Lunarpages Web Hosting Forum

Author Topic: A not too brief explanation of SYN floods.  (Read 6446 times)

Offline wd

A not too brief explanation of SYN floods.
« on: April 27, 2004, 07:40:34 PM »
I thought it would be helpful for people who are unfamiliar with the way SYN floods work to have a brief explanation to read.  I'll try and keep it nontechnical.

Basically, when a computer wants to connect to another computer on the internet it sends a message (called a packet) to that other computer asking to speak to it.  You might think of this as something like a phone call.  Usually computers can handle many concurrent connections, ranging into the tens of thousands, allowing one computer (a server) to respond to many other computers (clients).

Now, more specifically when a computer tries to make a connection it sends what is called a SYN packet.  Why it's called SYN isn't a big deal, so just pretend like it doesn't matter (because it doesn't).  This SYN packet contains a few elements: the address of the computer asking to make the connection, the address of the computer receiving the connection, and a port number (like an apartment number or an extension) on that second computer.  The computer receiving the connection checks to see that the address matches its own, and that it has something attached to the port number in question, and then sends a response back to that first computer saying that the connection is agreeable.

So when somebody initiates a SYN flood what they are doing is sending a plethora of connection requests at an extremely fast pace.  This is a lot like what happens when tickets for a popular event go on sale and the ticket office's phone lines are snowed under by calls.  The computer receiving the requests becomes unable to keep up with them, and is unable to reply in time (think of this as a busy signal).

To add to this, while phones have caller ID, and it is typically simple to figure out where a phone call originates, this is not always the case on the internet.  Many providers allow their users to spoof (fake) the addresses that are attached to the messages they send.  This means that a malicious user can send out messages with a false return address, making the source of the messages extremely difficult to trace.  What's more: you can't tell the computer receiving the connection to stop accepting connections from one sender, because the sender is creating new fake addresses every time they send a message.

Bottom line, SYN floods are a very damaging form of abuse and extremely difficult to stop.  If they can be tracked down it often takes hours or even days.  We here at Lunarpages will always work diligently to stop these attacks before they cause problems for our customers whenever that is possible, and when it is not, to find the source of attacks and ensure that they are prosecuted to the full extent of the law.
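The handshake bookkeeping the post describes, as an added example that is not part of the original post: a toy model of a listener's table of half-open connections (SYN received, final ACK still outstanding). Spoofed SYNs never complete the handshake, so they occupy table entries until they time out, and once the table is full legitimate clients are refused even though the server is otherwise idle. The model also goes beyond the post by showing SYN cookies, a stateless mitigation in which the server stores nothing until the client returns a value derived from the SYN-ACK, which a spoofed sender never receives. No packets are sent; the addresses, rates, table size and secret are constructed values.

```python
"""Toy model of a TCP listener's half-open connection table under a SYN flood.

Constructed example: only the handshake bookkeeping is modelled (SYN in,
SYN-ACK out, ACK in). Times are integer milliseconds to keep arithmetic exact.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Listener:
    backlog: int                  # max half-open (SYN-RECEIVED) entries
    syn_timeout_ms: int           # how long a half-open entry is kept
    syn_cookies: bool = False     # stateless mitigation: store nothing until ACK
    half_open: dict = field(default_factory=dict)  # (src_ip, src_port) -> expiry
    established: int = 0
    refused: int = 0
    secret: bytes = b"constructed-secret"  # constructed; a real server rotates this

    def _expire(self, now_ms):
        # Drop half-open entries whose timer has run out (the only way a
        # never-completed spoofed SYN leaves the table).
        for key in [k for k, exp in self.half_open.items() if exp <= now_ms]:
            del self.half_open[key]

    def _cookie(self, src):
        # The server's initial sequence number, derived from the peer tuple.
        # A spoofed peer never sees the SYN-ACK carrying it, so it cannot reply.
        # (Real SYN cookies also fold in a time counter to limit replay.)
        msg = f"{src[0]}:{src[1]}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:8]

    def on_syn(self, src, now_ms):
        """Handle a SYN; return the SYN-ACK cookie sent, or None if dropped."""
        self._expire(now_ms)
        if self.syn_cookies:
            return self._cookie(src)          # reply, but keep no state
        if len(self.half_open) >= self.backlog:
            self.refused += 1                 # table full: SYN silently dropped
            return None
        self.half_open[src] = now_ms + self.syn_timeout_ms
        return self._cookie(src)

    def on_ack(self, src, cookie, now_ms):
        """Handle the client's final ACK; return True if the connection opens."""
        self._expire(now_ms)
        if self.syn_cookies:
            ok = hmac.compare_digest(cookie, self._cookie(src))
        else:
            ok = self.half_open.pop(src, None) is not None
        if ok:
            self.established += 1
        return ok


def simulate(listener, flood_rate, duration_s, step_ms=100):
    """Drive the listener with `flood_rate` spoofed SYNs per second (never
    followed by an ACK) plus one legitimate client per second that completes
    the handshake. Returns (established, refused)."""
    spoofed = 0
    legit = 0
    for i in range(duration_s * 1000 // step_ms):
        now = i * step_ms
        for _ in range(flood_rate * step_ms // 1000):
            spoofed += 1
            # Fresh fake source every time, as the post describes (TEST-NET-3).
            listener.on_syn((f"203.0.113.{spoofed % 256}", 1024 + spoofed), now)
        if now % 1000 == 0:
            legit += 1
            src = ("198.51.100.7", 40000 + legit)   # constructed client
            cookie = listener.on_syn(src, now)
            if cookie is not None:                  # SYN-ACK arrived; reply
                listener.on_ack(src, cookie, now + 50)
    return listener.established, listener.refused


if __name__ == "__main__":
    plain = Listener(backlog=128, syn_timeout_ms=30_000)
    print("plain backlog  :", simulate(plain, flood_rate=50, duration_s=20))
    cookied = Listener(backlog=128, syn_timeout_ms=30_000, syn_cookies=True)
    print("with SYN cookies:", simulate(cookied, flood_rate=50, duration_s=20))
```

With a 128-entry table and a 30-second timeout, 50 spoofed SYNs per second fill the table in under three seconds, after which the legitimate client is refused on every attempt; the same traffic against the SYN-cookie listener completes every legitimate handshake. The model also shows why blocking the sender does not help: every spoofed SYN arrives from a different address and port.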