A TCP SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.

Malware/Threat actors

Preventions

  • One mitigation is to rate limit the number of unique connections from a source IP address or to a destination port.
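The following Python simulation is an added example, not code from the original page: a sliding-window limiter that enforces the two budgets named in the bullet above, new connection attempts per source IP and per destination port. The class name, the limits (5 per source, 20 per port, 1-second window) and the two traffic scenarios are all constructed for the example. Running both scenarios shows why the page names both keys: a flood from one address is stopped by the per-source budget, while a flood spread over many (spoofed) addresses never trips it and is only caught by the per-port budget.

```python
"""Sliding-window rate limiting of new TCP connections, keyed by source IP and
by destination port. Hypothetical example code; not from any real firewall."""
from collections import defaultdict, deque


class SynRateLimiter:
    """Admit at most ``max_per_source`` new connections from one source IP and at
    most ``max_per_port`` new connections to one destination port within a rolling
    ``window`` of seconds. Only admitted attempts consume budget."""

    def __init__(self, max_per_source, max_per_port, window):
        self.max_per_source = max_per_source
        self.max_per_port = max_per_port
        self.window = window
        self._by_source = defaultdict(deque)  # src_ip -> timestamps of admitted SYNs
        self._by_port = defaultdict(deque)    # dst_port -> timestamps of admitted SYNs

    def _prune(self, q, now):
        # Discard timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def allow(self, now, src_ip, dst_port):
        """Return True if the connection attempt at time ``now`` is admitted."""
        src_q = self._by_source[src_ip]
        port_q = self._by_port[dst_port]
        self._prune(src_q, now)
        self._prune(port_q, now)
        if len(src_q) >= self.max_per_source or len(port_q) >= self.max_per_port:
            return False
        src_q.append(now)
        port_q.append(now)
        return True


def simulate(events, max_per_source=5, max_per_port=20, window=1.0):
    """Feed (timestamp, src_ip, dst_port) events through a fresh limiter and
    return (admitted, denied) counts."""
    limiter = SynRateLimiter(max_per_source, max_per_port, window)
    admitted = denied = 0
    for ts, src_ip, dst_port in events:
        if limiter.allow(ts, src_ip, dst_port):
            admitted += 1
        else:
            denied += 1
    return admitted, denied


# Constructed scenarios: 50 SYNs to port 80 within half a second.
# (a) all from one address; (b) each from a different address.
SINGLE_SOURCE_FLOOD = [(i * 0.01, "203.0.113.10", 80) for i in range(50)]
SPOOFED_FLOOD = [(i * 0.01, f"198.51.100.{i + 1}", 80) for i in range(50)]

if __name__ == "__main__":
    print("single source: admitted/denied =", simulate(SINGLE_SOURCE_FLOOD))
    print("spoofed sources: admitted/denied =", simulate(SPOOFED_FLOOD))
```

With the defaults the single-source flood yields 5 admitted and 45 denied (the per-source budget), whereas the spoofed flood yields 20 admitted and 30 denied (the per-port budget alone). The per-port budget is the one that protects the listening service when source addresses cannot be trusted, at the cost of also denying legitimate clients once it is exhausted.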

Detections

Use the Bro (now Zeek) conn.log to look for a large number of connections to a particular host with conn_state set to S0 (connection attempt seen, no reply).
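As an added example (not code from the original page), the Python script below parses a constructed Zeek/Bro conn.log excerpt and reports responder hosts with many TCP connections in state S0. The column names follow the `#fields` header Zeek writes to conn.log; the addresses, uids, timestamps and the threshold of 5 are made up for the example. It goes slightly beyond the text by also counting distinct source addresses per host, which helps separate a flood from many (often spoofed) sources from a single host probing a closed port.

```python
"""Spot SYN-flood candidates in a Zeek (formerly Bro) conn.log: responder hosts
that receive many TCP connections with conn_state S0 (attempt seen, no reply)."""
from collections import Counter, defaultdict

# Constructed conn.log excerpt for this example (tab-separated, as Zeek writes it).
SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tinterval\tcount\tcount\tstring\n"
    # eight half-open attempts to 192.0.2.5:80 from eight different sources
    "1700000000.10\tC01\t203.0.113.10\t40001\t192.0.2.5\t80\ttcp\t-\t-\t-\t-\tS0\n"
    "1700000000.11\tC02\t203.0.113.11\t40002\t192.0.2.5\t80\ttcp\t-\t-\t-\t-\tS0\n"
    "1700000000.12\tC03\t203.0.113.12\t40003\t192.0.2.5\t80\ttcp\t-\t-\t-\t-\tS0\n"
    "1700000000.13\tC04\t203.0.113.13\t40004\t192.0.2.5\t80\ttcp\t-\t-\t-\t-\tS0\n"
    "1700000000.14\tC05\t203.0.113.14\t40005\t192.0.2.5\t80\ttcp\t-\t-\t-\t-\tS0\n"
    "1700000000.15\tC06\t203.0.113.15\t40006\t192.0.2.5\t80\ttcp\t-\t-\t-\t-\tS0\n"
    "1700000000.16\tC07\t203.0.113.16\t40007\t192.0.2.5\t80\ttcp\t-\t-\t-\t-\tS0\n"
    "1700000000.17\tC08\t203.0.113.17\t40008\t192.0.2.5\t80\ttcp\t-\t-\t-\t-\tS0\n"
    # one completed connection to the same host (must not count)
    "1700000000.20\tC09\t198.51.100.7\t51000\t192.0.2.5\t80\ttcp\thttp\t0.2\t300\t1200\tSF\n"
    # two half-open attempts to another host from a single source
    "1700000000.30\tC10\t198.51.100.20\t52000\t192.0.2.9\t22\ttcp\t-\t-\t-\t-\tS0\n"
    "1700000000.31\tC11\t198.51.100.20\t52001\t192.0.2.9\t22\ttcp\t-\t-\t-\t-\tS0\n"
    # UDP S0 (no reply) is not a SYN flood and must be ignored
    "1700000000.40\tC12\t198.51.100.30\t53000\t192.0.2.5\t53\tudp\tdns\t-\t0\t-\tS0\n"
)


def parse_conn_log(text):
    """Parse Zeek TSV conn.log text into a list of dicts keyed by #fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):  # #separator, #types, #path, #close, ...
            continue
        if fields is None:
            raise ValueError("conn.log record appears before the #fields header")
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def half_open_summary(records):
    """Per responder host: (number of TCP S0 connections, number of distinct sources)."""
    counts = Counter()
    sources = defaultdict(set)
    for rec in records:
        if rec.get("proto") == "tcp" and rec.get("conn_state") == "S0":
            host = rec["id.resp_h"]
            counts[host] += 1
            sources[host].add(rec["id.orig_h"])
    return {host: (counts[host], len(sources[host])) for host in counts}


def syn_flood_candidates(records, threshold):
    """Hosts with at least ``threshold`` half-open TCP connections, busiest first,
    as (host, s0_count, distinct_sources) tuples."""
    summary = half_open_summary(records)
    hits = [(h, n, src) for h, (n, src) in summary.items() if n >= threshold]
    return sorted(hits, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for host, n, distinct in syn_flood_candidates(recs, threshold=5):
        print(f"{host}: {n} half-open TCP connections from {distinct} source(s)")
```

On the sample data only 192.0.2.5 crosses the threshold (8 S0 connections from 8 sources); 192.0.2.9 sees just 2, from one source, which looks more like a probe than a flood. In production the same counting would be done per time window (for example by bucketing `ts`), since a raw count over a long log says nothing about rate.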

Toolkit


Similar techniques

References