After this lesson, you will be able to: Explain how SYN floods exhaust the connection table, how SYN cookies defend, the categories of DDoS (volumetric, protocol, application-layer including Slowloris), amplification attacks, and modern defenses; demonstrate a SYN flood in a lab.
Denial of service is about exhausting a resource. This lesson covers SYN floods and the half-open state, SYN cookies, the broad DDoS categories, Slowloris (low-bandwidth application-layer attacks), amplification attacks, defenses including Cloudflare and anycast, and an hping3 SYN-flood lab.
Recall the TCP handshake. In a SYN flood, the attacker sends many SYN packets with spoofed source IPs. The server replies SYN-ACK to each and allocates state in its connection table, waiting for the ACK that never arrives. These half-open connections pile up until the table is full and the server can accept no new connections, including legitimate ones. The resource being exhausted is the connection table, not bandwidth.
SYN cookies let the server avoid storing state for half-open connections. Instead of saving connection state on SYN, the server encodes the necessary state into the sequence number it sends in the SYN-ACK (a cryptographic function of the connection details). If a real ACK comes back, the server reconstructs the state from the acknowledged number. No table entry is held for connections that never complete, so the flood cannot exhaust it.
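How a server can push the half-open state into the SYN-ACK sequence number and verify it when the ACK returns, as an added Python example that is not part of the lesson; it is a simplified teaching version of the idea, not the Linux kernel's exact layout, and the key, MSS table, addresses, ports and clock values are constructed:

```python
import hmac, hashlib, time

# Simplified SYN-cookie scheme (constructed teaching version, not the kernel's exact layout).
# 32-bit SYN-ACK seq = [5b time counter][3b MSS index][24b MAC over 4-tuple, counter, client ISN].
# Nothing is stored per half-open connection; the returning ACK is checked from the number alone.
SECRET = b"constructed-demo-key"     # a real server would use a random, periodically rotated key
MSS_TABLE = [536, 1220, 1440, 1460]  # the few MSS values we can encode in 3 bits
COUNTER_PERIOD = 64                  # seconds per counter tick; cookies age out after ~2 ticks

def _counter(now):
    return int(now // COUNTER_PERIOD) & 0x1F

def _mss_index(mss):
    # Largest encodable MSS not exceeding what the client offered.
    return max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)

def _mac(src_ip, src_port, dst_ip, dst_port, count, client_isn):
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{count}|{client_isn}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]   # 24-bit truncation

def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now=None):
    """Server side on SYN: build the SYN-ACK sequence number instead of a table entry."""
    now = time.time() if now is None else now
    count = _counter(now)
    mac = int.from_bytes(_mac(src_ip, src_port, dst_ip, dst_port, count, client_isn), "big")
    return (count << 27) | (_mss_index(mss) << 24) | mac

def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, ack_num, now=None):
    """Server side on ACK: recover the MSS if the cookie is fresh and genuine, else None."""
    now = time.time() if now is None else now
    cookie = (ack_num - 1) & 0xFFFFFFFF          # the client acknowledges our seq + 1
    count, idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if (_counter(now) - count) & 0x1F > 1:       # accept the current or previous tick only
        return None
    if idx >= len(MSS_TABLE):
        return None
    expected = _mac(src_ip, src_port, dst_ip, dst_port, count, client_isn)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected):
        return None
    return MSS_TABLE[idx]

if __name__ == "__main__":
    t0 = 1_000_000.0                              # constructed clock
    peer = ("198.51.100.7", 40000, "203.0.113.5", 80, 12345)
    c = make_syn_cookie(*peer, 1460, t0)
    print("SYN-ACK seq:", hex(c))
    print("legit ACK ->", check_syn_cookie(*peer, (c + 1) & 0xFFFFFFFF, t0 + 5))
    print("wrong ACK ->", check_syn_cookie(*peer, (c + 2) & 0xFFFFFFFF, t0 + 5))
    print("stale ACK ->", check_syn_cookie(*peer, (c + 1) & 0xFFFFFFFF, t0 + 300))
```

A flood of spoofed SYNs costs the server only the MAC computation per packet; because the 4-tuple is bound into the MAC, an ACK from a different address or a guessed number recovers nothing.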
Volumetric attacks (ICMP flood, UDP flood) try to saturate bandwidth. Protocol attacks (SYN flood, Ping of Death) exhaust connection-level resources. Application-layer attacks (HTTP flood, Slowloris) exhaust the application with seemingly valid requests. Slowloris is striking: it sends partial HTTP headers very slowly, holding many connections open without ever finishing a request, exhausting the server's connection pool on tiny bandwidth. DDoS does not require a huge pipe; it requires exhausting the right resource.
Amplification attacks abuse servers that send a large response to a small spoofed request: DNS and NTP amplification let an attacker spoof the victim's IP, send tiny queries to open resolvers, and have huge replies flood the victim. Defenses: SYN cookies for SYN floods, rate limiting, and large-scale providers like Cloudflare that absorb volumetric attacks across a distributed anycast network (the same IP advertised from many locations so attack traffic is spread and filtered near its source). Hiding your origin IP behind such a network is essential.
Lab requirements: an isolated network and your own target container.
1. On an isolated network, run a target container with a listening service.
2. On the target, watch its connection table fill: run watch -n1 'netstat -ant | grep SYN_RECV | wc -l'.
3. From Kali, launch a SYN flood at the target: hping3 -S -p 80 --flood <target_ip>.
4. Observe SYN_RECV entries climbing and legitimate connections failing.
5. Enable SYN cookies on the target (sysctl -w net.ipv4.tcp_syncookies=1) and repeat; observe the target staying responsive.
Believing DDoS always means huge bandwidth (Slowloris proves otherwise). Leaving SYN cookies off on internet-facing servers. Running open DNS/NTP resolvers that become amplifiers for others. Exposing the origin IP so attackers bypass your DDoS provider. Treating rate limiting alone as DDoS protection for volumetric floods (you need upstream absorption). Testing floods against anything but your own isolated lab.