Notes:
SYN flooding is a recent but very dangerous denial of service (DoS) attack. Unlike other DoS attacks such as mail bombing, it involves very little traffic on the attacker's side; it can therefore be launched from a low-speed dial-up connection yet be deadly effective against even the most powerful of servers.
SYN flooding exploits the way TCP makes reliable connections. Before a TCP connection is fully opened, sequence numbers have to be exchanged. A SYN flood attack sends a SYN request to a server with the source address spoofed to be that of a non-existent system. The server allocates various data buffers and then sends an acknowledgment to the client. The server has a finite capacity for maintaining these half-open connections, but the handshake normally completes fairly quickly. However, where the system doesn't exist, the TCP layer will wait many minutes for the final acknowledgment before timing out. The TCP layer ignores ICMP messages telling it that the spoofed client or network doesn't exist; it assumes these are transient errors.
It is therefore fairly easy to tie a server up processing these requests; in extreme cases, such as when all available services are flooded, the system can crash due to memory exhaustion.
There is no sure prevention against this form of attack. Packet filtering techniques to prevent spoofing can stop attacks being launched from a network, but since the incoming packets don't rely on having a local source address, an input filter is ineffective. Detection may be possible: too many connections in the SYN_RECEIVED state are indicative of an attack. Those connections could then automatically be sent reset messages. The TCP layers in many Unix implementations and NT (Service Pack 2) have been altered to be less vulnerable to this kind of attack; interestingly, the fix to Linux was available just some hours after the attack was discovered!
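The detection idea above (too many half-open connections) can be scripted over socket-table output. This is an added example, not from the note or the CERT advisory; the netstat-style sample lines, the port-level threshold of 3 and the state names checked are all assumptions.

```python
"""Added example: flag a possible SYN flood by counting half-open (SYN_RECV /
SYN_RECEIVED) connections per local port in netstat-style output."""
from collections import Counter

# Constructed sample in Linux `netstat -tan` layout (not a real capture).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.45:4001       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.46:4002       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.47:4003       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.48:4004       SYN_RECV
tcp        0      0 192.0.2.10:22           198.51.100.9:60000      ESTABLISHED
tcp        0      0 192.0.2.10:25           203.0.113.50:5001       SYN_RECV
"""

# Linux and BSD/Windows spell the half-open state differently.
HALF_OPEN_STATES = {"SYN_RECV", "SYN_RECEIVED"}


def count_states(netstat_text):
    """Return {local_port: Counter(state -> count)} parsed from netstat text."""
    per_port = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header, non-TCP or malformed line
        local, state = fields[3], fields[5]
        port = local.rsplit(":", 1)[-1]  # works for IPv4 and [v6]:port forms
        per_port.setdefault(port, Counter())[state] += 1
    return per_port


def suspicious_ports(netstat_text, threshold=3):
    """Ports whose half-open connection count reaches the (assumed) threshold."""
    flagged = {}
    for port, states in count_states(netstat_text).items():
        half_open = sum(n for s, n in states.items() if s in HALF_OPEN_STATES)
        if half_open >= threshold:
            flagged[port] = half_open
    return flagged


if __name__ == "__main__":
    for port, n in suspicious_ports(SAMPLE_NETSTAT).items():
        print(f"port {port}: {n} half-open connections (possible SYN flood)")
```

On a live host, feed the function the output of `netstat -tan` (or the equivalent socket listing) and tune the threshold to the server's normal backlog.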
Ref: CERT Advisory CA-96.21