Networking

SYN Flood And SYN Cookies

See how attackers exhaust connection state and how a stateless trick defends the server.

5 min read · advanced

Half-Open Connections

When a server receives a TCP SYN, it replies with a SYN-ACK and allocates state for a half-open connection while it waits for the final ACK. That state lives in a limited queue.

The Attack

A SYN flood abuses this. The attacker sends a torrent of SYN segments, often with spoofed source addresses, and never completes the handshake.

  • Each SYN consumes a slot in the half-open queue.
  • The final ACK never arrives, so slots are held until they time out.
  • The queue fills and legitimate clients are refused.

Because the sources are spoofed, simply blocking addresses does not help.

SYN Cookies

SYN cookies defend without keeping per-connection state. Instead of storing the half-open connection, the server encodes the needed information into the initial sequence number it sends in the SYN-ACK.

  • The sequence number is a cryptographic function of the connection details.
  • The server allocates no memory for the half-open connection.
  • When a real client returns the final ACK, the server reconstructs the state from the acknowledgment number.

A flood of SYNs that never complete therefore costs the server almost nothing, while genuine clients connect normally.
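
The encoding described above, as an added example that is not part of the original lesson and not any operating system's implementation. It goes slightly beyond the text by showing one common cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash); the key, MSS table, tick length and addresses are constructed assumptions.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-key"      # constructed; a real server uses a random secret
MSS_TABLE = [536, 1300, 1440, 1460]   # constructed; 3 bits can index up to 8 values
TICK_SECONDS = 64                     # assumed length of one time-counter tick


def _mac24(src, sport, dst, dport, tick, mss_idx):
    """24-bit keyed hash over the connection details, counter and MSS index."""
    msg = socket.inet_aton(src) + socket.inet_aton(dst)
    msg += struct.pack("!HHIB", sport, dport, tick & 0xFFFFFFFF, mss_idx)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(src, sport, dst, dport, client_mss, now):
    """Return the 32-bit ISN for the SYN-ACK. Nothing is stored per SYN."""
    tick = int(now) // TICK_SECONDS
    # Largest table entry that does not exceed the MSS the client offered.
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    mac = int.from_bytes(_mac24(src, sport, dst, dport, tick, idx), "big")
    return ((tick % 32) << 27) | (idx << 24) | mac


def check_cookie(src, sport, dst, dport, ack_number, now):
    """Validate the final ACK. Return the recovered MSS, or None if invalid."""
    cookie = (ack_number - 1) & 0xFFFFFFFF   # client acknowledges ISN + 1
    idx = (cookie >> 24) & 0x7
    if idx >= len(MSS_TABLE):
        return None
    current = int(now) // TICK_SECONDS
    for tick in (current, current - 1):      # accept this tick and the previous one
        if tick % 32 != cookie >> 27:
            continue
        expected = _mac24(src, sport, dst, dport, tick, idx)
        if hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[idx]
    return None


if __name__ == "__main__":
    conn = ("198.51.100.7", 40000, "203.0.113.10", 443)   # constructed addresses
    isn = make_cookie(*conn, client_mss=1460, now=1000)
    print(check_cookie(*conn, ack_number=(isn + 1) & 0xFFFFFFFF, now=1030))  # completes
    print(check_cookie(*conn, ack_number=12345, now=1030))                   # rejected
```

The server only allocates connection state after check_cookie succeeds, so a SYN that is never followed by a valid ACK costs one hash computation and no memory.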

Key idea

A SYN flood exhausts the half-open connection queue with incomplete handshakes, and SYN cookies defend by encoding connection state into the sequence number so the server stores nothing until a real ACK returns.

Check yourself

1. What resource does a SYN flood try to exhaust?

2. How do SYN cookies avoid storing half-open state?