Quiz Entry - updated: 2026.06.26
What is a SYN flood attack and why does the TCP handshake make it possible?
The attacker sends a flood of SYN packets with spoofed source IPs; the server reserves a half-open connection for each and waits for an ACK that never comes, exhausting its connection table.
The TCP three-way handshake is SYN → SYN-ACK → ACK. After step 2, the server has allocated a TCB (Transmission Control Block) and is waiting for step 3. If step 3 never arrives, the slot sits there until a timeout (often 30–60 s). Fill all the slots and legitimate clients can't connect.
The spoofed source IP serves two purposes:
- The SYN-ACK goes to some random victim, so the attacker doesn't waste their own bandwidth on replies.
- It hides the attacker's real address and makes filtering harder.
Mitigations:
- SYN cookies — don't allocate state until the third packet arrives, encode the necessary state into the SYN-ACK sequence number.
- Connection rate limiting at the firewall.
- Increasing the backlog queue (a stopgap).
Tip: SYN floods sit at the Transport layer — your application code can't fix them; the OS/kernel and network gear have to.