The Half Open Trap
A TCP connection begins with a three-way handshake: the client sends SYN, the server answers SYN-ACK, and the client finishes with ACK. A SYN flood abuses this by sending many SYNs but never completing the handshake.
- For each SYN, the server allocates a half-open connection entry (memory for the pending request) and replies with a SYN-ACK.
- The attacker never sends the final ACK, so the entry sits half open until its timeout expires.
- The backlog of half-open entries fills up, and new SYNs are dropped, including those from real clients, whose connection attempts then time out.
Spoofed source addresses make the flood hard to trace back and send the SYN-ACKs to hosts that never asked for them, so no completing ACK ever returns.
SYN Cookies
The main defense is the SYN cookie.
- Instead of storing state on the first SYN, the server encodes the connection details (a coarse timestamp, the client's MSS, and a keyed hash over the addresses and ports) into the initial sequence number of its SYN-ACK.
- The server keeps nothing in the backlog for that request.
- When a genuine final ACK arrives, its acknowledgement number is the cookie plus one; the server recomputes the hash, checks that the timestamp is recent, and rebuilds the connection from the cookie.
This means a flood of SYNs that never complete costs the server no per-connection memory; it still pays CPU for the hash and bandwidth for the SYN-ACKs. Because the cookie has only 32 bits, TCP options such as window scaling and SACK are lost unless TCP timestamps are available to carry them, which is why Linux (net.ipv4.tcp_syncookies=1) sends cookies only once the backlog has overflowed.
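As an added example that is not part of the original page, the following toy model shows both sections above: a listener with a bounded backlog that drops real clients once spoofed SYNs fill it, and the same listener with SYN cookies, which stores nothing and still completes the real handshake. The cookie layout follows the classic scheme (5 bits of a slow counter, 3 bits of MSS index, 24 bits of keyed hash); the secret key, the 64-second tick, the MSS table and every address and port are assumptions of this model, not values from the page.

```python
"""Toy model of a TCP listener under a SYN flood, with and without SYN cookies.

Added illustration, not code from the original page. The secret key, the
64-second tick, the MSS table and all addresses below are assumptions.
"""
import hashlib
import hmac
import os
import random

MSS_TABLE = (536, 1300, 1440, 1460)   # assumed MSS buckets; index fits in 3 bits
COOKIE_SECRET = os.urandom(32)        # assumed per-process key
TICK_SECONDS = 64                     # assumed width of one counter tick


def _counter(now):
    """5-bit counter that advances once per tick; stored verbatim in the cookie."""
    return int(now // TICK_SECONDS) & 0x1F


def _hash24(key, saddr, sport, daddr, dport, counter, idx):
    """Keyed 24-bit hash binding the cookie to the 4-tuple, the tick and the MSS."""
    msg = f"{saddr}|{sport}|{daddr}|{dport}|{counter}|{idx}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, sport, daddr, dport, mss, now, key=COOKIE_SECRET):
    """ISN for the SYN-ACK: counter (5 bits) | MSS index (3 bits) | hash (24 bits)."""
    counter = _counter(now)
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (counter << 27) | (idx << 24) | _hash24(key, saddr, sport, daddr, dport, counter, idx)


def check_cookie(cookie, saddr, sport, daddr, dport, now, key=COOKIE_SECRET):
    """Validate a cookie carried back in the final ACK; return the MSS or None."""
    counter = (cookie >> 27) & 0x1F
    idx = (cookie >> 24) & 0x7
    if idx >= len(MSS_TABLE):
        return None
    if (_counter(now) - counter) & 0x1F > 1:      # older than two ticks: stale
        return None
    if (cookie & 0xFFFFFF) != _hash24(key, saddr, sport, daddr, dport, counter, idx):
        return None
    return MSS_TABLE[idx]


class Listener:
    """A listening socket with a bounded SYN backlog."""

    def __init__(self, backlog, syncookies):
        self.backlog = backlog
        self.syncookies = syncookies
        self.half_open = {}        # 4-tuple -> (our ISN, client MSS)
        self.established = set()
        self.dropped_syns = 0

    def on_syn(self, tup, mss, now):
        """Handle a SYN; return the SYN-ACK sequence number, or None if dropped."""
        if self.syncookies:
            return make_cookie(*tup, mss, now)            # nothing stored
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1                        # backlog full
            return None
        isn = random.getrandbits(32)
        self.half_open[tup] = (isn, mss)
        return isn

    def on_ack(self, tup, ack, now):
        """Handle the handshake's final ACK, whose ack number must be ISN + 1."""
        if self.syncookies:
            if check_cookie((ack - 1) & 0xFFFFFFFF, *tup, now) is None:
                return False
        else:
            state = self.half_open.get(tup)
            if state is None or (state[0] + 1) & 0xFFFFFFFF != ack:
                return False
            del self.half_open[tup]
        self.established.add(tup)
        return True


def simulate(syncookies, backlog=128, flood=1000):
    """Flood the listener with spoofed SYNs, then attempt one real handshake.

    Returns (real client connected, SYNs dropped, half-open entries left).
    """
    srv = Listener(backlog, syncookies)
    server = ("203.0.113.10", 443)
    now = 1_700_000_000.0
    for i in range(flood):                                 # spoofed, never ACKed
        spoofed = ("198.51.100.%d" % (i % 254 + 1), 1024 + i)
        srv.on_syn(spoofed + server, 1460, now)
    client = ("192.0.2.7", 40000)
    isn = srv.on_syn(client + server, 1460, now)
    ok = isn is not None and srv.on_ack(client + server, (isn + 1) & 0xFFFFFFFF, now + 0.05)
    return ok, srv.dropped_syns, len(srv.half_open)


if __name__ == "__main__":
    print("no cookies :", simulate(False))   # (False, 873, 128)
    print("SYN cookies:", simulate(True))    # (True, 0, 0)
```

Without cookies the 1000 spoofed SYNs fill the 128-entry backlog and every later SYN, the real client's included, is dropped. With cookies the listener stores nothing, the real client's ACK returns the cookie plus one, and the MSS is recovered from the cookie bits. A cookie presented with a different port, a tampered hash, or after the counter has moved on by more than one tick is rejected, which is the check a practitioner should expect any real implementation to perform.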
Supporting Tactics
Other measures help reduce exposure.
- Larger backlog queues (net.ipv4.tcp_max_syn_backlog on Linux) buy time under moderate floods but do not stop a sustained one.
- Shorter timeouts, for example fewer SYN-ACK retransmissions (net.ipv4.tcp_synack_retries on Linux), free half-open slots faster.
- Upstream ingress filtering (BCP 38) drops packets whose source addresses cannot legitimately arrive on that link, which removes much of the spoofed traffic.
Key idea
A SYN flood fills the backlog with half-open connections so that real clients are dropped; SYN cookies defeat it by encoding the connection state into the SYN-ACK sequence number, so the server stores nothing until a real ACK returns that cookie and passes verification.