What is a SYN flood, and what are common mitigations such as SYN cookies?

Enhance your networking knowledge! Tackle our Transport Layer Protocols and Functions Test featuring flashcards and multiple-choice questions with insightful hints and explanations. Elevate your exam readiness now!

Multiple Choice

What is a SYN flood, and what are common mitigations such as SYN cookies?

Explanation:

A SYN flood is a transport-layer attack that abuses the TCP three-way handshake. An attacker sends a large number of initial SYN packets to a server, each of which would begin a new connection. The server replies to each with a SYN-ACK and waits for the final ACK, holding that half-open connection in memory with a timer running. If the flood is large enough, the server's backlog of half-open connections fills up, exhausting resources and preventing legitimate clients from establishing new connections.

Mitigations focus on avoiding or reducing the resource drain from those half-open states. SYN cookies let the server avoid allocating per-connection resources until the handshake completes: the server encodes enough information in the initial sequence number of its SYN-ACK that it can validate the final ACK and complete the connection only if the handshake was legitimate. Backlog limits cap how many half-open connections the server will track, though setting the limit too low can reject legitimate connections during bursts. Anomaly detection and rate limiting identify and throttle suspicious SYN activity, while SYN proxies or firewalls can absorb or terminate half-open connections before they reach the target server.

Other floods target different layers: HTTP floods overwhelm the application layer, and DNS floods target the DNS service. An attack that floods TCP ACKs would differ in both mechanism and impact from a SYN flood, which specifically targets the connection-initiation phase.
