L4 SYN

TCP SYN flood

A TCP SYN flood sends large volumes of TCP SYN packets to exhaust connection tables on firewalls, load balancers, and servers before the handshake completes.

How it works

  1. Attacker sends SYN; target allocates state for half-open connections.
  2. Without completing the handshake, connection slots fill up.
  3. Legitimate SYN packets may be dropped when tables are full.

Packet flow (illustrative)

Many SYN packets; incomplete handshakes leave half-open state.

Illustrative flow, not a live capture.

Typical pattern: High SYN PPS
Engarde metric: Packets, conn. count
Layer: L4 transport

What to watch in Engarde

  • Concurrent connection count vs. configured limits.
  • SYN cookie or SYN proxy activation on mitigation devices.
  • Recovery time after End test: state should drain quickly.
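
On a Linux target, the half-open state described above can be cross-checked during a test by counting SYN_RECV entries per listening port. The following is an added example, not Engarde code: it assumes the Linux /proc/net/tcp text layout, the function names and the 0.75 threshold ratio are hypothetical, and the sample rows are constructed.

```python
"""Added example: count half-open (SYN_RECV) sockets per local port."""
from collections import Counter

SYN_RECV = "03"  # state code the Linux kernel prints for SYN_RECV

# Constructed sample in /proc/net/tcp layout (hex address:port, then state).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0100007F:01BB 0A00000A:C001 03 00000000:00000000 01:00000064 00000000     0        0 0
   2: 0100007F:01BB 0B00000A:C002 03 00000000:00000000 01:00000064 00000000     0        0 0
   3: 0100007F:01BB 0C00000A:C003 03 00000000:00000000 01:00000064 00000000     0        0 0
   4: 0100007F:01BB 0D00000A:C004 01 00000000:00000000 00:00000000 00000000    33        0 1002
   5: 0100007F:0016 0E00000A:C005 03 00000000:00000000 01:00000064 00000000     0        0 0
"""


def half_open_by_port(proc_net_tcp_text):
    """Return Counter {local_port: number of SYN_RECV entries}."""
    counts = Counter()
    for line in proc_net_tcp_text.splitlines():
        fields = line.split()
        # The header and non-SYN_RECV rows fail this check and are skipped.
        if len(fields) < 4 or fields[3] != SYN_RECV:
            continue
        port = int(fields[1].rsplit(":", 1)[1], 16)  # port is hex after ':'
        counts[port] += 1
    return counts


def ports_near_limit(counts, limit, ratio=0.75):
    """Ports whose half-open count has reached ratio * limit (hypothetical threshold)."""
    return sorted(p for p, n in counts.items() if n >= limit * ratio)


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:  # live view on a Linux target
            text = fh.read()
    except OSError:
        text = SAMPLE  # fall back to the constructed sample
    counts = half_open_by_port(text)
    # limit=128 is a placeholder; use the listener's configured backlog.
    print(dict(counts), ports_near_limit(counts, limit=128))
```

Sampling this repeatedly after End test shows how quickly the half-open count drains back toward zero.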

Running this simulation

Engarde TCP simulation targets IP:port with configurable PPS and duration. Observe transport-layer metrics without application payloads.

Mitigation perspective

SYN cookies, connection rate limits, and upstream scrubbing help; validate device policies with L4 simulation in a maintenance window or other controlled window.