Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. Akamai Connected Cloud, a massively distributed edge and cloud platform, puts apps and experiences closer to users and keeps threats farther away.
Understanding SYN Flood DDoS Attacks
A SYN distributed denial-of-service attack is a type of DDoS attack that affects the TCP protocol at Layer 4 of the OSI model, and attempts to take a network device, load balancer, session management device, or server offline by flooding it with requests to connect to its resources. Known as a “half-open attack,” a SYN flood attack exploits a common vulnerability in the TCP/IP handshake to overwhelm a server with TCP connections, preventing it from providing service to legitimate traffic and legitimate connections. This type of cyberattack can bring down devices that are capable of maintaining tens of millions of connections. The TCP SYN flood was first used by hackers in the early 1990s, most famously by Kevin Mitnick, who spoofed a TCP/IP connection for a DOS attack.
How do SYN flood attacks work?
A typical connection request between a legitimate client and server involves a TCP three-way handshake. A client/user requests a connection by sending a synchronize (SYN) packet to the server. The server acknowledges the request by sending a synchronize-acknowledge (SYN-ACK) packet to the client. The client responds with an acknowledge (ACK) message, and a connection is established. There are other TCP “flags” like RESET (RST), and predetermined timeout values that clients and targeted servers can transmit between each other, but at a high level, TCP is a connection-oriented protocol.
In SYN flood attacks, attackers can repeatedly send SYN packets to every port on a server, typically using a fake IP address or spoofed IP address, or to any single port. Because these requests seem like legitimate TCP connections, the server responds to each request with a SYN-ACK packet from every open port requested. The final ACK packet never arrives, and the server maintains a growing number of open port connections. Once all available ports have been opened, the server can no longer function normally and makes it extremely difficult to manage the TCP sequence number for real users.
What are the varieties of SYN flood attacks?
SYN flood attacks may be carried out in three ways:
- Non-spoofed IP addresses. When this method is deployed, it’s easier for the targeted company to identify attribution and mitigate it, but doing that safely is a challenge for network security and cybersecurity experts.
Spoofed IP addresses. In this approach, attackers spoof the source IP address of a trusted server or internet-connected device, making it harder to trace the packets and prevent the attack.
Distributed IP addresses. This form of SYN flood attack uses a botnet to send malicious packets from a distributed network of infected devices that may use their own IP address or a spoofed address to launch an attack that is more complex, larger in scale, and harder to mitigate.
What are SYN flood DDoS attacks designed to accomplish?
SYN flood DDoS attacks can cause significant performance problems for networks and systems. By crippling servers and taking them offline, SYN flood attacks can make services unavailable to legitimate users and cause loss of data. By taking servers offline, SYN flood attacks prevent legitimate users from accessing applications, data, and ecommerce sites. As a result, organizations may experience loss of sales, damage to reputation, disruption in critical infrastructure, and a loss of business continuity.
SYN flood DDoS attacks may also be used as a cover for other types of attacks such as ransomware, aka a “smokescreen.” By launching a SYN flood attack, attackers can cause security teams and DDoS mitigation to focus resources on one area or strategy, while malicious actors attack another part of the system.
How can SYN flood attacks be mitigated?
Common techniques for mitigating SYN flood DDoS attacks include:
- Intrusion detection systems (IDS) that can detect and block malicious traffic from a SYN flood attack and other DDoS attacks, if non-spoofed source IPs are used
- Rate-limiting techniques that limit the number of SYN requests or SYN packets per second that can be sent to a server at any one time
- Configuring a larger backlog queue to increase the number of “half-opened” connections allowed
- Deployment of solutions for greater network visibility that allow security teams to see and analyze traffic from different parts of the network
- SYN cookies that use cryptographic hashing in the ACK packet to verify connections before allocating memory resources, aka anti-spoofing methods
- Recycling the oldest half-open connection to create space for new connections and ensure that systems stay accessible during flood attacks
- Firewalls that can filter out illegitimate SYN packets (but these come at a performance cost)
- Cloud DDoS mitigation
Stop SYN flood attacks with Akamai
Akamai secures and delivers digital experiences for the world’s largest companies. By keeping decisions, apps, and experiences closer to users — and attacks and threats farther away — we enable our customers and their networks to be fast, smart, and secure.
Our end-to-end DDoS and DoS protection solutions provide a holistic approach that serves as the first line of defense. With dedicated edge, distributed DNS, and network cloud mitigation strategies, our anti-DDoS technologies prevent collateral damage and single points of failure to provide our customers with increased resiliency, dedicated scrubbing capacity, and higher quality of mitigation.
App & API Protector provides a holistic set of powerful protections with customer-focused automation. While this solution offers some of the most advanced application security automation available today, it remains simple to use. A new adaptive security engine and industry-leading core technologies enable DDoS protection, API security, bot mitigation, and a web application firewall in an easy-to-use solution.
Prolexic stops DDoS attacks with the fastest and most effective defense at scale. Offering a zero-second SLA for DDoS defense, Prolexic proactively reduces attack services and customizes mitigation controls to network traffic to block attacks instantly. Having a fully managed SOCC complements your existing cybersecurity programs and will help augment your time to resolution with industry-proven experiences.
Edge DNS prevents DNS outages with the largest edge platform, enabling organizations to count on guaranteed, nonstop DNS availability. A cloud-based solution, Edge DNS ensures 24/7 DNS availability while improving responsiveness and defending against the largest DDoS attacks.