TCP SYN flood attacks are designed to take advantage of the methodology used in establishing a new TCP connection, referred to as the TCP three-way handshake. Figure 1-4 illustrates how TCP connections are established.
Figure 1-4. TCP Connection Establishment
In the example presented in Figure 1-4, the client tries to establish a TCP connection to the web server. First, it sends a SYN (synchronize) packet to the server to synchronize sequence numbers; this packet carries the client's initial sequence number (ISN). To initialize a connection, the client and server must synchronize each other's sequence numbers. The acknowledgment (ACK) field is set to 0 because this is the first packet of the three-way handshake and nothing has been acknowledged thus far. In the second packet, the server sends an acknowledgment together with its own SYN (SYN-ACK) back to the client: it acknowledges the client's request and also sends its own request for synchronization. The server increments the client's sequence number by one and uses the result as the acknowledgment number. To conclude the connection, the client sends an acknowledgment (ACK) packet to the web server, using the same method the server used and providing an acknowledgment number in return.
In TCP SYN flood attacks, the attacker generates spoofed packets that appear to be valid new connection requests. The server receives these packets, but the connections never complete: the server replies to each request and waits for a completion that never arrives. After enough of these packets are sent, the server may stop responding to new connections until resources become available to process additional requests, or until the attack stops.
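As an added example (not part of the original text or Figure 1-4), the following Python replays a constructed packet trace against the handshake rules described above and reports how many connections are left half-open, which is the condition a SYN flood produces on the server. The hosts, sequence numbers and backlog limit are made up for illustration.

```python
from collections import namedtuple

# Packet fields follow Figure 1-4: TCP flags, sequence number, acknowledgment number.
Packet = namedtuple("Packet", "src dst flags seq ack")

# Constructed trace (not captured data): one normal handshake, one client that
# replies with a wrong acknowledgment number, and five SYNs that are never
# completed, which is the pattern a SYN flood leaves behind.
TRACE = [
    Packet("10.0.0.5", "web", "SYN", 1000, 0),
    Packet("web", "10.0.0.5", "SYN-ACK", 5000, 1001),  # ack = client ISN + 1
    Packet("10.0.0.5", "web", "ACK", 1001, 5001),      # ack = server ISN + 1
    Packet("10.0.0.9", "web", "SYN", 3000, 0),
    Packet("web", "10.0.0.9", "SYN-ACK", 9000, 3001),
    Packet("10.0.0.9", "web", "ACK", 3001, 9005),      # wrong ack: stays half-open
]
for i in range(1, 6):
    TRACE.append(Packet(f"198.51.100.{i}", "web", "SYN", 2000 + i, 0))
    TRACE.append(Packet("web", f"198.51.100.{i}", "SYN-ACK", 7000 + i, 2001 + i))

def track_handshakes(packets):
    """Replay a trace against the three-way handshake rules from the text.
    Returns (established, half_open): established holds (client, server) pairs
    that completed all three steps; half_open maps pairs for which the server
    sent SYN-ACK but no valid final ACK has arrived."""
    syn_seen = {}     # (client, server) -> client ISN
    half_open = {}    # (client, server) -> server ISN
    established = set()
    for p in packets:
        if p.flags == "SYN":
            syn_seen[(p.src, p.dst)] = p.seq
        elif p.flags == "SYN-ACK":
            key = (p.dst, p.src)
            # The server must acknowledge the client's ISN + 1.
            if key in syn_seen and p.ack == syn_seen[key] + 1:
                half_open[key] = p.seq
        elif p.flags == "ACK":
            key = (p.src, p.dst)
            # The client must acknowledge the server's ISN + 1 to complete.
            if key in half_open and p.ack == half_open[key] + 1:
                del half_open[key]
                established.add(key)
    return established, half_open

def syn_flood_suspected(half_open, backlog_limit):
    """True once half-open entries reach the server's (assumed) queue limit."""
    return len(half_open) >= backlog_limit
```

Running `track_handshakes(TRACE)` leaves one established connection and six half-open ones, so `syn_flood_suspected(half_open, 5)` is true for this trace.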