A normal TCP handshake. With a SYN flood, the second message (SYN-ACK) goes to an error ip address. While the server is waiting for the ACK message (which never comes), the reserved resources will remain in use.
A SYN (synchronous) flood is a DoS attack. With a SYN flood, a large number of connection requests are done by sending a large number of SYN packets with incorrect source IP addresses to a server. For each request, a server reserves sources (for example, memory or socket). If the server returns a message to indicate that it is ready for the connection, this message will be sent to the wrong IP address. The server will not receive a message again and while the server waits for response, the reserved resources will remain in use. If a large number of these types of applications are sent instantly, this can cause the server to no longer reach "real" requests or even crash the server. Operation
A SYN flood uses the TCP handshake that creates a TCP connection. To build a TCP connection, the client sends a TCP packet to the server with the so-called SYN flag. If the server accepts the connection, a package is returned with both a SYN and ACK flag. If the client then accepts the server, it sends a package with the ACK flag to the server. Because with a SYN flood, the client's address in the SYN message is falsified, the server sends the SYN-ACK message to a non-existent or non-responding "innocent" client. Because no ACK message is returned, the server assumes something went wrong and sends the SYN-ACK message again after a short break. This repeats several times with longer breaks, until the server specifies it. For example, on servers that use Windows NT, this process may take more than three minutes.
wiki
