Also called SYN flooding, a form of denial of service attack directed at hosts on TCP/IP networks, typically servers reachable from the Internet. A SYN attack is a protocol-level attack: it abuses the TCP three-way handshake itself rather than a flaw in any particular application, and it can make a computer’s network services unavailable to legitimate users.
A malicious user initiates a SYN attack by sending Transmission Control Protocol (TCP) connection requests (SYN packets) to a targeted server, usually a Web server. The attacker spoofs the source IP address in each SYN packet, choosing an address that will not answer, such as an unassigned or unreachable one. (If the spoofed address belonged to a live host, that host would reply to the unexpected SYN-ACK with a reset, RST, and the server would free the entry immediately.) When the server receives a connection request, it allocates resources for tracking the new, half-open connection and responds with a SYN-ACK packet to the spoofed source address. Because no ACK ever comes back, the server retransmits the SYN-ACK several times at increasingly long intervals (five times in Microsoft Windows NT, after 3, 6, 12, 24, and 48 seconds). After the last retransmission the server gives up and frees the resources it allocated for the connection. For servers running Windows NT, the default time for this entire process is 189 seconds. The attacker’s software sends large numbers of such SYNs automatically. Because each half-open entry is held for so long and the server keeps only a limited number of them per listening port, a very modest packet rate is enough to keep that table full, so that SYNs from legitimate users are dropped and they cannot connect.
If you are running a Web server and your Web clients are receiving messages such as “The connection has been reset by the remote host,” or simply cannot connect, you might be the target of a SYN attack. On a Windows server (for example, one running Internet Information Services (IIS) as its Web server), type netstat -n -p tcp at the command prompt and examine the number of TCP connections in the SYN_RECEIVED state. A few such connections are normal, since clients on slow or lossy links take time to complete the handshake; a large and persistent number of SYN_RECEIVED connections, typically from many scattered foreign addresses that never complete the handshake, indicates that your server is probably under attack.
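To automate the netstat check described above, the following Python example (added here; it is not code from the original entry or from Microsoft) parses output in the format of netstat -n -p tcp, counts SYN_RECEIVED entries per local port, and records how many distinct foreign addresses they come from, since a spoofed flood usually shows many sources that never finish the handshake. The sample output, its addresses (RFC 5737 documentation ranges) and the alert threshold are constructed assumptions, not Microsoft figures.

```python
"""Count half-open TCP connections in the output of netstat -n -p tcp.

Added illustration, not code from the original page or from Microsoft.
SAMPLE_NETSTAT is constructed to resemble Windows netstat output; the
addresses come from RFC 5737 documentation ranges and the threshold is an
assumed value, not a Microsoft recommendation.
"""
import re
from collections import Counter

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:80          198.51.100.23:41022    ESTABLISHED
  TCP    192.0.2.10:80          203.0.113.5:1025       SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.77:1026      SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.200:1027    SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.5:1028       SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.23:41023    TIME_WAIT
  TCP    192.0.2.10:443         198.51.100.90:50001    ESTABLISHED
  TCP    192.0.2.10:443         203.0.113.9:1029       SYN_RECEIVED
"""

# One TCP row: proto, local ip:port, foreign ip:port, state. Linux/BSD netstat
# prints the same state as SYN_RECV, so both spellings are accepted below.
ROW_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$", re.I)
HALF_OPEN_STATES = {"SYN_RECEIVED", "SYN_RECV"}


def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per TCP row."""
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            lip, lport, rip, rport, state = m.groups()
            yield lip, int(lport), rip, int(rport), state.upper()


def half_open_by_port(text):
    """Map each local port to its half-open count and a Counter of foreign IPs."""
    result = {}
    for _lip, lport, rip, _rport, state in parse_netstat(text):
        if state in HALF_OPEN_STATES:
            entry = result.setdefault(lport, {"half_open": 0, "sources": Counter()})
            entry["half_open"] += 1
            entry["sources"][rip] += 1
    return result


def suspected_syn_flood(text, threshold=50):
    """Return the local ports whose half-open count reaches threshold.

    A handful of SYN_RECEIVED entries is normal (clients on slow or lossy
    links); the attack signature is a large, persistent count, usually spread
    across many foreign addresses that never complete the handshake. The
    threshold of 50 is an assumption; tune it to the server's backlog size.
    """
    return sorted(port for port, e in half_open_by_port(text).items()
                  if e["half_open"] >= threshold)


if __name__ == "__main__":
    for port, e in sorted(half_open_by_port(SAMPLE_NETSTAT).items()):
        print(f"port {port}: {e['half_open']} half-open from "
              f"{len(e['sources'])} distinct foreign addresses")
    print("suspected flood on ports:", suspected_syn_flood(SAMPLE_NETSTAT, threshold=3))
```

In practice you would feed the function the live output (for example, the text captured from netstat -n -p tcp) on a schedule and alert when a port stays above the threshold across several samples, since a single snapshot can catch a brief, benign burst.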
SYN attacks against private networks are simple to prevent: you configure a firewall with access lists that accept incoming connections only from known source addresses. However, if you are running a Web server that must be reachable by anyone on the Internet, defending it is harder, because the attacker can put any source address in the SYN packets, so an input filter cannot tell attack SYNs from legitimate ones. (Such a filter can still drop packets whose claimed source is obviously forged, for example Internet traffic claiming to come from your own internal address range.) Ways to reduce the impact of a SYN attack on a Web server include decreasing the time-out period for the TCP three-way handshake (on Windows NT, by lowering the number of SYN-ACK retransmissions through the TcpMaxConnectResponseRetransmissions value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters), increasing the size of the queue of half-open (SYN-ACK) connections, and applying vendor-supplied patches to your Web server (later service packs for Windows NT 4.0 add the SynAttackProtect value in the same registry key, which cuts retransmissions automatically once the number of half-open connections grows large). These measures raise the cost of an attack rather than eliminating it: a faster flood can still fill a larger queue or outpace a shorter time-out. For more information on configuring IIS servers to withstand SYN attacks, see the Microsoft Internet Information Server Resource Kit from Microsoft Press.
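The mechanism described in the attack paragraph above and the two tuning defenses in this one (a shorter handshake time-out, a larger queue) can be worked through with the following Python model, added here and not code from the original entry or from Microsoft. It reproduces the Windows NT retransmission schedule quoted above (five SYN-ACK retransmissions, 189 seconds in total), keeps a bounded table of half-open connections for one listening port, and floods it with spoofed SYNs while a legitimate client tries to connect. The queue capacity of 100, the rate of one SYN per second, the timing of the legitimate client and all addresses are assumed values chosen for the demonstration; the model also goes beyond the text by showing what happens when the spoofed address belongs to a live host.

```python
"""Model of a listener's half-open (SYN_RECEIVED) queue under a SYN flood.

Added illustration, not code from the original page or from Microsoft. The
SYN-ACK retransmission schedule reproduces the Windows NT figures quoted in
the text (five retransmissions, 189 seconds in total). The queue capacity,
the attack rate, the timing of the legitimate client and all addresses are
assumed values chosen for the demonstration.
"""
from collections import OrderedDict


def syn_ack_schedule(initial_wait=3, retransmits=5):
    """Return (retransmit_times, hold_time) in seconds.

    Each SYN-ACK retransmission waits twice as long as the previous one, and
    after the last one the server waits twice that interval before discarding
    the half-open connection. With NT's defaults the waits are 3, 6, 12, 24
    and 48 s, then a final 96 s: 189 s during which the slot stays allocated.
    """
    waits = [initial_wait * 2 ** i for i in range(max(retransmits, 1))]
    times, elapsed = [], 0
    for w in waits:
        elapsed += w
        times.append(elapsed)
    return times, elapsed + 2 * waits[-1]


class HalfOpenQueue:
    """Connections for one listener that were sent a SYN-ACK but not yet ACKed."""

    def __init__(self, capacity, hold_time):
        self.capacity = capacity
        self.hold_time = hold_time
        self.entries = OrderedDict()  # (src_ip, src_port) -> arrival time, oldest first
        self.rejected = 0

    def expire(self, now):
        """Discard entries whose retransmissions have all gone unanswered."""
        while self.entries:
            arrived = next(iter(self.entries.values()))
            if now - arrived < self.hold_time:
                break
            self.entries.popitem(last=False)

    def syn(self, now, src_ip, src_port):
        """Allocate a slot for an incoming SYN; False means the SYN was dropped."""
        self.expire(now)
        if len(self.entries) >= self.capacity:
            self.rejected += 1
            return False
        self.entries[(src_ip, src_port)] = now
        return True

    def release(self, src_ip, src_port):
        """Free a slot early: the final ACK arrived, or the spoofed address
        belonged to a live host that answered the unexpected SYN-ACK with RST."""
        return self.entries.pop((src_ip, src_port), None) is not None


def spoofed_source(n):
    """Deterministic fake source for the n-th attack SYN (assumed, not real hosts)."""
    return f"10.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}", 1024 + n % 60000


def simulate_flood(capacity=100, syn_rate=1, duration=300, legit_at=200,
                   retransmits=5, sources_live=False):
    """Flood one listener with syn_rate spoofed SYNs per second for duration
    seconds; at legit_at a real client tries to connect. Returns
    (legit_connected, peak_half_open).

    retransmits models the 'decrease the time-out' defense, capacity the
    'increase the SYN-ACK queue' defense. sources_live=True models spoofing a
    reachable host, whose RST frees each slot at once, so the flood fails.
    """
    _, hold_time = syn_ack_schedule(retransmits=retransmits)
    queue = HalfOpenQueue(capacity, hold_time)
    peak, legit_connected, n = 0, False, 0
    for now in range(duration + 1):
        for _ in range(syn_rate):          # attacker's SYNs arrive first each second
            ip, port = spoofed_source(n)
            n += 1
            if queue.syn(now, ip, port):
                peak = max(peak, len(queue.entries))
                if sources_live:
                    queue.release(ip, port)
        if now == legit_at:                # real client; completes the handshake if admitted
            legit_connected = queue.syn(now, "203.0.113.7", 40000)
            peak = max(peak, len(queue.entries))
            if legit_connected:
                queue.release("203.0.113.7", 40000)
    return legit_connected, peak


def syns_per_second_to_fill(capacity, hold_time):
    """Steady-state attack rate that keeps the queue full: capacity / hold_time."""
    return capacity / hold_time


if __name__ == "__main__":
    _, hold = syn_ack_schedule()
    print(f"NT schedule: hold time {hold} s; {syns_per_second_to_fill(100, hold):.2f} SYN/s "
          "keeps a 100-entry queue full")
    for label, kwargs in [("defaults", {}), ("2 retransmits", {"retransmits": 2}),
                          ("queue 200", {"capacity": 200}),
                          ("queue 200, 2 SYN/s", {"capacity": 200, "syn_rate": 2}),
                          ("spoofed hosts live", {"sources_live": True})]:
        print(f"{label:22s} legit connected={simulate_flood(**kwargs)[0]}")
```

The runs in the main block make the trade-offs concrete: with the NT defaults a single SYN per second keeps a 100-entry queue full, because entries linger for 189 seconds; cutting to two retransmissions (a 21-second hold in this model) or doubling the queue lets the legitimate client in at that rate, but doubling the attacker's rate fills the 200-entry queue again, which is why the text calls these measures hardening rather than a cure. The sources_live run shows why the attacker must spoof addresses that do not answer.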