What is a SYN flood attack?

A SYN flood attack (half-open attack) is a DDoS attack that aims to render a server or online service unavailable to legitimate users by overwhelming the server's resources. This is achieved by repeatedly sending a large number of initial connection request (SYN) packets to the targeted server. As a result, all available ports on the server become occupied, causing the server to respond slowly or not at all to legitimate traffic.

How does a SYN flood attack work?

To understand how a SYN flood attack works, it is essential to grasp the basic TCP handshake process. In a normal TCP connection, three distinct processes occur:

1. The client sends a SYN packet to the server to initiate the connection.
2. The server responds with a SYN/ACK packet to acknowledge the communication.
3. The client sends an ACK packet back to the server to confirm the receipt and complete the handshake.

However, in a SYN flood attack, the attacker exploits the fact that the server responds to each SYN packet by leaving an open port ready to receive the response. The attacker floods the targeted server with a high volume of SYN packets, often using spoofed IP addresses. 

As the server waits for the final ACK packet, which never arrives, the attacker continues to send more SYN packets, temporarily occupying new open ports. Eventually, all available ports are utilized, preventing the server from functioning normally.

Related: What is spoofing?

Different types of SYN attacks

SYN flood attacks can occur in various ways, each with its characteristics and implications. The three main types of SYN attacks are:

Direct attack

In a direct attack, the attacker does not mask their IP address. They use a single source device with a real IP address to create the attack. This makes the attacker vulnerable to discovery and mitigation.

Spoofed attack

In a spoofed attack, the attacker intentionally spoofs the IP address on each SYN packet they send. This inhibits mitigation efforts and makes tracing the attack back to its source challenging. 

Distributed attack (DDoS)

A distributed attack involves using a botnet, a network of compromised devices controlled by the attacker. In this type of attack, each distributed device may also spoof the IP addresses from which it sends packets.

Go deeper: 

• What is a DDoS attack? 
• What is a botnet? 

Mitigation techniques for SYN floods

Since SYN flood attacks have been a known vulnerability for a long time, several mitigation techniques have been developed:

Increasing backlog queue

One method to mitigate SYN flood attacks is to increase the maximum number of half-open connections allowed by the operating system on the targeted device. By raising the maximum backlog, the system can handle more SYN packets.

Recycling the oldest half-open TCP connection

Another mitigation strategy involves overwriting the oldest half-open connection once the backlog has been filled. This approach assumes that legitimate connections can be established faster than the backlog can be filled with malicious SYN packets. 

SYN cookies

SYN cookies offer an alternative mitigation technique. When a server receives a SYN request, it creates a cookie to track the connection. Instead of dropping the SYN request from the backlog, the server responds with a SYN-ACK packet but removes the request from memory, leaving the port open. If the client machine sends a final ACK packet to complete the connection, the server reconstructs the SYN backlog queue entry. 

See also: HIPAA Compliant Email: The Definitive Guide

In the news

In a recent cyber incident, Akamai defended against a massive DDoS attack directed at a major US bank, peaking at 55.1 million packets per second. On September 5, the attack, though brief, reached 633.7 gigabits per second, employing various flood attack techniques like ACK, PUSH, RESET, and SYN floods. Despite the onslaught directed at the bank's web infrastructure, no services were disrupted or damaged. This event indicates a concerning trend as DDoS attacks targeting financial institutions have notably increased, with Akamai reporting over 30% of recent attacks pointed at such entities. This surge in attacks, facilitated by easier access to DDoS-for-hire services, poses challenges to cybersecurity in the financial sector.

FAQs

What is a SYN flood attack and how does it relate to healthcare security?

A SYN flood attack is a type of DDoS attack that overwhelms a server with a flood of SYN (synchronization) requests, causing it to become unresponsive to legitimate traffic. In healthcare, SYN flood attacks can disrupt critical services, impacting patient care and access to medical information.

Why are SYN flood attacks a concern for HIPAA compliance in healthcare settings? 

SYN flood attacks are a concern because they can lead to service disruptions that affect the availability of systems storing or transmitting protected health information (PHI). Prolonged downtime can hinder healthcare operations, delay patient care, and potentially result in HIPAA violations if access to PHI is compromised.

What are the potential risks associated with SYN flood attacks under HIPAA? 

Potential risks of SYN flood attacks include:

• Service disruption: Interruptions in healthcare services, affecting patient care and access to medical records.
• Operational impact: Reduced ability to perform main functions such as patient registration, billing, and clinical operations.
• Data accessibility: Delayed access to PHI, impacting medical decision-making and treatment.
• Financial losses: Costs associated with mitigating the attack, restoring services, and potential fines for non-compliance.
  
  

How can healthcare facilities prevent and mitigate SYN flood attacks to maintain HIPAA compliance? 

Healthcare facilities can prevent and mitigate SYN flood attacks by implementing cybersecurity measures, including:

• Network security measures: Using firewalls and intrusion detection/prevention systems (IDS/IPS) to detect and block malicious traffic.
• Traffic filtering: Implementing rate limiting and traffic filtering to manage the volume of incoming SYN requests.
• Load balancing: Distributing traffic across multiple servers to prevent a single point of failure.
• DDoS protection services: Employing DDoS protection services that can absorb and mitigate attack traffic.
• Regular monitoring: Continuously monitoring network traffic for signs of DDoS attacks and unusual activity.

See also: HIPAA Compliant Email: The Definitive Guide