Skip to main content
CriticalProtected by PowerWAF

SYN Flood Attack

CategoryDDoSFirst seen1996Read time10 minVerified2026-03-11
DEFINITION

A SYN flood is a denial-of-service attack that exploits the TCP three-way handshake by sending massive volumes of SYN packets with spoofed source IP addresses. The target server allocates resources for each half-open connection and waits for a final ACK that never arrives, exhausting its connection state table and making it unable to accept legitimate TCP connections.

RFC 4987 – TCP SYN Flooding Attacks and Common MitigationsCWE-400: Uncontrolled Resource ConsumptionOWASP Denial of Service Cheat SheetBCP 38 – Network Ingress Filtering (Anti-Spoofing)

How SYN Flood Attack Works

Every TCP connection begins with a three-way handshake: the client sends SYN, the server responds with SYN-ACK and allocates a Transmission Control Block (TCB) to track the pending connection, and the client completes with ACK. A SYN flood weaponizes this by sending SYN packets from forged IP addresses at enormous rates β€” millions per second in modern attacks. The server dutifully allocates a TCB for each one and sends SYN-ACKs to addresses that either don't exist or never initiated the connection. Each TCB consumes memory (typically 280-700 bytes depending on the OS) and persists for 60-75 seconds until timeout. With enough SYN packets, the backlog queue fills entirely, and the kernel silently drops all new connection attempts β€” including those from real users.

1

Forge source addresses and flood SYN packets

The attacker uses raw sockets or a botnet to generate TCP SYN packets at rates of hundreds of thousands to millions per second. Each packet carries a spoofed source IP address β€” either randomized, drawn from non-routable ranges, or set to real but uninvolved hosts. The spoofing serves two purposes: it prevents the attacker's real IP from being blocked, and it ensures the handshake can never complete because the SYN-ACK replies go to addresses that never initiated the connection.

2

Force the server to allocate connection state

For every SYN received, the server's TCP stack allocates a Transmission Control Block (TCB) in kernel memory, records the client's sequence number, generates its own initial sequence number, and sends a SYN-ACK back to the spoofed address. This allocation happens before any application logic runs β€” the operating system itself is the target. The TCB sits in the SYN_RECEIVED state, occupying space in the backlog queue that has a finite, configured size (typically 128-1024 entries per listening socket).

3

Exhaust the backlog queue with half-open connections

The SYN-ACK packets either reach non-existent hosts (no response) or real hosts that send RST because they never initiated the connection (ignored by the attacker's continued flood). The server retransmits the SYN-ACK 3-5 times at exponential intervals before giving up, keeping each TCB alive for 60-75 seconds. Meanwhile, new SYN packets arrive far faster than old entries expire. The backlog queue for each listening port fills completely.

4

Deny service to legitimate users

Once the backlog queue is full, the kernel drops all incoming SYN packets for that port β€” legitimate users receive no response at all, experiencing connection timeouts. Unlike application-layer attacks that return error messages, SYN floods cause complete silence: no TCP RST, no HTTP error, no indication that the server exists. Load balancers, reverse proxies, and even firewalls can be overwhelmed if they maintain connection state tables of their own.

5

Sustain the flood to outlast timeouts

The attacker maintains the packet rate above the threshold needed to keep the backlog queue full as old entries expire. With a 75-second timeout and a backlog of 1024, the attacker needs to sustain just ~14 SYN packets per second to keep the queue full β€” trivial even from a single machine. Modern distributed SYN floods using botnets send millions of packets per second, overwhelming even servers with enlarged backlog queues and aggressive timeouts.

Real-World Examples

1996

Panix ISP β€” the first major SYN flood

Panix, one of the oldest commercial ISPs in New York, was taken offline for over 36 hours by a SYN flood sending 150-210 spoofed SYN packets per second β€” the first high-profile incident of its kind. CERT issued Advisory CA-1996-21, bringing SYN floods to mainstream awareness. Just seven days later, Daniel J. Bernstein and Eric Schenck proposed SYN cookies as a defense, fundamentally changing how operating systems handle TCP connection state.

