SYN cookies prevent SYN flooding, a type of DoS attack that overwhelms a server’s queue with unanswered requests. SYN cookies allow the server to act as if it has a larger queue than it does, bypassing the attack. The cookies do not pose a security threat and do not cause connectivity problems.
SYN cookies are a way for server administrators to prevent a form of denial of service (DoS) attack known as SYN flooding. This type of attack abuses the process by which a connection is established between a client and a host, known as a three-way handshake, to overload the host with client requests, causing the system to freeze. Such attacks have largely become obsolete, however, through methods such as the use of SYN cookies that circumvent them. These cookies do not pose a security threat or risk to either the host or clients and do not cause connectivity problems.
SYN cookies build on the basic way many servers and users, or host and client systems, connect to each other. This process is known as a three-way handshake and begins when the client system sends a connection request to the host system. The request is called a synchronize message, or SYN, and is received by the host system. The host system then acknowledges that the SYN has been received by sending an acknowledgment message, or SYN-ACK message, to the client.
Once the client system receives this SYN-ACK message, the client sends a final ACK message to the host. When the host system receives this final ACK, it allows the client to connect to the system and can then receive additional SYN requests from other clients. Most host servers have a fairly small queue for SYN requests, usually only eight at a time.
The form of DoS attack known as SYN flooding uses this small queue to overwhelm a host system. A SYN message is sent and answered by a SYN-ACK from the host, but the client never sends the final ACK message, which keeps a position in the queue occupied. If this is done correctly during a SYN flood attack, the entire queue becomes filled with these unanswered requests and is unable to accept new requests from legitimate clients.
SYN cookies help defeat this type of attack by allowing a host to act as if it has a larger queue than it really does. In the event of a SYN flood attack, the host can use SYN cookies to send a SYN-ACK to a client, but delete the SYN entry for that client. This basically allows the host to act as if no SYN was ever received.
However, once this SYN-ACK with SYN cookies is received by the client, the corresponding ACK sent to the host includes the original SYN-ACK data. The host can then use this ACK and the included SYN cookies to reconstruct the original SYN-ACK and the appropriate entry for that original request. Once this is done, the client may be allowed to connect to the host, but the whole process has effectively bypassed the queue, which might otherwise be occupied by a SYN flood attack.
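The stateless exchange described above can be sketched in code. This is an added example, not taken from the original article or from any operating system's implementation. The cookie layout (5-bit time counter, 2-bit MSS index, 25-bit HMAC-SHA256 tag), the 64-second tick, the MSS table, the secret and the addresses are all assumptions constructed for illustration.

```python
import hashlib, hmac, socket, struct

SECRET = b"constructed-demo-key"       # constructed; a real host uses a random secret
MSS_TABLE = [536, 1300, 1440, 1460]    # assumed table, indexed by 2 cookie bits
TICK, MAX_AGE = 64, 2                  # assumed: 64 s counter ticks, accept up to 2 ticks old
MAC_MASK = (1 << 25) - 1               # assumed layout: 5-bit counter | 2-bit MSS | 25-bit MAC

def _mac(src_ip, src_port, dst_ip, dst_port, client_isn, counter, mss_idx):
    """Keyed hash over the details the host would otherwise keep in its queue."""
    msg = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack(
        "!HHIBB", src_port, dst_port, client_isn, counter, mss_idx)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC_MASK

def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, client_mss, now):
    """Build the SYN-ACK sequence number; nothing is stored for this client."""
    counter = (now // TICK) % 32
    # Largest table entry that does not exceed the client's MSS (index 0 as floor).
    mss_idx = max(i for i, m in enumerate(MSS_TABLE) if m <= client_mss or i == 0)
    mac = _mac(src_ip, src_port, dst_ip, dst_port, client_isn, counter, mss_idx)
    return (counter << 27) | (mss_idx << 25) | mac

def check_cookie(src_ip, src_port, dst_ip, dst_port, ack_seq, ack_num, now):
    """Validate the final ACK; return the negotiated MSS, or None to drop it."""
    cookie = (ack_num - 1) & 0xFFFFFFFF       # client acknowledges cookie + 1
    client_isn = (ack_seq - 1) & 0xFFFFFFFF   # client's own ISN + 1
    counter, mss_idx, mac = cookie >> 27, (cookie >> 25) & 3, cookie & MAC_MASK
    if ((now // TICK) - counter) % 32 > MAX_AGE:
        return None                           # outside the accepted time window
    expected = _mac(src_ip, src_port, dst_ip, dst_port, client_isn, counter, mss_idx)
    if not hmac.compare_digest(mac.to_bytes(4, "big"), expected.to_bytes(4, "big")):
        return None                           # forged or corrupted ACK
    return MSS_TABLE[mss_idx]                 # enough to rebuild the connection entry

def demo():
    """Constructed handshake using documentation-range addresses."""
    conn = ("198.51.100.7", 40000, "192.0.2.10", 443)
    isn, now = 0x12345678, 1000
    cookie = make_cookie(*conn, isn, 1400, now)
    ack = (cookie + 1) & 0xFFFFFFFF
    bad_ack = ((cookie ^ 1) + 1) & 0xFFFFFFFF  # one flipped tag bit
    return {
        "valid": check_cookie(*conn, isn + 1, ack, now + 64),
        "tampered": check_cookie(*conn, isn + 1, bad_ack, now + 64),
        "expired": check_cookie(*conn, isn + 1, ack, now + 64 * 5),
    }
```

Because the host keeps no per-client entry between the SYN-ACK and the ACK, a flood of SYNs that are never completed consumes no queue slots; only an ACK carrying a valid, recent cookie causes a connection entry to be created.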