Before looking at what a SYN attack is, we need to understand the TCP/IP three-way handshake. A Transmission Control Protocol/Internet Protocol (TCP/IP) session is initiated with a three-way handshake: the two communicating computers exchange a SYN, a SYN/ACK and an ACK to set up the session. The initiating computer sends a SYN packet; the responding host answers with a SYN/ACK and then waits for the ACK reply from the initiator.
The SYN flood is the most common type of flooding attack. It occurs when the attacker sends a large number of SYN packets to the victim; the victim answers each with a SYN/ACK and is left waiting for final ACKs that never arrive, so the third step of the TCP three-way handshake is never completed. Because the host is holding a large number of these half-open connections while it waits, genuine service requests are not processed and the service goes down. The source address of the SYN packets in a SYN flood is typically spoofed to that of an unreachable host. As a result, it is impossible to trace the attacking computer from the packets themselves.
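The symptom a defender sees on the victim is a pile of half-open connections (state SYN-RECV on Linux) that never reach ESTABLISHED, spread across many spoofed source addresses. The following added example (not part of the original page) parses constructed lines in the layout of `ss -tan` output and flags a listening socket when its half-open count is both large in absolute terms and out of proportion to its established connections. The sample addresses, the thresholds and the `ss` column layout are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample in the layout of `ss -tan` (State Recv-Q Send-Q Local Peer).
# Not a real capture: 203.0.113.5:443 has 2 established and 10 half-open
# connections from distinct sources, 203.0.113.5:22 has 1 and 1.
SAMPLE_SS_OUTPUT = """\
State    Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB    0      0      203.0.113.5:443      198.51.100.7:52210
ESTAB    0      0      203.0.113.5:443      198.51.100.8:41022
ESTAB    0      0      203.0.113.5:22       198.51.100.9:60001
SYN-RECV 0      0      203.0.113.5:22       198.51.100.10:55010
SYN-RECV 0      0      203.0.113.5:443      192.0.2.11:1025
SYN-RECV 0      0      203.0.113.5:443      192.0.2.12:1025
SYN-RECV 0      0      203.0.113.5:443      192.0.2.13:1025
SYN-RECV 0      0      203.0.113.5:443      192.0.2.14:1025
SYN-RECV 0      0      203.0.113.5:443      192.0.2.15:1025
SYN-RECV 0      0      203.0.113.5:443      192.0.2.16:1025
SYN-RECV 0      0      203.0.113.5:443      192.0.2.17:1025
SYN-RECV 0      0      203.0.113.5:443      192.0.2.18:1025
SYN-RECV 0      0      203.0.113.5:443      192.0.2.19:1025
SYN-RECV 0      0      203.0.113.5:443      192.0.2.20:1025
"""


def parse_ss(text):
    """Return (state, local, peer) tuples; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, _recv_q, _send_q, local, peer = parts[:5]
        rows.append((state, local, peer))
    return rows


def assess_half_open(rows, min_half_open=8, ratio=3.0):
    """Per local socket: half-open count, established count, distinct peers,
    and a 'suspect' flag. Thresholds are constructed for the example.

    Per-source counting is deliberately not used: in a SYN flood the sources
    are spoofed, so each spoofed address typically contributes one SYN-RECV
    and a per-source threshold never trips. The signal is the aggregate."""
    half_open = Counter()
    established = Counter()
    peers = defaultdict(set)
    for state, local, peer in rows:
        if state == "SYN-RECV":
            half_open[local] += 1
            peers[local].add(peer.rsplit(":", 1)[0])
        elif state == "ESTAB":
            established[local] += 1

    report = {}
    for local in sorted(set(half_open) | set(established)):
        ho, est = half_open[local], established[local]
        suspect = ho >= min_half_open and ho > ratio * max(est, 1)
        report[local] = {
            "half_open": ho,
            "established": est,
            "distinct_peers": len(peers[local]),
            "suspect": suspect,
        }
    return report


if __name__ == "__main__":
    for sock, info in assess_half_open(parse_ss(SAMPLE_SS_OUTPUT)).items():
        print(sock, info)
```

On a real host the same logic can be fed from `ss -tan` on a schedule; the useful follow-up metric is how quickly the half-open count recovers once the SYN backlog timeout expires, since a sustained plateau rather than a spike is what distinguishes a flood from a busy moment.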
SYN cookies provide protection against the SYN flood. With SYN cookies, the TCP software chooses the initial sequence number of its SYN/ACK so that it encodes the connection details; the server then keeps no state for the half-open connection and reconstructs what it needs from the sequence number echoed back in the client's final ACK, so a flood of SYNs costs the server no memory. The effect of a SYN attack can also be reduced by using a stateful firewall that resets pending TCP connections after a specified timeout.
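The following added example (not the page's own code, and a simplification of what real TCP stacks do) shows the SYN cookie idea end to end: the server derives its initial sequence number from a keyed MAC over the connection 4-tuple, a slowly ticking counter and an encoded MSS, stores nothing, and on the final ACK checks that `ack - 1` is a cookie it could have issued recently. The bit layout (5-bit counter, 3-bit MSS index, 24-bit MAC), the MSS table, the secret and the counter window are assumptions made for the example.

```python
import hmac
import hashlib

# Assumption: a per-server secret; a real stack would rotate it periodically.
SERVER_SECRET = b"constructed-demo-secret-rotate-me"

# Assumption: only 3 bits are available for the MSS, so the client's value is
# rounded down to an entry of this table (real stacks use a similar table).
MSS_TABLE = (536, 1220, 1460, 4460, 8960)

COUNTER_BITS = 5   # top bits: low 5 bits of a counter that ticks every ~minute
MSS_BITS = 3       # next bits: index into MSS_TABLE
MAC_BITS = 24      # low bits: truncated MAC binding 4-tuple, counter and MSS


def _mac(src_ip, src_port, dst_ip, dst_port, counter, mss_idx):
    """Keyed MAC over everything the cookie must authenticate, truncated."""
    msg = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}|{counter}|{mss_idx}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << MAC_BITS) - 1)


def encode_mss(client_mss):
    """Largest table index whose MSS does not exceed the client's."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, counter):
    """Server side, on receiving a SYN: the ISN to put in the SYN/ACK.
    Nothing is stored for this half-open connection."""
    mss_idx = encode_mss(client_mss)
    t = counter & ((1 << COUNTER_BITS) - 1)
    mac = _mac(src_ip, src_port, dst_ip, dst_port, counter, mss_idx)
    return (t << (MSS_BITS + MAC_BITS)) | (mss_idx << MAC_BITS) | mac


def check_syn_cookie(ack_num, src_ip, src_port, dst_ip, dst_port,
                     counter, max_age=4):
    """Server side, on the final ACK: the client acknowledges ISN + 1, so
    ack_num - 1 must be a cookie we issued within the last max_age counter
    ticks for this 4-tuple. Returns the recovered MSS, or None if the cookie
    is forged, stale, or belongs to a different source (e.g. a spoofed SYN
    whose SYN/ACK went to an unreachable host and was never answered)."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    t = cookie >> (MSS_BITS + MAC_BITS)
    mss_idx = (cookie >> MAC_BITS) & ((1 << MSS_BITS) - 1)
    mac = cookie & ((1 << MAC_BITS) - 1)
    if mss_idx >= len(MSS_TABLE):
        return None
    for age in range(max_age):
        c = counter - age
        if (c & ((1 << COUNTER_BITS) - 1)) != t:
            continue
        expected = _mac(src_ip, src_port, dst_ip, dst_port, c, mss_idx)
        if hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges.
    client, server = ("198.51.100.7", 40000), ("203.0.113.5", 443)
    isn = make_syn_cookie(*client, *server, client_mss=1400, counter=100)
    # A genuine client echoes isn + 1 in its ACK a moment later.
    print("genuine:", check_syn_cookie(isn + 1, *client, *server, counter=101))
    # A spoofed SYN's SYN/ACK never produces an ACK; a guessed ACK fails.
    print("forged: ", check_syn_cookie(isn + 2, *client, *server, counter=101))
```

The trade-off this illustrates is why SYN cookies are usually enabled only under pressure: the cookie has room for a rounded MSS and nothing else, so TCP options carried in the original SYN (window scaling, SACK) are lost unless the stack encodes them elsewhere, and the counter window bounds how long a client may take to send its ACK.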