TCP SYN Flooding Attacks and Common Mitigations

This RFC 4987 was published in 2007.


This document describes TCP SYN flooding attacks, which have been well-known to the community for several years.
Various countermeasures against these attacks, and the trade-offs of each, are described.
This document archives explanations of the attack and common defense techniques for the benefit of TCP implementers and administrators of TCP servers or networks, but does not make any standards-level recommendations.

RFC 4987 introduction

The SYN flooding attack is a denial-of-service method affecting hosts that run TCP server processes.
The attack takes advantage of the state retention TCP performs for some time after receiving a SYN segment to a port that has been put into the LISTEN state.
The basic idea is to exploit this behavior by causing a host to retain enough state for bogus half-connections that there are no resources left to establish new legitimate connections.

Download links

Click here to download RFC 4987: TXT format PDF format (coming soon)

Related Request for Comments

Popular RFCs

©2015 - all rights reserved.