways to Improve Application Security After an Incident Application and security teams work in silos and often meet only after an attack. Here are nine tips to prevent future costly incidents and improve... Developers Need Help with Security Errors SQL injection attacks continue to plague Web applications. Companies need to invest in technology and education to hold off hackers.

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary buffer overflow  (SearchSecurity.com) cache poisoning  (SearchSecurity.com)