Denial of Service (DoS for short) is a common attack in cyber security. It exhausts server resources such as CPU, memory, bandwidth and disk space, leaving the server unable to serve any authorized requests. There are many techniques for performing a DoS attack, and TCP flooding is one of them. To understand how TCP flooding works, you need a basic understanding of what the TCP/IP protocol is and how it helps the client and the server establish a connection.


The TCP/IP protocol, in short, is the basic communication language and standard that devices connected to the Internet use to exchange information. To start communication between two devices, in this case between the server and the client, the protocol uses a method called the three-way handshake, which can be described in three main steps:

  • Step 1: To request a connection from the server, the client sends it a packet called SYN (synchronization).

  • Step 2: Upon receiving the SYN request successfully, the server sends the client a SYN/ACK packet to notify it that the connection has been accepted. It then prepares the necessary resources, such as a memory buffer (cache) for receiving and transmitting data, and records other information such as the client’s IP address and port.

  • Step 3: The client receives the SYN/ACK reply from the server and sends back an ACK (acknowledge) packet to establish the connection.

Figure: The three-way handshake


The TCP flooding attack takes advantage of the second step of the three-way handshake. By design, after sending the SYN/ACK packet to notify the client, the server still allocates a socket buffer for the connection even if it receives no response, and it keeps resending the packet until it gets an answer from the client.

So the key point of this attack technique is to make the client not reply to the server. To do this, the hacker fakes the source IP address in the SYN request sent from the client, causing the server to transmit the SYN/ACK packet to an IP address that has no accountability and no obligation to reply with an ACK packet. The hacker then sends the server a large number of SYN requests but never replies to any of its responses. As a consequence, the server is forced to allocate many socket buffers while resending the SYN/ACK packet many times, which quickly overloads it. Eventually the system crashes and the attack is successful.
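Seen from the server side, the symptom described above is a growing number of connections stuck between step 2 and step 3. The following is an added example, not part of the original article: it replays constructed packet records through a simple handshake tracker and flags traffic whose half-open count reaches a threshold. The record format, the 30-second timeout and the threshold of 100 are assumptions chosen for illustration.

```python
from collections import namedtuple

# One observed packet addressed to the server: time (s), source IP, source port, TCP flag.
Packet = namedtuple("Packet", "t src sport flag")

def half_open_peak(packets, timeout=30.0):
    """Replay packets; return (peak half-open connections, completed handshakes).

    SYN (step 1) creates a pending entry, standing in for the buffer the server
    reserves when it sends SYN/ACK (step 2). An ACK from the same source
    address and port (step 3) completes and removes it. Entries older than
    `timeout` seconds (an assumed value) expire.
    """
    pending = {}            # (src, sport) -> time the SYN arrived
    peak = completed = 0
    for p in sorted(packets, key=lambda pkt: pkt.t):
        for key in [k for k, t0 in pending.items() if p.t - t0 > timeout]:
            del pending[key]
        key = (p.src, p.sport)
        if p.flag == "SYN":
            pending.setdefault(key, p.t)
        elif p.flag == "ACK" and key in pending:
            del pending[key]
            completed += 1
        peak = max(peak, len(pending))
    return peak, completed

def is_syn_flood(packets, threshold=100, timeout=30.0):
    """Flag traffic whose half-open peak reaches `threshold` (an assumed value)."""
    return half_open_peak(packets, timeout)[0] >= threshold

def sample_normal():
    """Constructed data: five clients that each finish the handshake."""
    pkts = []
    for i in range(5):
        src = f"192.0.2.{i + 1}"
        pkts += [Packet(float(i), src, 40000 + i, "SYN"),
                 Packet(i + 0.05, src, 40000 + i, "ACK")]
    return pkts

def sample_flood():
    """Constructed data: the same clients plus 200 SYNs that are never acknowledged."""
    unanswered = [Packet(1.0 + i * 0.01, f"198.51.100.{i % 250 + 1}", 1024 + i, "SYN")
                  for i in range(200)]
    return sample_normal() + unanswered

if __name__ == "__main__":
    for name, pkts in (("normal", sample_normal()), ("flood", sample_flood())):
        print(name, half_open_peak(pkts), is_syn_flood(pkts))
```

Because the unanswered SYNs arrive from many different source addresses, the tracker counts pending entries in total rather than per source.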

Original author: Doan Thien Phuc

Bùi Quang Điền