The problem is that servers generally have a resource limit on the number of outstanding connections they can have in this handshake pending-completion state, and may refuse to service further connections until these resources are available. This corresponds to the symptoms you have described. Since the overhead of sending a SYN packet is small, even a client on a relatively low-bandwidth link may be able to launch a significantly damaging attack. The problem is further exacerbated by network providers who do not perform source address filtering, allowing attackers to effectively hide their identities.
Common solutions involve using servers that are resilient to such attacks. Of course, this is often easier said than done, so the preferred method of protection for many sites generally involves deploying a traffic management device that can block such attacks from ever reaching their servers. When deploying such a device, one should verify that the device not only blocks these attacks, but also does not impose any penalty on the overall user experience.
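To check whether a server is approaching the pending-handshake limit described above, an administrator can count sockets in the SYN_RECV state per listening port. The following is an added example, not part of the original answer: it parses the Linux `/proc/net/tcp` layout over a constructed sample, and the function names, the `backlog` value and the 0.75 alert ratio are assumptions chosen for illustration.

```python
import socket
import struct
from collections import Counter

SYN_RECV = 0x03  # Linux state code for a handshake that is pending completion

# Constructed sample in /proc/net/tcp layout (trailing columns trimmed).
# Remote addresses are from documentation ranges, not real hosts.
SAMPLE = """\
  sl  local_address rem_address   st
   0: 0100000A:0050 00000000:0000 0A
   1: 0100000A:0050 0A7100CB:C001 03
   2: 0100000A:0050 0B7100CB:C002 03
   3: 0100000A:0050 076433C6:C003 03
   4: 0100000A:0050 086433C6:C004 03
   5: 0100000A:0050 0C7100CB:C005 01
   6: 0100000A:01BB 0D7100CB:C006 03
   7: 0100000A:01BB 0E7100CB:C007 01
"""

def decode_ipv4(hex_addr):
    """Decode an address as printed on little-endian hosts such as x86."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))

def half_open_by_port(text):
    """Count SYN_RECV sockets and collect their sources per local port."""
    counts, sources = Counter(), {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != SYN_RECV:
            continue
        port = int(fields[1].split(":")[1], 16)
        remote_ip = decode_ipv4(fields[2].split(":")[0])
        counts[port] += 1
        sources.setdefault(port, set()).add(remote_ip)
    return counts, sources

def flag_ports(text, backlog, ratio=0.75):
    """Return {port: (half_open, distinct_sources)} for ports near the limit.

    backlog is the listener's pending-connection limit, supplied by the
    operator (an assumption here; the page gives no figure).
    """
    counts, sources = half_open_by_port(text)
    return {p: (n, len(sources[p])) for p, n in counts.items()
            if n >= ratio * backlog}

if __name__ == "__main__":
    print(flag_ports(SAMPLE, backlog=4))
```

On a live Linux host the same functions can be given the contents of `/proc/net/tcp`; a high half-open count spread across many distinct sources is consistent with the unfiltered source addresses mentioned above.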