A type of denial of service (DoS) attack using SYN packets.
Transmission Control Protocol (TCP) SYN packets are used to initiate connections between two hosts and are sent by the initiating host to the target as the first step of a TCP three-way handshake. In a SYN flood, an attacker sends TCP SYN packets to listening ports on a target host. These SYN packets are spoofed so that they have source addresses that do not correspond to actual systems. When the target receives a spoofed SYN packet, it responds with a SYN/ACK packet directed toward the address from which the SYN packet originated and waits for an ACK packet in reply to complete the connection. Because the source address is spoofed, however, the ACK packet never comes and the targeted port simply waits until the connection attempt times out. If a listening port receives multiple SYN packets, the port responds with SYN/ACK to as many of them as it can buffer within the memory resources allocated to it by the operating system.
The number of TCP connection attempts a host can buffer varies with different platforms, but is usually no more than several hundred. When a flood of such SYN packets is sent to listening ports on the target host, the connection buffers can become full, and the target will be unable to respond to additional connection attempts until timeouts expire and the buffers have room for more attempts. Some operating systems might even hang or crash when connection buffers become full and then need to be rebooted. The result in either case is that connection attempts from legitimate users cannot be accepted and users experience denial of the service they are trying to connect to on the server.
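
The buffered, never-completed connection attempts described above are visible on the target itself, so counting them per listening port is a simple detection check. The following is an added example, not part of the original entry: it parses a constructed table in the Linux `/proc/net/tcp` layout, where state `03` (SYN_RECV) marks a connection still waiting for the final ACK. The function names, the sample rows and the threshold are assumptions chosen for illustration.

```python
import socket
import struct
from collections import defaultdict

SYN_RECV = 0x03  # Linux state code: SYN received, SYN/ACK sent, final ACK pending

# Constructed sample in /proc/net/tcp layout (leading columns only).
SAMPLE = """\
  sl  local_address rem_address   st
   0: 0A00000A:0050 00000000:0000 0A
   1: 0A00000A:0050 076433C6:C001 01
   2: 0A00000A:0050 117100CB:9C40 03
   3: 0A00000A:0050 2A7100CB:9C41 03
   4: 0A00000A:0050 5B7100CB:9C42 03
   5: 0A00000A:0050 C87100CB:9C43 03
   6: 0A00000A:0016 096433C6:D431 03
"""

def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' into (dotted_ip, port); assumes a little-endian host."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def half_open(table):
    """Map each local port to the remote IPs currently holding a SYN_RECV slot."""
    pending = defaultdict(list)
    for line in table.splitlines():
        cols = line.split()
        if len(cols) < 4 or not cols[0].endswith(":"):
            continue  # header or malformed row
        if int(cols[3], 16) != SYN_RECV:
            continue  # listening or fully established, not half-open
        _, port = decode_addr(cols[1])
        remote_ip, _ = decode_addr(cols[2])
        pending[port].append(remote_ip)
    return pending

def flooded_ports(table, threshold):
    """Return {port: (half_open_count, distinct_sources)} for ports at or over threshold."""
    return {
        port: (len(ips), len(set(ips)))
        for port, ips in half_open(table).items()
        if len(ips) >= threshold
    }

if __name__ == "__main__":
    for port, (count, sources) in flooded_ports(SAMPLE, threshold=4).items():
        print(f"port {port}: {count} half-open connections from {sources} sources")
```

On a real host the threshold should sit well below the platform's connection buffer size, so the alert fires before legitimate attempts start being refused.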