SYN floods are, by far, the most common type of DDoS attack, and they are typically directed at a service such as HTTP. A SYN packet is the first packet a host sends to a server when requesting a TCP connection. Every TCP connection must be established through the three-way handshake defined in TCP RFC 793. Figure 7-10 shows an example of a normal TCP connection setup.
Figure 7-10. TCP Three-way handshake
A SYN flood exploits the way TCP sets up its connections. When a SYN packet arrives, the server replies with a SYN/ACK packet and then listens for the acknowledgment. The server is left hanging in that half-open state, holding the connection while it waits for an ACK packet that does not arrive.
A SYN flood attacks more than one vector at once. The first is that the server must process every incoming SYN and build a SYN/ACK reply for each, which exhausts CPU and memory. The second is the number of idle, half-open sockets left waiting for an ACK that never comes back from the originating source. This second vector affects any element that keeps connection state, such as load balancers, firewalls, proxies, servers, and so on.
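The state-exhaustion vector described above is easiest to see by modelling the table a stateful element keeps between the SYN it receives and the ACK it is waiting for. The following Python is an added example, not code from the book: it tracks half-open entries, expires them after a timeout, and flags sources that send many SYNs but complete few handshakes. The packet records, addresses, the 30-second timeout and the 5-SYN / 20% thresholds are all constructed for illustration; the server's own SYN/ACK is not modelled because only the client-side SYN and ACK change the tracked state.

```python
"""Half-open TCP connection tracker (added example, not from the book).

Models the state a server, firewall or load balancer holds between a SYN
and the final ACK of the three-way handshake, and reports sources whose
handshakes are left incomplete. All traffic below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

SYN_TIMEOUT = 30.0  # assumed: seconds a half-open entry is held before expiry


@dataclass(frozen=True)
class Packet:
    ts: float    # arrival time in seconds
    src: str     # client "ip:port"
    dst: str     # server "ip:port"
    flags: str   # "SYN" (connection request) or "ACK" (final handshake step)


class HalfOpenTracker:
    def __init__(self, timeout=SYN_TIMEOUT):
        self.timeout = timeout
        self.pending = {}                    # (src, dst) -> time the SYN was seen
        self.syns = defaultdict(int)         # source ip -> SYNs seen
        self.completed = defaultdict(int)    # source ip -> handshakes completed
        self.expired = defaultdict(int)      # source ip -> entries expired without ACK

    def _expire(self, now):
        """Drop entries that waited longer than the timeout, as a real stack would."""
        for key, t0 in list(self.pending.items()):
            if now - t0 > self.timeout:
                del self.pending[key]
                self.expired[key[0].split(":")[0]] += 1

    def observe(self, pkt):
        self._expire(pkt.ts)
        key = (pkt.src, pkt.dst)
        ip = pkt.src.split(":")[0]
        if pkt.flags == "SYN":
            self.syns[ip] += 1
            self.pending[key] = pkt.ts        # state is now held for this client
        elif pkt.flags == "ACK" and key in self.pending:
            del self.pending[key]             # handshake completed, state released
            self.completed[ip] += 1

    def half_open(self):
        """Entries currently held while waiting for the final ACK."""
        return len(self.pending)

    def suspicious_sources(self, min_syns=5, max_completion=0.2):
        """Sources that sent many SYNs but completed few handshakes (assumed thresholds)."""
        out = []
        for ip, n in self.syns.items():
            if n >= min_syns and self.completed[ip] / n <= max_completion:
                out.append(ip)
        return sorted(out)


def build_sample_packets():
    """Constructed traffic: one well-behaved client and one flooding source."""
    pkts = []
    # Legitimate client completes three handshakes from three source ports.
    for i, port in enumerate((40001, 40002, 40003)):
        src = f"10.0.0.5:{port}"
        pkts.append(Packet(ts=1.0 + i, src=src, dst="192.0.2.10:80", flags="SYN"))
        pkts.append(Packet(ts=1.1 + i, src=src, dst="192.0.2.10:80", flags="ACK"))
    # Flooding source sends 20 SYNs from 20 ports and never answers the SYN/ACK.
    for i in range(20):
        src = f"198.51.100.7:{50000 + i}"
        pkts.append(Packet(ts=2.0 + 0.01 * i, src=src, dst="192.0.2.10:80", flags="SYN"))
    return sorted(pkts, key=lambda p: p.ts)


def run_demo(timeout=SYN_TIMEOUT):
    tracker = HalfOpenTracker(timeout)
    for pkt in build_sample_packets():
        tracker.observe(pkt)
    peak = tracker.half_open()                 # state held at the end of the burst
    suspects = tracker.suspicious_sources()
    # A later legitimate handshake lets the tracker expire the stale entries.
    tracker.observe(Packet(ts=100.0, src="10.0.0.5:40004", dst="192.0.2.10:80", flags="SYN"))
    tracker.observe(Packet(ts=100.1, src="10.0.0.5:40004", dst="192.0.2.10:80", flags="ACK"))
    return {
        "half_open_during_flood": peak,
        "suspicious_sources": suspects,
        "expired_from_flooder": tracker.expired["198.51.100.7"],
        "half_open_after_expiry": tracker.half_open(),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point the numbers make is that the legitimate client never holds more than one entry at a time, while the flooder's 20 entries sit in the table for the full timeout. Multiply that by the rate a real flood arrives at and the table on any stateful element fills long before the first entry expires, which is why the monitoring discussed next matters.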
So, how do you prevent SYN floods from impacting your elements and infrastructure? The first preventive measure, as with every other flood configuration, is to understand how traffic flows through your network. Traffic should be monitored ...