Specifically, a SYN attack, or SYN flood attack, is a well-known TCP/IP attack in which a malicious attacker targets a vulnerable device and effectively denies it from establishing new TCP connections.

The SYN attack is characterized by the following pattern:

Using a spoofed IP address, an attacker sends multiple SYN packets to a listening TCP port on the target machine (the victim). For each SYN packet received, the target machine allocates resources and sends an acknowledgement (SYN-ACK) to the source IP address. The TCP connection is called a half-open connection at this point since the initiating side did not yet send back an acknowledgment (termed the third ACK).

Because the target machine does not receive a response from the attacking machine, it attempts to resend the SYN-ACK, typically five times, at 3-, 6-, 12-, 24-, and 48-second intervals, before de-allocating the resources, 96 seconds after attempting the last resend. Altogether, the target machine typically allocates resources for over three minutes to respond to a single SYN attack.

When an attacker uses this technique repeatedly, the target machine eventually runs out of memory resources since it holds numerous half-open connections. It is unable to handle any more connections, thereby denying service to legitimate users.

Moreover, flooding the victim with TCP SYN at a high rate can cause the internal queues to fill up, also causing a denial of service.