2022

Ukrainian banks and government DDoS campaign

On February 15, 2022, a coordinated DDoS campaign including SYN floods took down the websites of Ukraine's Ministry of Defense, Armed Forces, PrivatBank, and Oschadbank β€” the country's two largest state-owned banks. Mobile banking apps and online payments became inaccessible for over two hours, affecting millions of customers during a period of heightened geopolitical tension. The attack, attributed to Russian state actors, demonstrated how SYN floods against financial infrastructure can amplify the impact of broader conflict operations.

2024

OVHcloud record-breaking packet-rate attacks

In April 2024, OVHcloud mitigated a record-breaking DDoS attack peaking at 840 million packets per second, composed of 99% TCP ACK packets from approximately 5,000 source IPs β€” primarily compromised MikroTik cloud core routers. By October 2024, the hosting provider faced a sustained two-week campaign with over 40 attacks ranging from 2 Tbps to a record 4.2 Tbps. The incidents highlighted the escalating scale of TCP-based floods and the role of compromised network equipment in amplifying packet-rate attacks.

Impact & Risk Assessment

SYN floods are uniquely dangerous because they attack the operating system's TCP stack directly, below the application layer, meaning no application-level defense (WAF, rate limiting, authentication) can help once the backlog queue is exhausted. The impact is binary and total: once the queue fills, the server accepts zero new connections on the targeted port. Web servers, databases, mail servers, VPN gateways, and any TCP-based service become completely unreachable. Unlike volumetric attacks that require bandwidth exceeding the target's capacity, SYN floods can deny service with relatively modest bandwidth β€” a 1 Gbps SYN flood generates enough packets to overwhelm most unprotected servers. Financial impact includes direct revenue loss during downtime, SLA penalties, emergency mitigation costs ($3,000-$50,000+ per incident for scrubbing services), and reputational damage. Critical infrastructure targets (healthcare, banking, government) face regulatory consequences and potential physical safety risks when services become unavailable.

How to Detect SYN Flood Attack

Monitor the ratio of SYN packets to established connections β€” during normal operation this ratio is close to 1:1, while during a SYN flood it skyrockets as connections fail to complete. Track the number of connections in SYN_RECEIVED state using netstat or ss; a sudden increase from dozens to thousands indicates an active flood. Analyze source IP diversity: legitimate traffic comes from relatively stable IP pools, while SYN floods show thousands of unique source IPs, often from non-routable ranges (RFC 1918), bogon addresses, or geographically impossible distributions. Monitor the backlog queue utilization for each listening socket β€” approaching maximum capacity is a critical warning. Network flow analysis tools (NetFlow, sFlow, IPFIX) can identify SYN-heavy traffic patterns at the network perimeter before they impact servers. Deploy Intrusion Detection Systems with signatures for SYN flood characteristics: high SYN rate from diverse sources, SYN packets with unusual TCP options or window sizes, and SYN-ACK retransmission spikes indicating unanswered handshakes.

How to Prevent SYN Flood Attack

Enable SYN cookies at the operating system level β€” this is the most effective single mitigation. SYN cookies encode the connection state in the SYN-ACK sequence number rather than allocating a TCB, allowing the server to validate returning ACKs without maintaining state for half-open connections. Increase the TCP backlog queue size (net.ipv4.tcp_max_syn_backlog on Linux) and reduce the SYN-RECEIVED timeout (net.ipv4.tcp_synack_retries) to expire half-open connections faster. Deploy a reverse proxy or load balancer that terminates TCP connections on behalf of backend servers β€” the proxy absorbs the SYN flood while backends remain protected. Implement BCP 38 (RFC 2827) source address validation at the network edge to prevent IP spoofing from your network and advocate for its adoption by upstream providers. For high-value targets, deploy dedicated DDoS protection services (cloud-based scrubbing centers) that can absorb SYN floods of any size before traffic reaches your infrastructure. Configure firewalls with SYN rate limiting per source IP and enable TCP SYN proxy mode where available.

