How to defend against a sync flood attack

Nick Lewis explains how to protect your organization from sync flood attacks.

Nick Lewis

What are some ways to protect against sync flood attacks?

A Sync flood attack, better known as a SYN attack, has its origins as one of the original types of distributed denial-of-service (DDoS) attacks and have not been significant threats to enterprises today. Most CERT advice from 1996 still applies to modern systems, but obviously many improvements have been made in the last 15 years.

A SYN attack is one where an attacker makes an initial connection to a victim computer and the victim computer waits for the completion of the connection. The attack is exploiting part of the three-way handshake in TCP for establishing reliable connections. When the initial connection is left open, it consumes resources on the victim computer until it runs out of connections or has other issues.

To protect against sync flood attacks, you have several options. The attacks can be detected by standard intrusion detection systems (IDS) and could also be blocked or minimized by built-in features in firewalls and other devices. Further protections could include lowering timeouts for how long a system waits for another system to complete the three-way handshake or having your ISP block the attacks.

This was last published in May 2010

How to defend against a sync flood attack

Nick Lewis explains how to protect your organization from sync flood attacks.

Dig Deeper on DDoS attack detection and prevention

SYN scanning

distributed denial-of-service (DDoS) attack

denial-of-service attack

7 TCP/IP vulnerabilities and how to prevent them

Related Q&A from Nick Lewis

What are port scan attacks and how can they be prevented?

Explore benefits and challenges of cloud penetration testing

What are the best criteria to use to evaluate cloud service providers?