# SYN Flood Attack

Identifying SYN flood attacks is a critical part of protecting network infrastructure from a common and disruptive form of Denial-of-Service (DoS) attack. A SYN flood abuses the TCP three-way handshake: the attacker sends SYN (synchronization) packets to a port on the target at a high rate, typically from spoofed or otherwise unresponsive source addresses, and never completes the handshake with the final ACK (or does so only after long delays). Each unanswered SYN-ACK leaves a half-open connection in the server's backlog until it times out; once the backlog is full, the server drops new SYNs and legitimate users can no longer connect. Because these attacks can incapacitate web servers, mail servers, and other network resources, early detection is vital. Quick identification allows timely mitigation, maintaining service availability, network stability, and user access.

ElastiFlow provides a collection of anomaly detection jobs designed to identify SYN flood attacks from network flow data. The jobs are supplied for both direct and distributed (DDoS) attack vectors and for edge, inbound, outbound, and private traffic perspectives, in both the CODEX and ECS schemas, so that the hallmarks of such an attack can be surfaced wherever the relevant traffic is observed.
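To make the hallmarks concrete, the following is an added example of the kind of signal these jobs look for, written here for illustration; it is not ElastiFlow's own job logic or query. It assumes a batch of flow records as Python dicts with `src`, `dst`, `dst_port`, `tcp_flags` (the cumulative TCP flag bitmask a flow exporter reports for the flow's lifetime) and `packets` fields; those field names and the threshold values are assumptions chosen for the example. The sample records are constructed, not captured. A half-open flow is one that carried SYN but never ACK; a destination port receiving hundreds of such flows, making up most of its traffic, is flagged, and the number of distinct sources separates a direct flood from a distributed one.

```python
"""Flag SYN-flood hallmarks in a batch of flow records (added example)."""
from collections import defaultdict

# TCP flag bits as they appear in a flow record's cumulative flag field.
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10


def is_half_open(flags):
    """True when the flow carried SYN but the handshake never reached ACK."""
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK)


def summarize(records):
    """Per (dst, dst_port): total flows, half-open flows, distinct half-open sources."""
    stats = defaultdict(lambda: {"flows": 0, "half_open": 0, "sources": set()})
    for r in records:
        s = stats[(r["dst"], r["dst_port"])]
        s["flows"] += 1
        if is_half_open(r["tcp_flags"]):
            s["half_open"] += 1
            s["sources"].add(r["src"])
    return stats


def detect(records, min_half_open=100, min_ratio=0.8, distributed_sources=10):
    """Return one alert per (dst, dst_port) whose traffic is dominated by half-open flows.

    Thresholds are assumptions for the example: at least `min_half_open`
    half-open flows, making up at least `min_ratio` of all flows to that port.
    """
    alerts = []
    for (dst, port), s in sorted(summarize(records).items()):
        ratio = s["half_open"] / s["flows"]
        if s["half_open"] < min_half_open or ratio < min_ratio:
            continue
        vector = "distributed" if len(s["sources"]) >= distributed_sources else "direct"
        alerts.append({
            "dst": dst, "dst_port": port, "half_open": s["half_open"],
            "ratio": round(ratio, 3), "sources": len(s["sources"]), "vector": vector,
        })
    return alerts


def build_sample():
    """Constructed flow records (not captured data); RFC 5737 documentation addresses."""
    records = []
    # Normal web traffic: handshake completed and closed (SYN, ACK and FIN all seen).
    for i in range(50):
        records.append({"src": f"192.0.2.{i % 20 + 1}", "dst": "10.0.0.5", "dst_port": 443,
                        "tcp_flags": TCP_SYN | TCP_ACK | TCP_FIN, "packets": 12})
    # Direct SYN flood: one source, hundreds of single-packet SYN-only flows.
    for _ in range(400):
        records.append({"src": "198.51.100.7", "dst": "10.0.0.5", "dst_port": 443,
                        "tcp_flags": TCP_SYN, "packets": 1})
    # A little legitimate traffic to the second target.
    for i in range(10):
        records.append({"src": f"192.0.2.{i + 1}", "dst": "10.0.0.9", "dst_port": 80,
                        "tcp_flags": TCP_SYN | TCP_ACK | TCP_FIN, "packets": 9})
    # Distributed SYN flood: many (spoofed or botnet) sources, each SYN-only.
    for i in range(200):
        records.append({"src": f"203.0.113.{i + 1}", "dst": "10.0.0.9", "dst_port": 80,
                        "tcp_flags": TCP_SYN, "packets": 1})
    # A handful of unanswered SYNs to SSH: half-open, but far below the volume threshold.
    for i in range(5):
        records.append({"src": f"192.0.2.{i + 1}", "dst": "10.0.0.20", "dst_port": 22,
                        "tcp_flags": TCP_SYN, "packets": 1})
    return records


if __name__ == "__main__":
    for alert in detect(build_sample()):
        print(alert)
```

On the sample, the two floods are reported (10.0.0.5:443 as a direct flood from a single source, 10.0.0.9:80 as a distributed flood from 200 sources) while the five unanswered SYNs to 10.0.0.20:22 stay below the volume threshold. In production the same ratio-plus-volume idea has to be computed per time bucket rather than per batch, and a port that is simply down will also show a high half-open ratio, so the volume threshold is what keeps ordinary connection failures from alerting.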

## Attributes

| Attribute                       | Information                                                                       |
| ------------------------------- | --------------------------------------------------------------------------------- |
| **Analysis Type**               | population                                                                        |
| **MITRE ATT\&CK Technique**     | [Network Denial of Service (T1498)](https://attack.mitre.org/techniques/T1498)    |
| **MITRE ATT\&CK Sub-Technique** | [Direct Network Flood (T1498.001)](https://attack.mitre.org/techniques/T1498/001) |
| **MITRE ATT\&CK Tactic**        | [Impact (TA0040)](https://attack.mitre.org/tactics/TA0040)                        |

## Downloads

| Schema    | Vector          | Perspective  | Link                                                                                                                                                                                |
| --------- | --------------- | ------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **CODEX** | **direct**      | **edge**     | [elastiflow\_codex\_netsec\_syn\_flood\_direct\_edge](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_ddos/netsec_syn_flood_direct_edge.json) |
| **CODEX** | **direct**      | **inbound**  | [elastiflow\_codex\_netsec\_syn\_flood\_direct\_in](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_ddos/netsec_syn_flood_direct_in.json)     |
| **CODEX** | **direct**      | **outbound** | [elastiflow\_codex\_netsec\_syn\_flood\_direct\_out](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_ddos/netsec_syn_flood_direct_out.json)   |
| **CODEX** | **direct**      | **private**  | [elastiflow\_codex\_netsec\_syn\_flood\_direct\_priv](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_ddos/netsec_syn_flood_direct_priv.json) |
| **CODEX** | **distributed** | **edge**     | [elastiflow\_codex\_netsec\_syn\_flood\_ddos\_edge](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_ddos/netsec_syn_flood_ddos_edge.json)     |
| **CODEX** | **distributed** | **inbound**  | [elastiflow\_codex\_netsec\_syn\_flood\_ddos\_in](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_ddos/netsec_syn_flood_ddos_in.json)         |
| **CODEX** | **distributed** | **outbound** | [elastiflow\_codex\_netsec\_syn\_flood\_ddos\_out](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_ddos/netsec_syn_flood_ddos_out.json)       |
| **CODEX** | **distributed** | **private**  | [elastiflow\_codex\_netsec\_syn\_flood\_ddos\_priv](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_ddos/netsec_syn_flood_ddos_priv.json)     |
| **ECS**   | **direct**      | **edge**     | [elastiflow\_ecs\_netsec\_syn\_flood\_direct\_edge](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/ecs/netsec_ddos/netsec_syn_flood_direct_edge.json)     |
| **ECS**   | **direct**      | **inbound**  | [elastiflow\_ecs\_netsec\_syn\_flood\_direct\_in](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/ecs/netsec_ddos/netsec_syn_flood_direct_in.json)         |
| **ECS**   | **direct**      | **outbound** | [elastiflow\_ecs\_netsec\_syn\_flood\_direct\_out](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/ecs/netsec_ddos/netsec_syn_flood_direct_out.json)       |
| **ECS**   | **direct**      | **private**  | [elastiflow\_ecs\_netsec\_syn\_flood\_direct\_priv](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/ecs/netsec_ddos/netsec_syn_flood_direct_priv.json)     |
| **ECS**   | **distributed** | **edge**     | [elastiflow\_ecs\_netsec\_syn\_flood\_ddos\_edge](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/ecs/netsec_ddos/netsec_syn_flood_ddos_edge.json)         |
| **ECS**   | **distributed** | **inbound**  | [elastiflow\_ecs\_netsec\_syn\_flood\_ddos\_in](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/ecs/netsec_ddos/netsec_syn_flood_ddos_in.json)             |
| **ECS**   | **distributed** | **outbound** | [elastiflow\_ecs\_netsec\_syn\_flood\_ddos\_out](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/ecs/netsec_ddos/netsec_syn_flood_ddos_out.json)           |
| **ECS**   | **distributed** | **private**  | [elastiflow\_ecs\_netsec\_syn\_flood\_ddos\_priv](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/ecs/netsec_ddos/netsec_syn_flood_ddos_priv.json)         |

By deploying this suite of anomaly detection jobs, network administrators can detect SYN flood attacks early and respond before the target's connection backlog is exhausted. This proactive approach minimizes the impact of such attacks, keeps network services available and reliable, and maintains the overall health of the network infrastructure.

