SYN Flood

Every TCP client-server conversation begins with the standard three-way handshake: the client sends a SYN packet, the server responds with a SYN-ACK, and the client completes the exchange with an ACK. Only after that third packet is the TCP connection established. In a SYN flood attack, the client sends massive numbers of SYN requests and never responds to the SYN-ACK messages from the server.

This leaves the server holding half-open connections, each waiting for a final ACK that never arrives. Every half-open connection occupies an entry in the TCP connection table (the SYN queue), and the flood eventually fills the table, so that further connection attempts, legitimate or otherwise, are refused.

To mitigate a SYN flood attack, the F5 BIG-IP system uses SYN cookies, implemented in specialized F5 hardware (the Packet Velocity Accelerator, or PVA). A setting called the SYN Check Activation Threshold sets the maximum number of half-open connections allowed in the SYN queue. If this limit is reached, the system assumes a defensive posture against a potential SYN flood attack.

The BIG-IP system does this by discarding the SYN entries queued so far and, from then on, keeping no state for new SYN requests. It can discard this data because the last part of the three-way handshake contains an encoded reference to the original SYN request: the server's initial sequence number in the SYN-ACK is a cookie computed from the connection's addresses and ports rather than a value it has to remember, and the client's final ACK acknowledges exactly that number. So if the ACK arrives and its cookie validates, the SYN request was genuine and not part of the SYN flood attack, and the BIG-IP system reconstructs the original connection from the data in the ACK and allows it access to the protected network. A SYN that is never followed by an ACK costs the system nothing beyond the SYN-ACK it already sent.

The attacker's SYN requests still receive SYN-ACK responses, so the attacker sees nothing to suggest the attack is failing, but the connection table never reaches capacity because only connection requests that complete the handshake with a valid cookie earn a slot in it.
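The whole sequence above (a bounded SYN queue, the threshold flipping the server into a stateless posture, the cookie carried back in the final ACK, and the reconstruction of a genuine connection from that ACK) in working code, as an added example for this page. It is not F5 BIG-IP or PVA code and does not describe how PVA encodes its cookies. The cookie layout (an 8-bit slow counter in the high bits, a 24-bit keyed-hash field carrying an index into a small MSS table) follows the widely published scheme used by open-source TCP stacks; the keyed hash (HMAC-SHA256 truncated to 32 bits), the MSS table, the threshold of 64, the attacker's spoofed source addresses and every address and port are assumptions chosen for the demonstration.

```python
"""Toy SYN-cookie server modelling the defense described above (added example, not F5 code)."""
import hashlib, hmac, os, socket, struct

M32 = 0xFFFFFFFF
COOKIE_BITS = 24                      # low 24 bits: keyed hash plus MSS index; high 8 bits: counter
COOKIE_MASK = (1 << COOKIE_BITS) - 1
MSS_TABLE = (536, 1300, 1440, 1460)   # assumed table; the ISN only has room for an index into it
MAX_COUNTER_AGE = 2                   # accept cookies minted in this tick or the two before it


def _h(secret, saddr, daddr, sport, dport, count):
    """32-bit keyed hash over the 4-tuple and counter (HMAC-SHA256 here is an assumption)."""
    msg = socket.inet_aton(saddr) + socket.inet_aton(daddr) + struct.pack(">HHI", sport, dport, count)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def _mss_index(mss):
    """Index of the largest table entry not above the advertised MSS (0 if none fits)."""
    return max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)


def make_cookie(secrets, saddr, daddr, sport, dport, client_isn, mss, count):
    """Server ISN for the SYN-ACK. Nothing about the SYN is stored: the flow identity,
    the client's ISN, the counter and the MSS choice are all folded into this number."""
    count &= 0xFF
    h1 = _h(secrets[0], saddr, daddr, sport, dport, 0)
    h2 = _h(secrets[1], saddr, daddr, sport, dport, count)
    return (h1 + client_isn + (count << COOKIE_BITS) + ((h2 + _mss_index(mss)) & COOKIE_MASK)) & M32


def check_cookie(secrets, saddr, daddr, sport, dport, client_isn, cookie, now_count):
    """Validate the cookie the final ACK carries (as ack-1). Returns the MSS to use for the
    reconstructed connection, or None if the cookie is forged, for another flow, or too old."""
    h1 = _h(secrets[0], saddr, daddr, sport, dport, 0)
    c = (cookie - h1 - client_isn) & M32          # strips h1 and the client's ISN
    count = c >> COOKIE_BITS
    if (now_count - count) & 0xFF > MAX_COUNTER_AGE:
        return None
    h2 = _h(secrets[1], saddr, daddr, sport, dport, count)
    idx = (c - h2) & COOKIE_MASK
    return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None


class SynServer:
    """Listener with a bounded half-open table that switches to stateless cookies at the threshold."""

    def __init__(self, threshold, secrets, addr="203.0.113.10", port=443):
        self.threshold, self.secrets, self.addr, self.port = threshold, secrets, addr, port
        self.half_open = {}        # (saddr, sport) -> (server_isn, client_isn)
        self.established = set()
        self.cookies_active = False
        self.counter = 0           # advanced by the caller on a slow clock (about a minute per tick)

    def on_syn(self, saddr, sport, client_isn, mss):
        """Returns the server ISN placed in the SYN-ACK."""
        if not self.cookies_active and len(self.half_open) >= self.threshold:
            self.cookies_active = True
            self.half_open.clear()     # defensive posture: discard the queued SYN entries
        if self.cookies_active:
            return make_cookie(self.secrets, saddr, self.addr, sport, self.port,
                               client_isn, mss, self.counter)
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[(saddr, sport)] = (isn, client_isn)
        return isn

    def on_ack(self, saddr, sport, seq, ack):
        """Final ACK of the handshake. Returns True if a connection is established."""
        key = (saddr, sport)
        if key in self.half_open:
            isn, cisn = self.half_open.pop(key)
            ok = ack == ((isn + 1) & M32) and seq == ((cisn + 1) & M32)
        elif self.cookies_active:  # no stored state: rebuild the connection from the ACK alone
            mss = check_cookie(self.secrets, saddr, self.addr, sport, self.port,
                               (seq - 1) & M32, (ack - 1) & M32, self.counter)
            ok = mss is not None
        else:
            ok = False
        if ok:
            self.established.add(key)
        return ok


def run_flood_demo(threshold=64, attack_syns=1000):
    """Constructed scenario: spoofed SYN flood, then a legitimate client, a forged ACK and a late ACK."""
    srv = SynServer(threshold, (os.urandom(16), os.urandom(16)))
    for i in range(attack_syns):           # attacker: SYNs that are never followed by an ACK
        srv.on_syn(f"198.51.100.{i % 250 + 1}", 1024 + i, 0x1000 + i, 1460)
    backlog_after_flood = len(srv.half_open)

    client, cport, cisn = "192.0.2.55", 40000, 0x5EED0000   # legitimate client, mid-flood
    isn = srv.on_syn(client, cport, cisn, 1460)
    legit_ok = srv.on_ack(client, cport, (cisn + 1) & M32, (isn + 1) & M32)

    forged_ok = srv.on_ack("198.51.100.9", 5555, 0x1001, 0x12345679)  # guessed ack number

    slow, sport2, sisn = "192.0.2.77", 41000, 0x7A7A0000     # client whose ACK arrives too late
    isn2 = srv.on_syn(slow, sport2, sisn, 1460)
    srv.counter += MAX_COUNTER_AGE + 1
    stale_ok = srv.on_ack(slow, sport2, (sisn + 1) & M32, (isn2 + 1) & M32)

    return {"cookies_active": srv.cookies_active, "backlog_after_flood": backlog_after_flood,
            "legit_ok": legit_ok, "forged_ok": forged_ok, "stale_ok": stale_ok,
            "established": len(srv.established)}
```

Running `run_flood_demo()` shows the half-open table empty after the flood, the legitimate client established from its ACK alone, and both the guessed ACK and the late ACK rejected. Two caveats that apply to SYN cookies in general, not just this toy: a cookie has room for only a few bits of the client's TCP options, so options not encoded (window scaling, SACK) are lost for cookie-built connections unless the implementation recovers them some other way, and the secrets must be rotated and the counter window kept short, since the cookie, not a stored entry, is the only thing standing between a guessed ACK and a slot in the connection table.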