LOGBOOK

HELP

Quiz Entry - updated: 2026.06.26

What is a SYN flood attack and why does the TCP handshake make it possible?

The attacker sends a flood of SYN packets with spoofed source IPs; the server reserves a half-open connection for each and waits for an ACK that never comes, exhausting its connection table.

The TCP three-way handshake is SYN → SYN-ACK → ACK. After step 2, the server has allocated a TCB (Transmission Control Block) and is waiting for step 3. If step 3 never arrives, the slot sits there until a timeout (often 30–60 s). Fill all the slots and legitimate clients can't connect.

The spoofed source IP serves two purposes:

  • The SYN-ACK goes to some random victim, so the attacker doesn't waste their own bandwidth on replies.
  • It hides the attacker's real address and makes filtering harder.

Mitigations:

  • SYN cookies — don't allocate state until the third packet arrives, encode the necessary state into the SYN-ACK sequence number.
  • Connection rate limiting at the firewall.
  • Increasing the backlog queue (a stopgap).

Tip: SYN floods sit at the Transport layer — your application code can't fix them; the OS/kernel and network gear have to.

From Quiz: ISF / Web Application Security Basics | Updated: Jun 26, 2026