
SYN Denial Of Service attack

This may be a trivial question. This is regarding SYN cookies. Why are only half-open connections considered a DOS attack? It may be possible that a client completes the handshake (SYN, SYN-ACK, ACK) and never replies after that. That will also take system resources.

So if a client is flooding with the (SYN, SYN-ACK, ACK) sequence, why is that not considered a DOS attack?

asked Dec 07 '25 06:12

Aakash Jain


1 Answer

A SYN flood attack, which is what you are describing, is a specific form of Denial of Service attack. A DOS can take many forms, often unrelated to SYN requests.

The reason that a SYN flood attack is effective is because you can forge the client IP address. This allows a very large number of SYN requests from the same client, but since the SYN-ACK will never be received, there is no way of sending the ACK, and the server is left waiting for the response, hence using available connections on the server. A client sending SYN and ACK will not be using up the available connections. A large number of useless (SYN, SYN-ACK, ACK) would still be a DOS attack, just not such an effective one.

answered Dec 09 '25 01:12

Colin Pickard
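
The SYN cookie idea the question refers to, as an added sketch that is not part of the original question or answer: the server encodes the half-open state into its own initial sequence number, so a SYN from a forged address costs no memory and only a client that actually received the SYN-ACK can return a valid ACK. The key, the MSS table, the 64-second tick and the 5/3/24-bit layout are assumptions for illustration and do not reproduce any particular kernel's implementation.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-key"      # constructed; a real stack uses random secret keys
MSS_TABLE = (536, 1300, 1440, 1460)   # assumed small table of encodable MSS values
PERIOD = 64                           # seconds per time-counter tick (assumption)

def _mac24(flow, client_isn, tick, mss_idx):
    """24-bit keyed hash binding the cookie to one flow, client ISN and time tick."""
    src, sport, dst, dport = flow
    msg = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack(
        "!HHIIB", sport, dport, client_isn, tick, mss_idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(flow, client_isn, client_mss, now):
    """Server ISN to send in the SYN-ACK. Nothing is stored after this returns."""
    tick = int(now) // PERIOD
    # Largest table entry not exceeding the client's MSS (fall back to the smallest).
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return ((tick % 32) << 27) | (mss_idx << 24) | _mac24(flow, client_isn, tick, mss_idx)

def check_ack(flow, client_isn, ack_num, now):
    """Return the negotiated MSS if the ACK echoes a valid recent cookie, else None."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    tick5, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    current = int(now) // PERIOD
    for tick in (current, current - 1):   # accept the current tick or the previous one
        if tick % 32 == tick5 and hmac.compare_digest(
                (cookie & 0xFFFFFF).to_bytes(3, "big"),
                _mac24(flow, client_isn, tick, mss_idx).to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]     # only now would the server allocate a connection
    return None
```

A connection that passes `check_ack` came from an address that can receive the server's packets, which is why floods of completed handshakes can be limited per source address in a way forged SYNs cannot.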


