+420-602-558-144 I'm under attack Log in Sign Up

What Are SYN Flood, SYN-ACK Flood and ACK Flood Attacks?

Exploring SYN Flood, SYN-ACK Flood, and ACK Flood Attacks

SYN flood, SYN-ACK flood, and ACK flood attacks are types of DDoS (Distributed Denial of Service) attacks that overload a target by flooding it with excessive TCP handshake packets, exploiting different stages of the TCP handshake process: SYN, SYN-ACK, and ACK, respectively.

SYN flood, SYN-ACK flood, and ACK flood attacks aim at stateful network equipment, such as firewalls and servers, trying to overwhelm the target's ability to handle TCP connection requests and make it unreachable to legitimate users. As these attacks focus on devices that operate on the transport layer of the OSI model, they are classified as transport layer (L4) DDoS attacks.

Some large-scale SYN flood attacks can generate enough traffic to clog the communication channel. These attacks can additionally overwhelm stateless network devices, such as routers and switches, that work on the lower layers of the OSI model. In this case, the attack is considered a combined L3/L4 DDoS attack.

How TCP Handshake Works

Transmission Control Protocol (TCP) is one of the main protocols on which the internet is built. TCP is used to transmit data between devices connected to an IP network, ensuring that the data is delivered without errors.

Unlike UDP, TCP requires establishing a connection before data is transmitted. For this reason, when a client wants to send or receive anything to or from a server using the TCP protocol, it first needs to initiate a connection using the so-called TCP handshake.

This procedure consists of three stages:

  1. SYN: When the client wants to start a connection to the server, it sends a message called a "SYN" (synchronize) to the server. Think of it as saying, "Hello, I'd like to talk."
  2. SYN-ACK: The server receives the SYN message and responds with a "SYN-ACK" (synchronize-acknowledge). This is like the server saying, "Hello, I hear you. Let's talk."
  3. ACK: The client receives the SYN-ACK message and replies with an "ACK" (acknowledge). This is like the client saying, "Great, let's start our conversation."

Once this three-step handshake is complete, the client and server can start exchanging data using the established TCP connection.

Common Types of Attack Exploiting SYN, SYN-ACK and ACK Requests

Unfortunately, every stage of the TCP three-way handshake can be abused by organizers of DDoS attacks, and not in just a single way. Let's get into some details on how it works.

How SYN Flood DDoS Attacks Work

The most basic way attackers can exploit the TCP connection handshake is by bombarding the target with a massive number of SYN requests coming from different IP addresses — for example, using a huge botnet consisting of infected devices.

The target responds to these SYN packets with a SYN-ACK (synchronize-acknowledge), waiting for a final ACK (acknowledge) from the clients to complete the handshakes. However, the attacker never sends the ACK, leaving the server with a massive number of half-open connections.

A slightly different method, often used in real attacks, is to send spoofed SYN requests with fake IP addresses in the sender's field. This way, the attacker can indefinitely cycle through random IP addresses, while the targeted server sends its SYN-ACK packets effectively to nowhere, keeping the connection half-open.

In any case, the ultimate goal of a SYN flood attack is to use up the maximum resources of the attacked server or firewall with half-open connections. Once this succeeds, the target loses the ability to establish new connections, effectively becoming unavailable to legitimate users.

How SYN-ACK Flood DDoS Attacks Work

Another way for an attacker to exploit the TCP connection handshake is to send a massive number of spoofed SYN-ACK packets with random IP addresses in the sender field. Upon receiving these SYN-ACK packets, the targeted server or firewall has to determine whether these packets are legitimate responses to ACK requests it sent earlier or if they are garbage packets.

Using this trick, a SYN-ACK flood attack consumes the resources of the targeted server or firewall. The victim device gets overwhelmed as it tries to process and validate each incoming SYN-ACK packet. As a result, the target becomes unavailable to legitimate traffic, causing a denial of service.

How ACK Flood DDoS Attacks Work

Similarly, the ACK flood attack involves sending a huge number of spoofed ACK packets. When the target receives these ACK packets, it has to determine whether they are legitimate acknowledgments of SYN-ACK requests it sent earlier or if this traffic is garbage.

The goal of an ACK flood attack is also to consume the resources of the targeted server or firewall until it eventually becomes overwhelmed as it tries to process the incoming ACK requests. As a result, the target becomes unavailable.

