A SYN flood attack (half-open attack) is a DDoS attack that aims to render a server or online service unavailable to legitimate users by overwhelming the server's resources. This is achieved by repeatedly sending a large number of initial connection request (SYN) packets to the targeted server. As a result, the server's table of half-open connections fills up, causing the server to respond slowly or not at all to legitimate traffic.
To understand how a SYN flood attack works, it is essential to grasp the basic TCP handshake process. In a normal TCP connection, three distinct steps occur:
1. The client sends a SYN packet to the server to request a connection.
2. The server acknowledges the request with a SYN-ACK packet and records the connection as half-open while it waits for the client's reply.
3. The client sends a final ACK packet, and the connection is established.
However, in a SYN flood attack, the attacker exploits the fact that the server answers every SYN packet with a SYN-ACK and then holds a half-open connection entry while it waits for the client's reply. The attacker floods the targeted server with a high volume of SYN packets, often using spoofed IP addresses.
As the server waits for the final ACK packet, which never arrives, the attacker continues to send more SYN packets, each occupying another half-open connection slot. Eventually, the backlog of half-open connections is exhausted, preventing the server from accepting new legitimate connections.
SYN flood attacks can occur in various ways, each with its own characteristics and implications. The three main types of SYN flood attacks are:
In a direct attack, the attacker does not mask their IP address. They use a single source device with a real IP address to create the attack. This makes the attacker vulnerable to discovery and mitigation.
In a spoofed attack, the attacker intentionally spoofs the IP address on each SYN packet they send. This inhibits mitigation efforts and makes tracing the attack back to its source challenging.
A distributed attack involves using a botnet, a network of compromised devices controlled by the attacker. In this type of attack, each distributed device may also spoof the IP addresses from which it sends packets.
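The handshake and the three attack types above can be told apart from the traffic itself: a flood shows as a burst of SYNs that are never completed by the client's final ACK, and the number of distinct source addresses separates a direct attack from a spoofed or distributed one. The following is an added detection example, not code from the original article; the packet records, time window and thresholds are constructed assumptions to be tuned against a real baseline.

```python
from collections import defaultdict

# Constructed sample traffic, not captured data: (seconds, src_ip, tcp_flags)
# arriving at one listening port. "S" = SYN from a client, "A" = the client's
# final ACK that completes the three-way handshake (the server's SYN-ACK in
# between is implied and not listed).
LEGIT = [(0.0, "10.0.0.5", "S"), (0.05, "10.0.0.5", "A"),
         (0.3, "10.0.0.9", "S"), (0.35, "10.0.0.9", "A")]
# Direct flood: one real source, many SYNs, no ACKs (window starting at 1.0 s).
DIRECT = [(1.0 + i * 0.002, "198.51.100.7", "S") for i in range(400)]
# Spoofed flood: SYNs from many different addresses, no ACKs (window at 2.0 s).
SPOOFED = [(2.0 + i * 0.002, f"203.0.113.{i % 250}", "S") for i in range(400)]
SAMPLE = LEGIT + DIRECT + SPOOFED


def window_stats(packets, window_s=1.0):
    """Group packets into fixed time windows and count SYNs, completing ACKs
    and distinct SYN sources per window. Returns {window_index: stats}."""
    stats = defaultdict(lambda: {"syn": 0, "ack": 0, "sources": set()})
    for t, src, flags in packets:
        w = int(t // window_s)
        if flags == "S":
            stats[w]["syn"] += 1
            stats[w]["sources"].add(src)
        elif flags == "A":
            stats[w]["ack"] += 1
    return stats


def classify_window(s, syn_threshold=100, min_completion=0.5):
    """Label one window. A SYN rate above the threshold whose SYNs are mostly
    never completed by an ACK is the flood signature; the distinct-source
    count separates a direct attack from a spoofed or distributed one.
    The thresholds are illustrative assumptions."""
    syn = s["syn"]
    if syn < syn_threshold:
        return "normal"
    completion = s["ack"] / syn
    if completion >= min_completion:
        return "normal"  # busy, but handshakes complete: legitimate load
    if len(s["sources"]) == 1:
        return "syn_flood:direct"
    # Many sources and no completions: spoofed addresses or a botnet;
    # packet headers alone cannot tell those two apart.
    return "syn_flood:spoofed_or_distributed"


def detect(packets, window_s=1.0):
    """Return {window_index: label} for every window in the sample."""
    return {w: classify_window(s)
            for w, s in sorted(window_stats(packets, window_s).items())}


if __name__ == "__main__":
    for w, label in detect(SAMPLE).items():
        print(f"window {w}: {label}")
```

The completion ratio matters more than the raw SYN count: a legitimate traffic spike also produces many SYNs, but its clients answer the SYN-ACK, so the ratio stays high.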
Since SYN flood attacks have been a known vulnerability for a long time, several mitigation techniques have been developed:
One method to mitigate SYN flood attacks is to increase the maximum number of half-open connections allowed by the operating system on the targeted device. By raising the maximum backlog, the system can handle more SYN packets.
Another mitigation strategy involves overwriting the oldest half-open connection once the backlog has been filled. This approach assumes that legitimate connections can be established faster than the backlog can be filled with malicious SYN packets.
SYN cookies offer an alternative mitigation technique. When a server receives a SYN request, instead of storing a half-open entry in the backlog, it encodes the connection state into the initial sequence number of its SYN-ACK packet (the cookie) and keeps nothing in memory. If the client machine sends a final ACK packet to complete the connection, the server validates the cookie echoed back in the acknowledgment number and reconstructs the SYN backlog queue entry from it.
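The three mitigations described above behave differently under the same flood, and a small model makes the trade-offs visible: a larger backlog only delays exhaustion, overwriting the oldest entry works only while a legitimate client can finish its handshake before it is evicted, and SYN cookies keep no state to exhaust. The following simulation is an added example, not code from the original article; the backlog size, flood sizes and the HMAC-based cookie construction are illustrative assumptions, not a specific operating system's implementation.

```python
import hashlib
import hmac
import itertools
import os


class HalfOpenTable:
    """Model of a server's half-open (SYN-received) backlog under three
    policies: "drop" new SYNs when the backlog is full, "evict_oldest" to
    make room, or stateless "syncookie" where no entry is stored at all."""

    def __init__(self, policy, backlog_size=128, secret=None):
        self.policy = policy
        self.backlog_size = backlog_size
        self.backlog = {}  # (client_ip, port) -> server ISN, oldest first
        self.secret = secret or os.urandom(32)  # per-server cookie key
        self.established = 0
        self._isn = itertools.count(1000)

    def _cookie(self, client, client_isn, minute):
        """Derive a 32-bit server ISN from a MAC over the client's address,
        its ISN and a coarse timestamp, so a later ACK can be verified
        without any stored state (assumed construction)."""
        msg = f"{client[0]}:{client[1]}:{client_isn}:{minute}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def receive_syn(self, client, client_isn, minute=0):
        """Handle a SYN. Returns the server ISN sent in the SYN-ACK, or None
        if the SYN had to be dropped."""
        if self.policy == "syncookie":
            return self._cookie(client, client_isn, minute)
        if len(self.backlog) >= self.backlog_size:
            if self.policy == "drop":
                return None
            oldest = next(iter(self.backlog))  # evict_oldest
            del self.backlog[oldest]
        isn = next(self._isn)
        self.backlog[client] = isn
        return isn

    def receive_ack(self, client, client_isn, ack_num, minute=0):
        """Handle the client's final ACK (ack_num = server ISN + 1).
        Returns True if the connection becomes established."""
        if self.policy == "syncookie":
            expected = self._cookie(client, client_isn, minute)
            got = (ack_num - 1) & 0xFFFFFFFF
            ok = hmac.compare_digest(got.to_bytes(4, "big"),
                                     expected.to_bytes(4, "big"))
            if ok:
                self.established += 1  # entry rebuilt from the cookie
            return ok
        isn = self.backlog.pop(client, None)
        if isn is None or ack_num != isn + 1:
            return False  # entry was dropped or evicted: ACK is ignored
        self.established += 1
        return True


def run_flood(policy, flood_syns=1000, backlog_size=128,
              syns_during_handshake=0):
    """Deliver flood_syns spoofed SYNs that never ACK, then one legitimate
    handshake with syns_during_handshake more flood SYNs arriving between
    its SYN and ACK. Returns whether the legitimate client connected."""
    table = HalfOpenTable(policy, backlog_size)
    for i in range(flood_syns):
        table.receive_syn(("203.0.113.%d" % (i % 250), 40000 + i), i)
    legit = ("10.0.0.5", 51234)
    isn = table.receive_syn(legit, client_isn=7)
    if isn is None:
        return False
    for i in range(syns_during_handshake):
        table.receive_syn(("203.0.113.%d" % (i % 250), 60000 + i), i)
    return table.receive_ack(legit, client_isn=7, ack_num=isn + 1)


if __name__ == "__main__":
    for policy in ("drop", "evict_oldest", "syncookie"):
        print(policy, run_flood(policy), run_flood(policy, syns_during_handshake=200))
```

Run with a flood larger than the backlog: the "drop" policy refuses the legitimate SYN outright, "evict_oldest" admits it but loses it if the flood keeps arriving before the ACK, and "syncookie" completes the handshake regardless of flood size, at the cost that the timestamp in the cookie makes late ACKs from a previous period invalid.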
In a recent cyber incident, Akamai defended against a massive DDoS attack directed at a major US bank, peaking at 55.1 million packets per second. On September 5, the attack, though brief, reached 633.7 gigabits per second, employing various flood attack techniques like ACK, PUSH, RESET, and SYN floods. Despite the onslaught directed at the bank's web infrastructure, no services were disrupted or damaged. This event indicates a concerning trend as DDoS attacks targeting financial institutions have notably increased, with Akamai reporting over 30% of recent attacks pointed at such entities. This surge in attacks, facilitated by easier access to DDoS-for-hire services, poses challenges to cybersecurity in the financial sector.
A SYN flood attack is a type of DDoS attack that overwhelms a server with a flood of SYN (synchronization) requests, causing it to become unresponsive to legitimate traffic. In healthcare, SYN flood attacks can disrupt critical services, impacting patient care and access to medical information.
SYN flood attacks are a concern because they can lead to service disruptions that affect the availability of systems storing or transmitting protected health information (PHI). Prolonged downtime can hinder healthcare operations, delay patient care, and potentially result in HIPAA violations if access to PHI is compromised.
Potential risks of SYN flood attacks include:
Healthcare facilities can prevent and mitigate SYN flood attacks by implementing cybersecurity measures, including: