A SYN flood is one of the most classic and effective types of Denial of Service (DoS) attacks, specifically targeting the TCP handshake process. Let’s break it down:
🌊 What Is a SYN Flood Attack?
A SYN flood is a type of network-level DoS attack where an attacker sends a barrage of TCP SYN packets to a target server, but never completes the handshake. This causes the server to allocate resources for each half-open connection, eventually exhausting its capacity and making it unable to serve legitimate users.
🔄 How TCP Handshake Works (Normally)
TCP connections begin with a three-way handshake:
- SYN: Client sends a SYN (synchronize) packet to the server.
- SYN-ACK: Server responds with a SYN-ACK (synchronize-acknowledge).
- ACK: Client replies with an ACK, and the connection is established.
💥 How SYN Flood Disrupts It
In a SYN flood:
- The attacker sends many SYN packets with spoofed IP addresses.
- The server replies with SYN-ACKs and waits for the final ACK.
- Since the ACK never comes, the server keeps these connections in a half-open state.
- Eventually, the server’s connection queue fills up, and it can’t accept new connections.
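The traffic pattern just described (SYNs answered with SYN-ACKs that are never completed) is also the signature a defender looks for. The following is an added example, not code from the original article: it parses a constructed, simplified packet log and counts half-open connections per listener. Because a flood that spoofs its source addresses shows only one SYN per source, the check is done per listener (aggregate half-open count and handshake completion ratio) rather than per client; the log format, thresholds and addresses are assumptions made for the example.

```python
"""Recognise a SYN flood from its half-open signature.

Added example (not from the original article).  Input is a constructed,
simplified packet log, one packet per line:
    "<time> <src ip:port> -> <dst ip:port> <flags>"
with tcpdump-style flag letters: S = SYN, SA = SYN-ACK, A = ACK.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: one legitimate client (198.51.100.7) completes its
# handshakes on ports 443 and 80; eight spoofed sources (192.0.2.11-18)
# each send a single SYN to port 443, get a SYN-ACK, and never answer.
SAMPLE_LOG = """\
0.000 198.51.100.7:40001 -> 203.0.113.10:443 S
0.001 203.0.113.10:443 -> 198.51.100.7:40001 SA
0.002 198.51.100.7:40001 -> 203.0.113.10:443 A
0.003 198.51.100.7:40002 -> 203.0.113.10:80 S
0.004 203.0.113.10:80 -> 198.51.100.7:40002 SA
0.005 198.51.100.7:40002 -> 203.0.113.10:80 A
0.010 192.0.2.11:5555 -> 203.0.113.10:443 S
0.011 203.0.113.10:443 -> 192.0.2.11:5555 SA
0.012 192.0.2.12:5555 -> 203.0.113.10:443 S
0.013 203.0.113.10:443 -> 192.0.2.12:5555 SA
0.014 192.0.2.13:5555 -> 203.0.113.10:443 S
0.015 203.0.113.10:443 -> 192.0.2.13:5555 SA
0.016 192.0.2.14:5555 -> 203.0.113.10:443 S
0.017 203.0.113.10:443 -> 192.0.2.14:5555 SA
0.018 192.0.2.15:5555 -> 203.0.113.10:443 S
0.019 203.0.113.10:443 -> 192.0.2.15:5555 SA
0.020 192.0.2.16:5555 -> 203.0.113.10:443 S
0.021 203.0.113.10:443 -> 192.0.2.16:5555 SA
0.022 192.0.2.17:5555 -> 203.0.113.10:443 S
0.023 203.0.113.10:443 -> 192.0.2.17:5555 SA
0.024 192.0.2.18:5555 -> 203.0.113.10:443 S
0.025 203.0.113.10:443 -> 192.0.2.18:5555 SA
"""


@dataclass
class ListenerStats:
    syns: int = 0                                 # SYNs seen toward this listener
    completed: int = 0                            # handshakes finished by a client ACK
    sources: set = field(default_factory=set)     # distinct client IPs
    half_open: set = field(default_factory=set)   # (client, listener) flows awaiting ACK


def parse_line(line):
    ts, src, _, dst, flags = line.split()
    return float(ts), src, dst, flags


def analyze(log, min_half_open=5, max_completion=0.5):
    """Return {listener: (ListenerStats, flagged)} for every destination
    that received SYNs.  A listener is flagged when it holds at least
    min_half_open embryonic connections and fewer than max_completion of
    its SYNs ever completed: the half-open pile-up the article describes."""
    stats = defaultdict(ListenerStats)
    pending = set()   # client sent SYN, listener has not yet answered
    for raw in log.splitlines():
        if not raw.strip():
            continue
        _, src, dst, flags = parse_line(raw)
        if flags == "S":
            st = stats[dst]
            st.syns += 1
            st.sources.add(src.rsplit(":", 1)[0])
            pending.add((src, dst))
        elif flags == "SA":
            flow = (dst, src)          # server replies, so swap back to client-first
            if flow in pending:
                pending.discard(flow)
                stats[flow[1]].half_open.add(flow)   # server now holds state for it
        elif flags == "A":
            st = stats[dst]
            if (src, dst) in st.half_open:
                st.half_open.discard((src, dst))
                st.completed += 1
    result = {}
    for listener, st in stats.items():
        ratio = st.completed / st.syns if st.syns else 1.0
        flagged = len(st.half_open) >= min_half_open and ratio < max_completion
        result[listener] = (st, flagged)
    return result


def summarize(log):
    """Print one verdict line per listener; return the flagged listeners."""
    flagged = []
    for listener, (st, is_flood) in sorted(analyze(log).items()):
        print(f"{listener}: syns={st.syns} completed={st.completed} "
              f"half_open={len(st.half_open)} sources={len(st.sources)} "
              f"{'FLOOD' if is_flood else 'ok'}")
        if is_flood:
            flagged.append(listener)
    return flagged


if __name__ == "__main__":
    summarize(SAMPLE_LOG)
```

Run on the sample, port 443 is flagged (9 SYNs, 1 completed, 8 half-open, 9 distinct sources) while port 80 is not. Note that a per-source counter would see nothing unusual here, since every spoofed source sends exactly one SYN; that is why the verdict is based on what the listener is holding, which is also the quantity a `netstat`/`ss` count of SYN_RECV sockets would show on the host.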
🧠 Why It’s Effective
- Low effort, high impact: Just sending SYN packets can cripple a server.
- Hard to trace: Spoofed IPs make it difficult to identify the attacker.
- Resource exhaustion: Servers allocate memory and CPU for each pending connection.
🛡️ How to Defend Against SYN Floods
| Defense Mechanism | Description |
|---|---|
| SYN Cookies | Encodes the handshake state in the SYN-ACK's sequence number so the server allocates nothing until the final ACK arrives. |
| Firewalls & IDS | Detect and block abnormal SYN traffic patterns. |
| Rate Limiting | Restrict the number of incoming SYN requests per source IP. |
| Timeout Tuning | Reduce the time a server waits for the final ACK. |
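To make the SYN cookie row concrete, here is an added worked example (not the article's code, and not any kernel's implementation) of a stateless handshake. It follows the classic Bernstein layout: the server's initial sequence number packs a 5-bit time counter, a 3-bit MSS table index and a 24-bit keyed hash of the client and server addresses, so the final ACK alone proves that a SYN-ACK was really sent and lets the server rebuild the connection without having stored anything. The secret key, MSS table, address strings and the tick counter standing in for wall-clock time are assumptions of the example.

```python
"""SYN cookies: a stateless TCP handshake that allocates nothing on SYN.

Added example, not the article's or any operating system's code.
Cookie (server ISN) layout, after the classic Bernstein scheme:
    bits 31-27 : time counter t mod 32 (one tick = 64 s in the original)
    bits 26-24 : index into a small MSS table
    bits 23-0  : keyed hash of (client ip:port, server ip:port, t)
"""
import hashlib
import hmac
import secrets

MSS_TABLE = (536, 1220, 1440, 1460)   # assumed table; index must fit in 3 bits
SECRET = secrets.token_bytes(32)      # per-server key (rotated in practice)


def _mac24(client, server, t):
    """24-bit keyed hash binding the cookie to the endpoints and the tick."""
    msg = f"{client}|{server}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(client, server, mss, t):
    """Server ISN to send in the SYN-ACK; nothing is stored."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):   # largest table entry not above the offered MSS
        if m <= mss:
            idx = i
    return ((t & 0x1F) << 27) | (idx << 24) | _mac24(client, server, t)


def check_cookie(cookie, client, server, now):
    """Return the MSS encoded in a valid, fresh cookie, else None."""
    stored_t = cookie >> 27
    idx = (cookie >> 24) & 0x7
    for t in (now, now - 1):            # accept the current and the previous tick
        if (t & 0x1F) != stored_t:
            continue
        expected = _mac24(client, server, t).to_bytes(3, "big")
        got = (cookie & 0xFFFFFF).to_bytes(3, "big")
        if hmac.compare_digest(expected, got):
            return MSS_TABLE[idx]
    return None


class StatelessListener:
    """Listener that keeps state only for handshakes that actually complete."""

    def __init__(self, addr):
        self.addr = addr
        self.clock = 0          # tick counter standing in for time
        self.established = {}   # client -> negotiated MSS

    def tick(self):
        self.clock += 1

    def on_syn(self, client, mss):
        # Reply with a SYN-ACK whose ISN is the cookie; no queue entry is made.
        return make_cookie(client, self.addr, mss, self.clock)

    def on_ack(self, client, ack_num):
        # The ACK acknowledges ISN + 1; validate the cookie and only then allocate.
        mss = check_cookie((ack_num - 1) & 0xFFFFFFFF, client, self.addr, self.clock)
        if mss is None:
            return False
        self.established[client] = mss
        return True


def demo():
    """Flood of unanswered SYNs costs nothing; only valid ACKs create state."""
    srv = StatelessListener("203.0.113.10:443")
    for i in range(10_000):              # constructed spoofed SYNs, never completed
        srv.on_syn(f"192.0.2.{i % 254 + 1}:{1024 + i}", 1460)
    flood_state = len(srv.established)   # 0: nothing was allocated

    isn = srv.on_syn("198.51.100.7:40001", 1460)
    ok = srv.on_ack("198.51.100.7:40001", (isn + 1) & 0xFFFFFFFF)

    forged = srv.on_ack("198.51.100.9:40002", 0xDEADBEEF)   # ACK without a real cookie

    isn2 = srv.on_syn("198.51.100.8:40003", 1460)
    srv.tick()
    srv.tick()                                               # cookie aged past the window
    stale = srv.on_ack("198.51.100.8:40003", (isn2 + 1) & 0xFFFFFFFF)
    return flood_state, ok, forged, stale, len(srv.established)


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(0, True, False, False, 1)`: ten thousand unanswered SYNs leave no state behind, the genuine client is accepted with its MSS recovered from the cookie, and both a forged ACK and an ACK that arrives after the cookie's validity window are dropped. The trade-off the example makes visible is that only what fits in 32 bits survives, which is why real stacks such as Linux use cookies only once the SYN backlog overflows rather than for every connection.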
🧪 Real-World Example
SYN floods have been used in attacks against major websites, banks, and even government infrastructure. They’re often part of larger DDoS campaigns and can be launched using botnets or automated tools like LOIC (Low Orbit Ion Cannon).