A traditional TCP 3 way handshake for establishing connections is shown in Figure 1, where state is allocated on the server side upon receipt of the SYN to hold information associated with the incomplete connection. The goal of a SYN flood is to tie up resources on the server machine, so that it is unable to respond to legitimate connections. This is accomplished by having the client discard the returning SYN,ACK from the server and not send the final ACK. This results in the server retaining the partial state that was allocated from the initial SYN.
The attacker does not necessarily have to be on a fast machine or network to accomplish this. Standard TCP will not time out connections until a certain number of retransmits have been made, which usually is a total of 511 seconds[7]. Assuming a machine permits a maximum of 1024 incomplete connections per socket, this means an attacker has only to send 2 connection attempts per second to exhaust all allocated resources. In practice, this does not form a DoS attack, as existing incomplete connections are dropped when a new SYN request is received. The time required for the server to send a SYN,ACK and have the client reply is known as the round trip time (RTT); if an ACK arrives at the server but does not find a corresponding incomplete connection state, the server will not establish a connection. By forcing the server to drop incomplete connection state at a rate larger than the RTT, an attacker is able to insure that no connections are able to complete.
Each connection is dropped with probability, and if the goal is to recycle every connection before the average RTT, an attacker would need to flood the machine at a rate of packets per second. For a listen queue size of 1024, and a 100 millisecond RTT, this results in about 10,000 packets per second. A minimal size TCP packet is 64 bytes, so the total bandwidth used is only 4Mb/second, within the realm of practicality.
As the sender may forge their source IP address, a defense that relies on filtering packets based on the source IP will not be effective in all cases. Using a random source IP address will also cause more resources to be tied up on the server if a per-IP route structure is allocated.
Often it is not possible to distinguish attacks from real connection attempts, other than by observing the volume of SYNs that are arriving at the server, so the machine needs to be able to handle them in some fashion.
In order to defend against this type of attack, the amount of the amount of state that is allocated should be reduced, or even eliminated completely by delaying allocation until the connection is completed. Two known approaches to do this are known as SYN cache and SYN cookies. The caching approach is similar to the existing behavior, but allocates a much smaller state structure to record the initial connection request, while the cookie approach attempts to encode the state in a small quantity which is returned by the client when the TCP handshake is completed.