Question
- What is a SYN flood?
- Is F5 Silverline able to defend my web site from SYN floods?
Environment
- Silverline DDoS
- Routed or Proxy DDoS protection
Answer
- A SYN flood is a type of attack designed to exhaust all resources used to establish TCP connections
- A SYN flood occurs when a client application intentionally fails to complete the initial handshake with a server, leaving the SYN queue to fill up with half-open TCP connections. As a result, the system no longer has the resources to process legitimate application traffic.
- It does not take a very large botnet to launch a devastating attack on a server
- This is why it is one of the most commonly observed DDoS attacks.
- F5 Silverline proxies have SYN flood protection built-in. Our proxies do not send a SYN packet to your server until a 3-way handshake has been completed with the client.
- For routed customers, we respond to attacks quickly and will enable countermeasures that stop SYN floods from continuing to reach the customer's network.
Traffic Sample
1 0.000000 39.XX.195.149 -> XXX.XXX.22.65 TCP 60 51109 > 80 [SYN] Seq=0 Win=8192 Len=0
2 0.000000 53.XX.58.126 -> XXX.XXX.22.65 TCP 60 60956 > 80 [SYN] Seq=0 Win=8192 Len=0
3 0.000009 79.XX.51.45 -> XXX.XXX.22.65 TCP 60 57769 > 80 [SYN] Seq=0 Win=8192 Len=0
4 0.000010 94.XX.171.142 -> XXX.XXX.22.65 TCP 60 5673 > 80 [SYN] Seq=0 Win=8192 Len=0
5 0.000011 4.XX.221.31 -> XXX.XXX.22.65 TCP 60 45364 > 80 [SYN] Seq=0 Win=8192 Len=0
6 0.000014 7.XX.48.199 -> XXX.XXX.22.65 TCP 60 64298 > 80 [SYN] Seq=0 Win=8192 Len=0
7 0.000022 32.XX.23.30 -> XXX.XXX.22.65 TCP 60 41576 > 80 [SYN] Seq=0 Win=8192 Len=0
8 0.000028 3.XX.94.130 -> XXX.XXX.22.65 TCP 60 4155 > 80 [SYN] Seq=0 Win=8192 Len=0
9 0.000033 17.XX.21.251 -> XXX.XXX.22.65 TCP 60 10509 > 80 [SYN] Seq=0 Win=8192 Len=0
10 0.000579 10.4.XX.181 -> XXX.XXX.22.65 TCP 60 24601 > 80 [SYN] Seq=0 Win=8192 Len=0
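One way to triage a capture like the sample above, shown as an added example (not F5 or Silverline code): the script parses the same one-line tshark format and reports, per destination, how many client SYNs were never followed by a client ACK. The capture text, the documentation-range addresses, the function names and the thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed capture in the same one-line format as the traffic sample.
# Addresses come from documentation ranges, not from the original page.
SAMPLE = """\
1 0.000000 198.51.100.10 -> 192.0.2.65 TCP 60 51109 > 80 [SYN] Seq=0 Win=8192 Len=0
2 0.000004 198.51.100.27 -> 192.0.2.65 TCP 60 60956 > 80 [SYN] Seq=0 Win=8192 Len=0
3 0.000009 203.0.113.45 -> 192.0.2.65 TCP 60 57769 > 80 [SYN] Seq=0 Win=8192 Len=0
4 0.000010 203.0.113.142 -> 192.0.2.65 TCP 60 5673 > 80 [SYN] Seq=0 Win=8192 Len=0
5 0.000011 198.51.100.31 -> 192.0.2.65 TCP 60 45364 > 80 [SYN] Seq=0 Win=8192 Len=0
6 0.000300 203.0.113.200 -> 192.0.2.65 TCP 66 40000 > 80 [SYN] Seq=0 Win=64240 Len=0
7 0.000900 203.0.113.200 -> 192.0.2.65 TCP 54 40000 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
"""

LINE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]"
)

def summarize(capture):
    """Per destination (ip, port): distinct SYN flows, sources, and half-open flows."""
    syn_flows = defaultdict(set)  # (dst, dport) -> {(src, sport)} that sent a bare SYN
    acked = defaultdict(set)      # (dst, dport) -> {(src, sport)} that later sent an ACK
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip non-TCP or unparseable lines
        key = (m["dst"], int(m["dport"]))
        flow = (m["src"], int(m["sport"]))
        flags = {f.strip() for f in m["flags"].split(",")}
        if flags == {"SYN"}:
            syn_flows[key].add(flow)  # a set, so SYN retransmits count once
        elif "ACK" in flags and flow in syn_flows.get(key, ()):
            acked[key].add(flow)      # client completed its side of the handshake
    return {
        k: {"syn_flows": len(v),
            "sources": len({src for src, _ in v}),
            "half_open": len(v - acked[k])}
        for k, v in syn_flows.items()
    }

def looks_like_syn_flood(stats, min_syns=5, min_half_open_ratio=0.8):
    """Assumed thresholds: flag when most SYN flows never see a client ACK."""
    if stats["syn_flows"] < min_syns:
        return False
    return stats["half_open"] / stats["syn_flows"] >= min_half_open_ratio
```

The result is only meaningful on a capture taken where the clients' ACKs would also be visible and long enough for legitimate handshakes to complete; tune both thresholds to the site's normal connection rate.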