TCP is one of the transport layer protocols of the Internet and is the basis for many network applications. The TCP SYN package flood attack is a denial-of-service attack that is commonly seen in networks. Implementing this attack is simple, but it can be destructive: the resources of an attacked server can be used up and, in the worst case, the operating system can crash, so that no legitimate connection request can be answered.
The TCP SYN package flood attack occurs during the three-way handshake of TCP connection establishment. Suppose a client sends a TCP SYN connection request package to a server to request a TCP connection, and the client then dies or goes offline suddenly. In this case, after the server sends a TCP SYN response package to the client, it cannot obtain the TCP SYN acknowledgment package for that TCP SYN response package from the client, i.e., the three-way handshake cannot be completed. In general, the server will retransmit a new TCP SYN response package. After waiting for a period of time, if the TCP SYN acknowledgment package for the new TCP SYN response package is still not received, the server discards the connection.
In a normal situation, these are only rare accidents. Nevertheless, if an attacker intentionally and maliciously simulates this situation, the server must spend a lot of resources to deal with these half-open TCP connections. Eventually, the server's stacks will overflow and the server will crash. While the server is dealing with TCP SYN package attacks, it cannot respond to normal requests; from the client's point of view, the server's response is lost. To prevent the TCP SYN package flood attack, the server itself can take some measures, but they are limited and only effective for a specific system. In practice, most networks use a firewall to prevent the TCP SYN package flood attack.
At present, to prevent a TCP SYN package flood attack, the firewall monitors the TCP connection. The principle of the method is shown in FIG. 1, and the working procedure is as follows:
1. When the firewall receives a TCP SYN connection request package from a client, the firewall forwards the TCP SYN connection request package to a server;
2. The server responds to the firewall with a TCP SYN response package, and the firewall forwards the TCP SYN response package to the client;
3. The firewall sends a TCP SYN acknowledgement package for the TCP SYN response package to the server;
4. Depending on whether the connection request is legal, two possibilities arise:
    (a) if the TCP SYN connection request package from the client is legal, the firewall forwards the TCP SYN acknowledgement package from the client to the server, but the server ignores this TCP SYN acknowledgement package since the connection has already been established;
    (b) if the TCP SYN connection request package from the client is illegal, or the TCP SYN acknowledgement package from the client is out of time, the firewall sends a Reset package to the server and the server disconnects the connection.
The above method can prevent the TCP SYN package flood attack to a certain degree, but it has an obvious drawback: whether a TCP SYN connection request package is legal or not, it is forwarded directly to the server, and only after the TCP SYN connection request package has been judged illegal is the connection discarded. Even so, the server is affected by the TCP SYN package flood attack and server resources are wasted.
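The FIG. 1 procedure and the drawback just described can be seen in a small constructed simulation (an added example, not code from the patent): a Server counts the SYN packages that reach it and the connections it holds, while a Firewall applies steps 1 to 4 and resets half-open entries once the client acknowledgement times out. The client names, the timeout value and the tick-based clock are assumptions of the model.

```python
# Added simulation (not the patent's code) of the FIG. 1 firewall behaviour.
class Server:
    def __init__(self):
        self.syn_seen = 0      # SYN packages that reached the server at all
        self.established = 0   # connections the server currently holds open
        self.reset = 0         # connections torn down by a firewall Reset
    def on_syn(self):
        self.syn_seen += 1
        return "SYN-ACK"       # the TCP SYN response package
    def on_ack(self):
        self.established += 1  # handshake completed by the firewall's ACK
    def on_rst(self):
        self.established -= 1
        self.reset += 1

class Firewall:
    def __init__(self, server, timeout):
        self.server, self.timeout = server, timeout
        self.pending = {}      # client -> time the firewall ACKed the server
    def client_syn(self, client, now):
        # Steps 1-3: forward the SYN, relay the SYN-ACK, ACK the server itself
        reply = self.server.on_syn()
        self.server.on_ack()
        self.pending[client] = now
        return reply           # relayed to the client
    def client_ack(self, client, now):
        # Step 4(a): a timely client ACK is forwarded; the server ignores it
        if client in self.pending and now - self.pending[client] <= self.timeout:
            del self.pending[client]
            return "forwarded"
        return "dropped"
    def tick(self, now):
        # Step 4(b): timed-out half-open entries are answered with a Reset
        expired = [c for c, t in self.pending.items() if now - t > self.timeout]
        for c in expired:
            del self.pending[c]
            self.server.on_rst()
        return len(expired)

def simulate(flood, legit, timeout=5):
    # Spoofed flood clients never ACK; legitimate clients ACK one tick later
    srv = Server()
    fw = Firewall(srv, timeout)
    for i in range(flood + legit):
        fw.client_syn(f"client{i}", now=0)
    for i in range(flood, flood + legit):
        fw.client_ack(f"client{i}", now=1)
    fw.tick(now=timeout + 1)
    return srv.syn_seen, srv.established, srv.reset
```

With 100 flood clients and 3 legitimate ones, `simulate(100, 3)` returns `(103, 3, 100)`: every SYN reached the server and 100 connections had to be reset after the timeout, which is the wasted server resource the text describes.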