Guilty as SYN: five ways to deal with the enduring misery of SYN flood DDoS

The internet is not a place where trends tend to endure. What got a thousand likes on Instagram last week can easily become a scroll-past this week, and even the most successful social media influencers will eventually have to get a real job.

However, there are some glaring exceptions to the here-today-gone-tomorrow nature of the internet. Unfortunately, instead of things like bacon being shoehorned into every recipe and Will it Blend? hanging on as mainstays in our digital society, it tends to be malicious things like DDoS attack techniques that can somehow stay popular for decades. As the saying goes, viral memes may come and go, but SYN floods are forever. They’ve remained so effective for so long you would be forgiven for thinking there’s nothing that can be done to prevent these abuses of the TCP handshake – though while you would be forgiven, you would also need to be corrected.

A most impolite handshake

As mentioned above, a SYN flood is a distributed denial of service attack that takes advantage of the TCP handshake protocol that connects a browser to a website. Admittedly, the TCP handshake is a bit of a finicky process that involves at least three steps, more if encryption is involved, so it isn’t too surprising that attackers have found ways to cause trouble with it using both DDoS and man-in-the-middle attacks.

In a standard TCP handshake, a user’s browser sends a synchronize (SYN) request to the website server, the server responds with an acknowledgment of the synchronize request (SYN-ACK) and to complete the connection, the browser sends back an acknowledgment of its own (ACK). Every time the server sends a SYN-ACK, it opens a port in order to complete the connection, and because of this, it’s relatively easy for an attacker to exhaust a server using the TCP handshake protocol. All an attacking botnet has to do is send enough SYN requests that the victim server exhausts its ports trying to complete connections, waiting for acknowledgments that will never come.

The more you think about it, the more it seems like there should be a way to stop attackers from fiddling with the TCP handshake, doesn’t it? You’re right.

There are four ways for the administrator of a server to prevent SYN floods, and one way anyone can.

1. Keep your server from allocating memory until the ACK is received

To do this, you’ll want to use SYN cookies that send the SYN-ACK with a sequence number composed of unique identifying information. For a legitimate connection, the browser’s ACK will include that sequence number. Only then will the server open a port or allocate any memory to a connection.

2. Keep your server from going all-in on every attempted connection

Using micro blocks, you can keep your server from allocating a complete connection object in its memory every time a SYN comes in, instead setting it to allocate as little as 16 bytes.

3. Make the browser work for the connection

Set your server to intentionally reply to all first requests from any given browser with an invalid SYN-ACK, forcing the browser to reply with an RST packet indicating that something is wrong. Only a browser trying to make a legitimate connection would reply with such a packet, so the server can then accept current and future connections.

4. Tweak the stack for a temporary solution

If a SYN flood is in the process of occurring, you can set your server to reduce the amount of time it allocates memory while waiting for a connection to be completed, or in even more dire circumstances you can set it to selectively drop some of its incoming connections.

5. Get professional DDoS protection

All of the above options are effective and can help to reduce the effects of a SYN flood distributed denial of service attack, or stop it altogether – so long as the network has enough bandwidth to absorb volumetric attack traffic.

If you don’t want to be bothered with SYN cookies or micro blocks or fretting over how much bandwidth your network has available and how much it will cost if an attack eats that bandwidth, you can just get cloud-based DDoS mitigation capable of stopping any and all DDoS attacks. This very much includes SYN floods, the attack type mitigation services have had decades to practice dealing with.