Is SYN flooding still a threat?

Question

Well recently I've been reading about different Denial of Service methods. One method that kind of stuck out was SYN flooding. I'm a member of some not-so-nice forums, and someone was selling a python script that would DoS a server using SYN packets with a spoofed IP address.

However, if you sent a SYN packet to a server, with a spoofed IP address, the target server would return the SYN/ACK packet to the host that was spoofed. In which case, wouldn't the spoofed host return an RST packet, thus negating the 75 second long-wait, and ultimately failing in its attempt to DoS the server?

EDIT: And what if I'm not using SYN cookies?

Answer 1

I believe recent OSes will support Syn Cookies which aid in preventing this sort of attack. You can enable it with /proc/sys/net/ipv4/tcp_syncookies in Linux.

Answer 2

thanks to syncookies, the threat of syn flooding is kind of minimal these days. http://en.wikipedia.org/wiki/SYN_cookies

basically when a syn packet is received, the server sends a cookie, and if the guest responds with the proper response, the connection is established.

syn_flooding used to cause issues, because the servers had to keep the connections open, waiting for the rest of the handshake.

Answer 3

In my understanding, the spoofed IP address in that scenario is usually the server under attack... An attacker will use multiple senders sending out the same spoofed IP SYN packets to multiple recipients, all of which will respond to the same IP with SYN/ACK and poof... DDOS.

As to your title, I don't know if it's still a viable attack though.