Code Examples

Mitigation: Linux kernel TCP hardening (sysctl)
# Enable SYN cookies β€” the most important single defense
# Activates automatically when backlog queue fills
sysctl -w net.ipv4.tcp_syncookies=1

# Increase the SYN backlog queue (default is often 128-256)
sysctl -w net.ipv4.tcp_max_syn_backlog=65535

# Reduce SYN-ACK retransmissions (default 5 β†’ ~180s; reduce to 2 β†’ ~15s)
# Half-open connections expire faster, freeing backlog slots
sysctl -w net.ipv4.tcp_synack_retries=2

# Increase the system-wide connection tracking table
sysctl -w net.netfilter.nf_conntrack_max=1000000

# Enable TCP timestamps (required for SYN cookie MSS encoding)
sysctl -w net.ipv4.tcp_timestamps=1

# Increase the listen() backlog maximum
sysctl -w net.core.somaxconn=65535

# Rate-limit incoming SYN packets per source with iptables
# Allow 10 new connections/sec per IP, burst of 20
iptables -A INPUT -p tcp --syn -m hashlimit \
  --hashlimit-above 10/sec \
  --hashlimit-burst 20 \
  --hashlimit-mode srcip \
  --hashlimit-name syn_flood \
  -j DROP

# Drop packets from non-routable source IPs (anti-spoofing)
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -i eth0 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -i eth0 -j DROP
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/4 -j DROP

# Persist across reboots
sysctl -p
Detection: Monitor half-open connections and SYN ratio
import subprocess
import re
import time
import logging

logger = logging.getLogger('syn_flood_monitor')

def get_tcp_state_counts():
    """Parse ss output to count connections by TCP state"""
    result = subprocess.run(
        ['ss', '-tan', 'state', 'all'],
        capture_output=True, text=True
    )
    
    states = {}
    for line in result.stdout.strip().split('\n')[1:]:
        parts = line.split()
        if parts:
            state = parts[0]
            states[state] = states.get(state, 0) + 1
    
    return states

def get_syn_packet_rate(interface='eth0', duration=5):
    """Measure incoming SYN packet rate using tcpdump"""
    result = subprocess.run(
        ['timeout', str(duration), 'tcpdump', '-i', interface,
         '-c', '100000', 'tcp[tcpflags] & tcp-syn != 0',
         '-q', '--immediate-mode'],
        capture_output=True, text=True, timeout=duration + 5
    )
    
    # Count captured SYN packets
    lines = result.stdout.strip().split('\n')
    syn_count = len([l for l in lines if l.strip()])
    return syn_count / duration  # packets per second

def monitor_syn_flood(
    syn_received_threshold=500,
    syn_rate_threshold=1000,
    check_interval=10
):
    """Continuous SYN flood monitoring with alerting"""
    while True:
        states = get_tcp_state_counts()
        syn_received = states.get('SYN-RECV', 0)
        established = states.get('ESTAB', 0)
        
        # Alert 1: High number of half-open connections
        if syn_received > syn_received_threshold:
            logger.critical(
                f'SYN FLOOD INDICATOR: {syn_received} half-open connections '
                f'(threshold: {syn_received_threshold}), '
                f'{established} established'
            )
        
        # Alert 2: Abnormal ratio of half-open to established
        if established > 0:
            ratio = syn_received / established
            if ratio > 0.5:  # Normally < 0.01
                logger.warning(
                    f'Abnormal SYN-RECV/ESTAB ratio: {ratio:.2f} '
                    f'({syn_received}/{established})'
                )
        
        time.sleep(check_interval)

if __name__ == '__main__':
    logging.basicConfig(level=logging.INFO)
    monitor_syn_flood()
Mitigation: Nginx as TCP SYN flood absorber
# Nginx as reverse proxy absorbs SYN floods for backend servers.
# The OS handles SYN cookies; Nginx only sees completed connections.

