ZyXEL Communications NXC5200 User Manual page 352

Chapter 22 ADP
TCP SYN Flood Attack
Usually a client starts a session by sending a SYN (synchronize) packet to a server.
The receiver returns an ACK (acknowledgment) packet and its own SYN, and then
the initiator responds with an ACK (acknowledgment). After this handshake, a
connection is established.
Figure 156 TCP Three-Way Handshake
A SYN flood attack is when an attacker sends a series of SYN packets. Each packet
causes the receiver to reply with a SYN-ACK response. The receiver then waits for
the ACK that follows the SYN-ACK, and stores all outstanding SYN-ACK responses
on a backlog queue. SYN-ACKs are only moved off the queue when an ACK comes
back or when an internal timer ends the three-way handshake. Once the queue is
full, the system will ignore all incoming SYN requests, making the system
unavailable for other users.
Figure 157 SYN Flood
352
NXC5200 User's Guide