SYN-Flood

SYN-flood is a simple attack method on computers on the Internet. The technique makes the hosting server so busy that it can't provide service to legitimate users. Unfortunately, SYN-flood is both difficult to detect and difficult to avoid. It is based on the fundamental technique for transferring data on the Internet, the TCP protocol. The attack exploits the way TCP connections are established between two computers on the Internet.

- When a user connects to a host computer (server), the user's computer sends a request containing a packet with a setting, a so-called SYN flag.
- The server receives the request and returns a response, called a SYN/ACK packet.
- The user's computer receives the SYN/ACK and sends a packet, an ACK, that establishes the connection.

The transaction takes approximately 1 minute, and the host computer waits for the ACK to be returned from the user's computer. The attacker utilizes this time slot for the attack. The attacker creates a program that generates a huge number of SYN requests; the server responds to each with a SYN/ACK and then waits, while the expected ACK packet, which would establish the connection between the server and user, is never returned. Most servers have a limited number of simultaneous connections, so it is rather easy to lock a server using this technique. The attackers make the requests look valid but unreachable by using non-existing IP addresses, and this makes the attack difficult to trace. Software for creating such attacks is easily available on the net.
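
The following is an added example, not part of the original page: a small model of the server's pending-connection slots that replays packet summaries and counts completed handshakes, unanswered SYN/ACKs and refused requests, which is the signal a defender can watch for. The slot limit of 5, the `looks_like_flood` heuristic and all addresses and timings are assumptions constructed for illustration.

```python
from collections import namedtuple

WAIT_SECONDS = 60   # the "approximately 1 minute" the server waits for the ACK
SLOT_LIMIT = 5      # assumed (tiny) limit on simultaneous pending connections

Report = namedtuple("Report", "completed unanswered peak_pending refused")

def analyse(packets, wait=WAIT_SECONDS, limit=SLOT_LIMIT):
    """packets: (time_s, client_ip, flag) as seen by the server, flag 'SYN' or 'ACK'."""
    pending = {}    # client -> arrival time of its SYN (SYN/ACK sent, ACK awaited)
    completed = expired = refused = peak = 0
    for t, client, flag in sorted(packets):
        # Free slots whose ACK did not arrive within the wait period.
        for c in [c for c, t0 in pending.items() if t - t0 >= wait]:
            del pending[c]
            expired += 1
        if flag == "SYN" and client not in pending:
            if len(pending) >= limit:
                refused += 1            # no free slot: this request gets no service
            else:
                pending[client] = t
                peak = max(peak, len(pending))
        elif flag == "ACK" and client in pending:
            del pending[client]         # handshake finished, slot released
            completed += 1
    return Report(completed, expired + len(pending), peak, refused)

def looks_like_flood(r):
    # Assumed heuristic: requests were refused while unanswered SYN/ACKs held slots.
    return r.refused > 0 and r.unanswered > 0

# Constructed sample data (documentation address ranges, not real traffic).
BASELINE = [(t + d, f"192.0.2.{t}", flag)
            for t in (1, 2, 3) for d, flag in ((0.0, "SYN"), (0.1, "ACK"))]
FLOOD = [(10 + i * 0.01, f"198.51.100.{i + 1}", "SYN") for i in range(20)]
LATE_USERS = [(12.0, "192.0.2.50", "SYN"), (12.1, "192.0.2.50", "ACK"),
              (75.0, "192.0.2.51", "SYN"), (75.1, "192.0.2.51", "ACK")]

if __name__ == "__main__":
    print("baseline:", analyse(BASELINE))
    print("with flood:", analyse(BASELINE + FLOOD + LATE_USERS))
```

In the constructed run, the legitimate user arriving at 12 s is refused because every slot is held by a request that never sends its ACK, while the user arriving at 75 s connects once the wait period has freed the slots.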