Follow

Q&A: What is a SYN flood?

Question

  • What is a SYN flood?
  • Is F5 Silverline able to defend my web site from SYN floods?  

Environment

  • Silverline DDoS
  • Routed or Proxy DDoS protection  

Answer

  • A SYN flood is a type of attack designed to exhaust all resources used to establish TCP connections
  • A SYN flood occurs when a client application intentionally fails to complete the initial handshake with the a server, leaving the SYN queue to fill up with TCP half-open connections. As a result, the system no longer has the resources to process legitimate application traffic.
  • It does not take a very large botnet to launch a devastating attack on a server
    • This is why it is one of the most commonly observed DDoS attacks.
  • F5 Silverline proxies have SYN flood protection built-in. Our proxies do not send an SYN packet to your server until a 3-way handshake has been completed with the client
  • For routed customers, we respond to attacks quickly and will enable countermeasures that stop and SYN floods from continuing to reach the customer's network

Traffic Sample

 1 0.000000 39.XX.195.149 -> XXX.XXX.22.65 TCP 60 51109 > 80 [SYN] Seq=0 Win=8192 Len=0
2 0.000000 53.XX.58.126 -> XXX.XXX.22.65 TCP 60 60956 > 80 [SYN] Seq=0 Win=8192 Len=0
3 0.000009 79.XX.51.45 -> XXX.XXX.22.65 TCP 60 57769 > 80 [SYN] Seq=0 Win=8192 Len=0
4 0.000010 94.XX.171.142 -> XXX.XXX.22.65 TCP 60 5673 > 80 [SYN] Seq=0 Win=8192 Len=0
5 0.000011 4.XX.221.31 -> XXX.XXX.22.65 TCP 60 45364 > 80 [SYN] Seq=0 Win=8192 Len=0
6 0.000014 7.XX.48.199 -> XXX.XXX.22.65 TCP 60 64298 > 80 [SYN] Seq=0 Win=8192 Len=0
7 0.000022 32.XX.23.30 -> XXX.XXX.22.65 TCP 60 41576 > 80 [SYN] Seq=0 Win=8192 Len=0
8 0.000028 3.XX.94.130 -> XXX.XXX.22.65 TCP 60 4155 > 80 [SYN] Seq=0 Win=8192 Len=0
9 0.000033 17.XX.21.251 -> XXX.XXX.22.65 TCP 60 10509 > 80 [SYN] Seq=0 Win=8192 Len=0
10 0.000579 10.4.XX.181 -> XXX.XXX.22.65 TCP 60 24601 > 80 [SYN] Seq=0 Win=8192 Len=0 

Related Content

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request