How SYN-ACK Amplification/Reflection DDoS Attacks Work

Amplification/reflection DDoS attacks usually exploit UDP (User Datagram Protocol), benefiting from the fact that it is a connectionless protocol. However, TCP is not immune to reflection attacks either.

Attackers slightly modify the SYN flood attack scenario. While spoofing the SYN requests, they use the victim's IP address in the sender's field. And then attackers broadcast these spoofed packets to a massive number of random legitimate servers all over the internet.

Upon receiving the SYN request, these legitimate servers duly reply with SYN-ACK packets to the victim's IP address. Attackers also benefit from the misconfiguration of the servers: most servers send the SYN-ACK packet not just once, but several times, and some servers make hundreds or even thousands of responses.

As a result of the SYN-ACK amplification attack, the victim receives a massive amount of reflected SYN-ACK requests. From this point, it works exactly like a regular SYN-ACK flood we described earlier: trying to determine what these requests are supposed to mean, the target is overwhelmed by this traffic and eventually becomes unreachable.

Impact on Business

DDoS attacks that abuse the TCP connection handshake procedure, such as SYN flood attacks, can be highly disruptive. A successful attack can cause severe downtime by overwhelming servers and network infrastructure, making online services unavailable to legitimate users.

This can result in significant financial losses, especially for organizations that rely heavily on online transactions and services, such as e-commerce businesses, financial institutions, online gaming companies, and more.

The aftermath of the attack causes a diversion of resources that could otherwise be used for business development and growth. Additionally, frequent or prolonged DDoS attacks can result in regulatory fines and legal liabilities. A successful attack also has a range of long-lasting consequences, such as reputation damage and a decrease in customer trust.

How to Protect from L3/L4 DDoS Attacks

One of the simplest ways to mitigate a DDoS attack is blackholing. It redirects traffic from certain IP ranges to a null route, effectively removing it from the targeted network. However, this technique can only be used as a last resort, as it also drops legitimate traffic from the same IP range.

SYN flood protection often involves rate limiting, which controls the amount of traffic reaching the target system, preventing overwhelming volumes of malicious traffic. However, since limits are set per IP address, this method is ineffective against attacks using a large number of different addresses and can also block legitimate traffic if the limits are set too low.

SYN flood attack prevention also includes traffic filtering, which identifies and blocks malicious traffic while allowing legitimate traffic to pass through. This task is complex, and its success depends on the scale of the DDoS attack that the filtering solution can handle.

Scrubbing centers offer a scalable solution by diverting incoming traffic to specialized facilities for analysis and filtering. Malicious traffic is removed, and clean traffic is forwarded to the target system. These centers use advanced technologies and algorithms, and they have enough redundancy to handle large-scale attacks effectively.

Qrator.AntiDDoS provides comprehensive, always-on protection against both L3/L4 and L7 DDoS attacks through its global network of 15 scrubbing centers. Connected to Tier 1 or leading regional providers, our filtering centers offer BGP Anycast routing for efficient traffic distribution, ensuring real-time monitoring and filtering. Our distributed cloud infrastructure effectively mitigates attacks of any scale, while the pay-as-you-go model minimizes costs for customers.

Qrator Labs uses cookies to improve your experience, deliver personalized content and analyze our traffic. By clicking “Accept All” you agree to the storing of cookies on your device to enhance website navigation and analyze usage, assisting in our marketing efforts and improving user experience. You may modify your cookies settings at any time, as explained in our Cookie notice.
Cookies Preference Center
Strictly Necessary Cookies

Always Active

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information. Detailed information about this category of cookies can be found in the Cookie Policy.
Performance/Analytics Cookies
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site and will not be able to monitor its performance. Detailed information about this category of cookies can be found in the Cookie Policy.
Targeting/Marketing Cookies
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising. You may opt out of Targeting/Marketing cookies through the "Cookie settings" button. Detailed information about this category of cookies can be found in the Cookie Policy.
Functionality Cookies
These cookies enable the Website to provide enhanced functionality and personalization. Company sets some functionality cookies, while third party providers whose services Qrator Labs added to the website set the rest of these cookies. If you do not allow functionality cookies, then services relying on functionality cookies may not function properly.