F5 GLOSSARY

SYN

What is SYN?

In TCP, SYN refers to the packet sent from a client to a server to initiate a connection. Establishing a TCP connection follows these steps:

  1. The client first sends a SYN packet to the server.
  2. The server responds with a SYN/ACK packet, acknowledging the request. At this point, the server reserves resources in a connection table to hold connection details, establishing a half-open connection state.
  3. Upon receiving the SYN/ACK packet, the client responds with an ACK packet.
  4. When the server receives the ACK packet, the connection is fully established.

This connection process, involving three packet exchanges, is called a 3-way handshake. It lets the server confirm that its reply packets actually reached the client. However, if the client spoofs the source IP address, the SYN/ACK is sent to a host that never asked for a connection, so the server never receives the final ACK. In that case the server keeps the half-open state until it times out, unnecessarily consuming resources. Malicious actors exploit this weakness in a SYN flood attack, a type of DoS/DDoS attack.

F5’s BIG-IP platform acts as a full proxy and prevents SYN floods by inspecting SYN packets before forwarding them to the server. Additionally, BIG-IP includes a feature called SYN Cookies to protect itself against large volumes of SYN packets. In this method, an MD5-generated number (called a "Cookie") is embedded in the TCP sequence number of the SYN/ACK packet. When the subsequent ACK packet is received, the Cookie is recalculated from that packet's contents and verified. This eliminates the need to store connection details at the time the SYN/ACK packet is sent, so memory is not exhausted even during a SYN flood attack.
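The following is an added example, not code from F5 or from the BIG-IP product, that models both passages above in memory: the 3-way handshake with a half-open connection table, and the same handshake done with SYN cookies. The listener classes, the tiny table capacity, the secret, the coarse clock tick, the HMAC-over-MD5 construction of the cookie and the RFC 5737 documentation addresses are all assumptions made for the demonstration; BIG-IP's internal cookie format is not described on this page. Running it shows that after a burst of SYNs whose ACKs never arrive, the table-based listener refuses an honest client while the cookie-based listener still completes its handshake and rejects an ACK carrying the wrong cookie.

```python
# Added example (not F5's code): an in-memory model of a TCP listener that
# completes the 3-way handshake either by keeping a half-open connection table
# or by using SYN cookies, to show why only the cookie variant keeps accepting
# honest clients while spoofed SYNs whose ACKs never arrive pile up.
import hashlib
import hmac
from dataclasses import dataclass

SECRET = b"constructed-demo-secret"  # assumption: per-listener secret; constructed value
TABLE_CAPACITY = 4                   # deliberately tiny backlog so exhaustion is visible
MASK32 = 0xFFFFFFFF                  # TCP sequence numbers are 32-bit and wrap


@dataclass(frozen=True)
class Segment:
    """The handful of TCP header fields the handshake depends on."""
    src_ip: str
    src_port: int
    dst_port: int
    flags: str          # "SYN", "SYN/ACK" or "ACK"
    seq: int
    ack: int = 0


def syn_cookie(src_ip: str, src_port: int, dst_port: int, counter: int) -> int:
    """Derive the 32-bit cookie carried as the SYN/ACK sequence number.

    It depends only on the connection 4-tuple, a coarse clock tick and the
    listener's secret, so it can be recomputed from the returning ACK without
    storing anything. MD5 is the hash the glossary names; keying it with HMAC is
    this example's choice (assumption), not a description of BIG-IP internals.
    """
    msg = f"{src_ip}:{src_port}:{dst_port}:{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.md5).digest()
    return int.from_bytes(digest[:4], "big")


class StatefulListener:
    """Classic handshake: every SYN reserves a slot until its ACK arrives or times out."""

    def __init__(self):
        self.half_open = {}      # (src_ip, src_port) -> server ISN
        self.established = set()
        self.dropped = 0         # SYNs refused because the table was full

    def on_syn(self, seg: Segment):
        if len(self.half_open) >= TABLE_CAPACITY:
            self.dropped += 1    # a flood fills the table; honest clients are refused too
            return None
        isn = (1000 + len(self.half_open)) & MASK32   # simplistic ISN for the model
        self.half_open[(seg.src_ip, seg.src_port)] = isn
        return Segment(seg.src_ip, seg.src_port, seg.dst_port, "SYN/ACK", isn, (seg.seq + 1) & MASK32)

    def on_ack(self, seg: Segment) -> bool:
        key = (seg.src_ip, seg.src_port)
        isn = self.half_open.get(key)
        if isn is None or seg.ack != (isn + 1) & MASK32:
            return False
        del self.half_open[key]
        self.established.add(key)
        return True


class CookieListener:
    """SYN-cookie handshake: no per-SYN state; the SYN/ACK sequence number is the cookie."""

    def __init__(self, counter: int = 0):
        self.counter = counter   # coarse clock (e.g. minutes) so stale cookies expire
        self.established = set()

    def on_syn(self, seg: Segment) -> Segment:
        cookie = syn_cookie(seg.src_ip, seg.src_port, seg.dst_port, self.counter)
        return Segment(seg.src_ip, seg.src_port, seg.dst_port, "SYN/ACK", cookie, (seg.seq + 1) & MASK32)

    def on_ack(self, seg: Segment) -> bool:
        # Recompute the cookie from the ACK's own fields; accept the current or previous tick.
        returned = (seg.ack - 1) & MASK32
        for tick in (self.counter, self.counter - 1):
            if returned == syn_cookie(seg.src_ip, seg.src_port, seg.dst_port, tick):
                self.established.add((seg.src_ip, seg.src_port))
                return True
        return False


def flood_then_honest_client(listener, unanswered_syns: int) -> bool:
    """Deliver SYNs whose ACK never comes back, then one honest handshake; report if it succeeded."""
    for i in range(unanswered_syns):   # constructed, documentation-range (RFC 5737) addresses
        listener.on_syn(Segment(f"203.0.113.{i % 250 + 1}", 40000 + i, 443, "SYN", seq=i))
    synack = listener.on_syn(Segment("198.51.100.7", 51000, 443, "SYN", seq=7))
    if synack is None:
        return False
    ack = Segment("198.51.100.7", 51000, 443, "ACK", seq=8, ack=(synack.seq + 1) & MASK32)
    return listener.on_ack(ack)


if __name__ == "__main__":
    print("stateful listener, honest client after 10 unanswered SYNs:",
          flood_then_honest_client(StatefulListener(), 10))   # False: table exhausted
    print("cookie listener, same traffic:",
          flood_then_honest_client(CookieListener(), 10))     # True: nothing to exhaust
```

The design point is in `CookieListener.on_ack`: nothing was stored when the SYN/ACK went out, so the only way an ACK can be accepted is if its acknowledgement number minus one equals a cookie the listener itself could have produced for that 4-tuple within the last two clock ticks. Unanswered SYNs therefore cost the listener one hash computation each and no memory, which is exactly the property the glossary attributes to SYN Cookies.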