What is SYN flooding attack and what are the best remediation mechanisms?
A SYN flooding attack is a DoS attack that floods a server with half-open SYN requests in the TCP three-way handshake used for connection establishment. The three-way handshake establishes a connection between the communicating parties through the exchange [SYN – SYN/ACK – ACK]. The attacker blindly sends SYN requests without ever completing the connection with the final ACK. The intent of the attack is to deplete the server's resources and make it unresponsive. Moreover, the attacker may not stop there and may go on to launch further attacks such as IP spoofing.
The attacker repeatedly sends TCP SYN segments to every port on the server, potentially using a spoofed source IP address. The server responds to each request with a SYN+ACK segment, assuming the traffic comes from valid hosts. However, the attacker never sends back the ACK segment, so each half-open connection keeps occupying server resources until it times out and is closed.
The best protections against SYN flooding include increasing the size of the backlog queue and keeping firewalls patched, to name a few.
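To make the mechanism concrete, the following is an added in-memory simulation (not part of the original answer and not code from any real TCP stack): a stateful server whose half-open queue fills up under spoofed SYNs, the same server with a larger backlog, and a stateless server that uses SYN cookies so a SYN reserves no memory at all. The class names, the `WINDOW` epoch length and the addresses (documentation ranges) are hypothetical constructions for the example.

```python
"""In-memory simulation of TCP handshake state under a SYN flood (no sockets).
Added illustration: class and function names are hypothetical, not from any
real TCP stack, and the addresses below are constructed documentation ranges."""
import hashlib
import hmac
import os
from collections import OrderedDict

MASK32 = 0xFFFFFFFF


class BacklogServer:
    """Classic stateful handshake: each SYN reserves a slot until its ACK arrives."""

    def __init__(self, backlog, timeout=60):
        self.backlog = backlog          # capacity of the half-open (SYN_RECV) queue
        self.timeout = timeout          # seconds before an unanswered SYN/ACK is dropped
        self.half_open = OrderedDict()  # (ip, port) -> (server_isn, arrival_time)
        self.established = 0
        self.refused = 0

    def expire(self, now):
        for key, (_, t0) in list(self.half_open.items()):
            if now - t0 >= self.timeout:
                del self.half_open[key]

    def on_syn(self, src, client_isn, now):
        self.expire(now)
        if len(self.half_open) >= self.backlog:
            self.refused += 1           # queue full: this client gets no SYN/ACK at all
            return None
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[src] = (isn, now)
        return isn                      # sent back as the server ISN in the SYN/ACK

    def on_ack(self, src, client_isn, ack_num, now):
        entry = self.half_open.get(src)
        if entry is None or ack_num != (entry[0] + 1) & MASK32:
            return False
        del self.half_open[src]
        self.established += 1
        return True


class SynCookieServer:
    """Stateless handshake: the server ISN is a MAC over the connection tuple,
    so a SYN costs no memory and a forged ACK cannot complete a connection."""

    WINDOW = 64  # seconds per cookie epoch; current and previous epoch are accepted

    def __init__(self, secret):
        self.secret = secret
        self.established = 0
        self.refused = 0

    def _cookie(self, src, client_isn, epoch):
        msg = f"{src[0]}:{src[1]}:{client_isn}:{epoch}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # 8 bits of epoch counter + 24 bits of truncated MAC fit the 32-bit ISN field
        return ((epoch & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

    def on_syn(self, src, client_isn, now):
        return self._cookie(src, client_isn, now // self.WINDOW)  # nothing stored

    def on_ack(self, src, client_isn, ack_num, now):
        # client_isn is recoverable from the ACK segment's own sequence number (seq - 1)
        got = ((ack_num - 1) & MASK32).to_bytes(4, "big")
        epoch = now // self.WINDOW
        for e in (epoch, epoch - 1):
            want = self._cookie(src, client_isn, e).to_bytes(4, "big")
            if hmac.compare_digest(got, want):
                self.established += 1
                return True
        self.refused += 1
        return False


def simulate(server, spoofed_syns, legit_clients, now=1000):
    """Spoofed sources never answer the SYN/ACK; legitimate clients do.
    Returns how many legitimate clients reached ESTABLISHED."""
    for i in range(spoofed_syns):
        server.on_syn((f"203.0.113.{i % 250}", 1024 + i), i, now)
    ok = 0
    for j in range(legit_clients):
        src, cisn = ("198.51.100.7", 40000 + j), 7000 + j
        isn = server.on_syn(src, cisn, now + 1)
        if isn is not None and server.on_ack(src, cisn, (isn + 1) & MASK32, now + 2):
            ok += 1
    return ok


if __name__ == "__main__":
    print("backlog 128 :", simulate(BacklogServer(128), 1000, 10), "of 10 legit clients")
    print("backlog 4096:", simulate(BacklogServer(4096), 1000, 10), "of 10 legit clients")
    print("SYN cookies :", simulate(SynCookieServer(os.urandom(16)), 1000, 10), "of 10 legit clients")
```

The run shows the trade-off behind the remediation list: a larger backlog helps only while the attacker's half-open connections stay below the queue size, whereas SYN cookies keep accepting legitimate clients regardless of flood volume because the server stores nothing per SYN and validates the returning ACK cryptographically. On Linux the corresponding knobs are the `net.ipv4.tcp_max_syn_backlog` and `net.ipv4.tcp_syncookies` sysctls, and a growing count of connections in the SYN_RECV state (for example in `ss -tan`) is the usual early indicator that the queue is under pressure.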