worker_processes auto;
worker_rlimit_nofile 65535;

events {
    worker_connections 65535;
    multi_accept on;
    use epoll;
}

http {
    # Timeouts to quickly reclaim resources from slow/dead connections
    keepalive_timeout       15s;
    client_header_timeout   10s;
    client_body_timeout     10s;
    send_timeout            10s;
    reset_timedout_connection on;

    # Limit concurrent connections per IP
    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;

    # Limit new connection rate per IP
    limit_req_zone $binary_remote_addr zone=req_per_ip:10m rate=20r/s;

    server {
        listen 443 ssl http2 backlog=65535;

        # Max 50 concurrent connections per IP
        limit_conn conn_per_ip 50;

        # Max 20 requests/sec per IP, burst 40
        limit_req zone=req_per_ip burst=40 nodelay;

        location / {
            proxy_pass http://backend;
            proxy_buffering on;

            # Backend only receives fully established, legitimate connections
            proxy_connect_timeout 5s;
            proxy_read_timeout    30s;
            proxy_send_timeout    10s;
        }
    }
}

PowerWAF automatically blocks SYN Flood Attack at the edge.

Deploy in minutes. No code changes required. Free plan available.

Start FreeSee Documentation

Free plan spots are limited

Frequently Asked Questions

SYN cookies eliminate the resource exhaustion vulnerability entirely. Instead of storing connection state in a TCB when receiving a SYN, the server encodes the essential information (MSS, timestamp, peer address) into the initial sequence number of the SYN-ACK packet using a cryptographic hash. No state is stored. When the legitimate client returns with ACK, the server reconstructs the connection parameters from the sequence number, validates them, and only then allocates a TCB. The tradeoff is that some TCP options (window scaling, selective ACKs) may be lost, but this is far preferable to being offline. On Linux, SYN cookies activate automatically when the backlog queue fills (net.ipv4.tcp_syncookies=1).
Surprisingly little. A SYN packet is typically 40-60 bytes (TCP/IP headers with no payload). To fill a backlog queue of 1,024 entries with a 75-second timeout, the attacker needs approximately 14 packets per second β€” under 1 Kbps. Even a 100 Mbps SYN flood generates roughly 2 million packets per second, enough to overwhelm almost any unprotected server. This asymmetry is what makes SYN floods so dangerous: the attacker's bandwidth cost is a tiny fraction of the damage inflicted.
It depends on the load balancer's architecture. Layer 4 load balancers that maintain connection state tables can be overwhelmed by SYN floods themselves, becoming the bottleneck. Layer 7 load balancers (reverse proxies) that fully terminate TCP connections are better positioned β€” they absorb the flood and only forward completed connections to backends. However, the load balancer itself must be hardened (SYN cookies, large backlog queues, sufficient memory) to withstand the flood. Cloud-based load balancers (AWS ALB/NLB, GCP Load Balancer) are generally more resilient because they have massive distributed capacity.
Each individual SYN packet in a flood is indistinguishable from a legitimate connection request β€” it's a valid TCP packet with a valid header structure. Stateful firewalls that track connections face the same backlog exhaustion problem as servers. Stateless packet filters can rate-limit SYN packets, but setting the threshold correctly is difficult: too aggressive blocks legitimate users during traffic spikes; too permissive lets the flood through. The most effective firewall-level mitigation is SYN proxy mode, where the firewall completes the handshake on behalf of the server and only forwards fully established connections.
A SYN flood exploits the handshake initiation, exhausting connection state resources with half-open connections. An ACK flood sends large volumes of ACK packets to a server that has no corresponding half-open connections for them β€” the server must look up each ACK against its connection table, consuming CPU. SYN floods are more effective at denying service because they fill a finite resource (backlog queue), while ACK floods primarily waste CPU cycles and are easier to filter because unexpected ACKs can be dropped without risk.