Synchronization (SYN) attacks, sometimes called SYN floods, and HTTP Denial of Service (HTTP DoS) attacks are two similar methods that malicious attackers can use to slow down or disable a remote server by tying up memory and resources to prevent innocent users from accessing said resources.
In the SYN flood or SYN attack, a malicious client or clients send a plurality of SYN requests. As is usual, the appliance or server allocates memory and resources for each request and responds with SYN-ACK messages. The malicious client never responds to these SYN-ACK messages with acknowledgement messages, and the connections are not established. Rather, the server or appliance remains in a listening state waiting for the acknowledgement messages from the client or clients, and the memory and resources stay allocated to these connections, until the server or appliance times out, which may be several minutes.
A similar attack to the SYN flood is the HTTP Denial of Service (DoS) attack. In this attack, a malicious attacker or attackers establish legitimate connections with the appliance or server and send HTTP GET requests for files. In some implementations, the HTTP GET requests are incomplete requests, which tie up the server or appliance connection waiting for the remainder of the request until a timeout value expires. In other implementations, the GET requests are complete requests for very large files, which the attacker immediately discards on receipt before issuing another GET request. In these implementations, the attacker will frequently spoof or change its IP address, defeating packet-filtering solutions. The same behavior can occur non-maliciously when a breaking news event leads a large number of users to request the same data simultaneously, overloading the capabilities of the server.
In responding to HTTP DoS attacks and SYN flood attacks, one solution is to create a cookie or cookies that are transmitted to clients as part of responses and SYN-ACK messages. Because malicious attackers will discard or not process responses, if a client transmits a request that includes the cookie, the server or appliance may recognize the client as a legitimate client. These cookies may be generated using a random number generator and timers or counters.
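The cookie mechanism described above can be made stateless, so that a half-open connection costs the server no memory at all. The following is an added example, not code from the original document: a SYN-cookie style challenge in which the "cookie" is the initial sequence number placed in the SYN-ACK, derived from a keyed hash (HMAC, an assumed choice) over the connection tuple and a time-slot counter; a client that never answers the SYN-ACK leaves nothing to clean up, while a client that echoes the cookie in its ACK is recognized and admitted. Function and variable names are hypothetical.

```python
import hashlib
import hmac
import os

# Per-process secret (assumption: a real server would rotate it periodically).
SECRET = os.urandom(32)


def _tag(client_ip, client_port, server_port, counter):
    """24-bit MAC binding the cookie to the client, the server port and a time-slot counter."""
    msg = f"{client_ip}:{client_port}:{server_port}:{counter}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_syn_cookie(client_ip, client_port, server_port, counter):
    """Build the 32-bit initial sequence number sent in the SYN-ACK.

    High 8 bits carry the low byte of the counter (the time slot), low 24 bits the MAC.
    No per-connection state is stored, so a flood of unanswered SYN-ACKs ties up nothing.
    """
    tag = int.from_bytes(_tag(client_ip, client_port, server_port, counter), "big")
    return ((counter & 0xFF) << 24) | tag


def check_syn_cookie(client_ip, client_port, server_port, ack_num, current_counter, max_age=3):
    """Validate the ACK that completes the handshake.

    Returns the counter the cookie was minted with, or None if the cookie is forged,
    older than max_age slots, or was issued to a different client or port.
    """
    isn = (ack_num - 1) & 0xFFFFFFFF  # the client acknowledges ISN + 1
    slot = isn >> 24
    got = (isn & 0xFFFFFF).to_bytes(3, "big")
    for age in range(max_age + 1):  # accept cookies from the last few slots only
        cand = current_counter - age
        if cand & 0xFF == slot and hmac.compare_digest(
            got, _tag(client_ip, client_port, server_port, cand)
        ):
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample handshake: cookie minted in slot 100, ACK arrives in slot 101.
    cookie = make_syn_cookie("203.0.113.5", 40000, 80, 100)
    print("fresh ACK accepted:", check_syn_cookie("203.0.113.5", 40000, 80, cookie + 1, 101))
    print("stale ACK rejected:", check_syn_cookie("203.0.113.5", 40000, 80, cookie + 1, 105))
```

The same keyed-hash token can be issued as an HTTP cookie in a response and checked on the next request, which is the HTTP DoS counterpart of the mechanism above.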