The problem is that servers generally have a resource limit on the number of outstanding connections they can hold in this handshake pending-completion state, and may refuse to service further connections until these resources become available. This corresponds to the symptoms you have described. Since the overhead of sending a SYN packet is small, even a client on a relatively low-bandwidth link may be able to launch a significantly damaging attack. The problem is further exacerbated by network providers who do not perform source address filtering, which allows attackers to effectively hide their identities.
Common solutions involve using servers that are resilient to such attacks. Of course, this is often easier said than done, so the preferred method of protection for many sites generally involves deploying a traffic management device that can block such attacks from ever reaching their servers. When deploying such a device, one should verify that it not only blocks these attacks but also does not impose any penalty on the overall user experience.
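
One way to watch for the half-open backlog described above on a Linux server, as an added example that is not part of the original answer: it counts sockets in the SYN_RECV state per local port from text in /proc/net/tcp layout. The sample data, function names and alert limit are constructed for illustration, and a little-endian host is assumed.

```python
import socket
from collections import defaultdict

SYN_RECV = "03"  # kernel state code: SYN received, final ACK still pending

# Constructed sample in /proc/net/tcp layout (IPv4, little-endian hex addresses).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0A00000A:0050 010200C0:C001 03 00000000:00000000 01:00000050 00000002     0        0 0
   2: 0A00000A:0050 020200C0:C002 03 00000000:00000000 01:00000050 00000002     0        0 0
   3: 0A00000A:0050 020200C0:C003 03 00000000:00000000 01:00000050 00000002     0        0 0
   4: 0A00000A:0050 040200C0:D431 01 00000000:00000000 00:00000000 00000000    33        0 1002
   5: 0A00000A:0016 050200C0:E000 03 00000000:00000000 01:00000050 00000001     0        0 0
"""


def decode_ipv4(hex_addr):
    """Convert the kernel's little-endian hex form (e.g. 010200C0) to dotted quad."""
    return socket.inet_ntoa(bytes.fromhex(hex_addr)[::-1])


def half_open_by_port(proc_net_tcp_text):
    """Map local port -> (half-open socket count, sorted distinct source IPs)."""
    sources = defaultdict(list)
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != SYN_RECV:
            continue  # only sockets still waiting for the handshake to complete
        local_port = int(fields[1].rsplit(":", 1)[1], 16)
        remote_ip = decode_ipv4(fields[2].rsplit(":", 1)[0])
        sources[local_port].append(remote_ip)
    return {port: (len(ips), sorted(set(ips))) for port, ips in sources.items()}


def ports_over_limit(proc_net_tcp_text, limit):
    """Ports whose pending-handshake count has reached the alert limit."""
    stats = half_open_by_port(proc_net_tcp_text)
    return sorted(port for port, (count, _) in stats.items() if count >= limit)


if __name__ == "__main__":
    for port, (count, ips) in sorted(half_open_by_port(SAMPLE).items()):
        print(f"port {port}: {count} half-open from {len(ips)} source(s): {ips}")
    print("over limit:", ports_over_limit(SAMPLE, limit=3))
```

Because source addresses may be forged, the per-port count is the signal to alert on; the listed source IPs are not reliable attribution.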