Each device in the botnet may also spoof its IP address, adding to the level of obfuscation. The sources are real, but the distributed nature of the attack makes it difficult to mitigate. A distributed DoS ( DDoS) attack uses a botnet that spreads the source of malicious packets over many machines. With this approach, it's easier to trace where the attack is coming from and shut it down. Instead, the attacker uses one source device with a real IP address to perform the attack. This type of SYN attack does not use spoofed IP addresses. Spoofing makes it hard to trace the packets and mitigate the attack. In a spoofed attack, the malicious client spoofs the IP address on each SYN packet sent to the server, making it look like the packets are coming from a trusted server. The three ways that a SYN flood attack can occur are the following: This makes the connection impossible to complete and overloads the target machine. A SYN flood exploits the way a TCP handshake works, leaving it half-open. The server becomes so busy with the hostile client requests that communication with legitimate traffic is difficult or impossible. However, because the attacker uses fake IP addresses, the server is unable to close the connection by sending RST packets to the client.Īs a result, the connection stays open, and before a timeout can occur, another SYN packet arrives from the hostile client. The hostile client's SYN requests appear valid to the server. A hostile client knows a port is open when the server responds with a SYN-ACK packet. Instead, the client program sends repeated SYN requests to all the server's ports. However, in a SYN flood, the hostile client does not return an ACK response packet. Once those three steps happen, communication can begin between the client and the server. The client returns a final ACK packet to confirm that the server's SYN-ACK packet was received.The server responds, sending a SYN-ACK packet.The client sends a SYN packet to initiate communication with the server.SYN flood explained: How it exploits the three-way handshakeĪ three-way handshake involves the following three steps: