Servers that provide Transmission Control Protocol (TCP) services are susceptible to several kinds of Denial of Service (DoS) attacks from external hosts on the network. In one such attack, a “synchronization (SYN) flood,” external hosts send the server a constant stream of TCP connection requests (SYN segments), frequently from forged source addresses. For each request the server allocates state for a half-open connection and waits for a handshake that never completes, so the backlog of half-open connections fills and the server can no longer accept connections from legitimate clients.
Firewalls are often placed in front of servers to shield them from SYN floods. One technique they use is the “SYN cookie.” Instead of keeping state for every incoming SYN, the firewall answers each SYN with a SYN+ACK whose Initial Sequence Number (ISN) is a cookie: a value computed from the connection's source and destination addresses and ports, a slowly changing time counter, and a secret known only to the firewall, typically with a few bits reserved to encode the client's Maximum Segment Size (MSS). The firewall permits the connection to proceed to the server only if the client's ACK carries an acknowledgment number equal to that cookie plus one, which the firewall can verify by recomputing the cookie rather than by looking anything up. If the SYN came from a spoofed Internet Protocol (IP) address, the SYN+ACK is delivered to the spoofed address rather than to the attacker, so the attacker cannot learn the cookie and must guess it; with a keyed signature of even a few dozen bits, a correct guess is unlikely, and the firewall drops the forged ACK instead of opening a connection to the server. Once a cookie verifies, the firewall completes a handshake with the server on the client's behalf and translates sequence numbers between the two sides for the life of the connection. The cost of the technique is that anything negotiated in the original SYN that the cookie does not encode (TCP options such as window scaling or selective acknowledgment) is lost, which is why SYN cookies are normally enabled only while a flood is under way.
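The following is an added worked example of the exchange described above; it is not code from the original text or from any firewall product. It models the firewall side in Python: the cookie is a 32-bit ISN whose top 5 bits hold a 64-second time counter modulo 32, next 3 bits an index into a small MSS table, and low 24 bits an HMAC-SHA256 truncation over the 4-tuple and counter. The secret, the flow addresses, and the `handshake` helper that stands in for the client and attacker are constructed for the example. A legitimate client that saw the SYN+ACK answers with `ISN + 1` and is forwarded; an attacker behind a spoofed address never saw the SYN+ACK and must guess, and a stale or tampered cookie is rejected.

```python
import hashlib
import hmac
import ipaddress
import struct

# Firewall-side secret. Fixed here so the example is reproducible; a real
# firewall draws it from a CSPRNG at start-up and rotates it periodically.
SECRET = bytes.fromhex("4f1d9c2ab7e3506d8a2c4e6f1b3d5a79c0e2f4a6b8d0c2e4f6081a3c5e7092b4")

# Seconds per counter tick. A cookie is accepted in the tick it was issued
# and the following one, so a client has between TICK and 2*TICK seconds to reply.
TICK = 64

# MSS values the cookie can encode in its 3 MSS bits (index 0 is the fallback).
MSS_TABLE = (536, 1220, 1440, 1460)


def _tick(now: float) -> int:
    return int(now) // TICK


def _mac24(flow: tuple, tick: int) -> int:
    """24-bit keyed hash over (src_ip, src_port, dst_ip, dst_port, tick)."""
    src_ip, src_port, dst_ip, dst_port = flow
    msg = (ipaddress.ip_address(src_ip).packed
           + ipaddress.ip_address(dst_ip).packed
           + struct.pack("!HHQ", src_port, dst_port, tick))
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(flow: tuple, mss: int, now: float) -> int:
    """ISN the firewall places in its SYN+ACK.

    Layout (32 bits): [5 bits: tick mod 32][3 bits: MSS index][24 bits: MAC]
    The largest table entry not exceeding the client's MSS is encoded.
    """
    tick = _tick(now)
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i
    return ((tick & 0x1F) << 27) | (mss_idx << 24) | _mac24(flow, tick)


def check_syn_cookie(flow: tuple, ack_number: int, now: float):
    """Validate the ACK that completes the handshake.

    Returns the MSS encoded in the cookie when ack_number == cookie + 1 for a
    cookie this firewall issued to this 4-tuple in the current or previous
    tick; returns None otherwise. No per-connection state is consulted.
    """
    cookie = (ack_number - 1) & 0xFFFFFFFF
    tick_bits = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):        # forged cookie: index outside the table
        return None
    mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
    current = _tick(now)
    for tick in (current, current - 1):
        if (tick & 0x1F) != tick_bits:
            continue
        if hmac.compare_digest(mac, _mac24(flow, tick).to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


def handshake(flow: tuple, client_mss: int, now: float, attacker_guess=None):
    """Model one handshake through the firewall (constructed helper).

    client -> firewall : SYN(mss=client_mss)
    firewall -> client : SYN+ACK(seq=cookie)       -- goes to the *source address*
    client -> firewall : ACK(ack=cookie+1)
    A spoofed-source attacker never receives the SYN+ACK and can only guess.
    Returns the MSS the firewall would use toward the server, or None (dropped).
    """
    isn = make_syn_cookie(flow, client_mss, now)
    ack = attacker_guess if attacker_guess is not None else (isn + 1) & 0xFFFFFFFF
    return check_syn_cookie(flow, ack, now + 1)


if __name__ == "__main__":
    flow = ("198.51.100.7", 40000, "203.0.113.10", 443)   # constructed 4-tuple
    print("legitimate client:", handshake(flow, 1460, 1_000_000.0))
    print("spoofed attacker  :", handshake(flow, 1460, 1_000_000.0, attacker_guess=0x12345678))
```

The MSS returned by `check_syn_cookie` is what the firewall uses when it opens the server-side connection, since the original SYN (and its options) was never stored. Widening the MAC beyond 24 bits is not possible without shrinking the counter or MSS fields, which is the trade-off that makes the time window and the short MSS table necessary.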