With SYN flooding, an attacker sends a rapid and continuous succession of TCP packets set with a SYN flag from constantly changing source ports to open ports of the victim. The computer under attack then sets up a TCP connection, returns a packet with set SYN and ACK flags to the attacker, and waits in vain for confirmation of the connection establishment. This results in hundreds of “half-open” TCP connections that consume resources (e.g. memory) on the computer under attack. This can result in the victim no longer being able to accept any further TCP connections, or it may even crash the machine due to a lack of memory.
As a countermeasure, the firewall monitors and limits the number of half-open TCP connections between two computers. Any further TCP connections being established between these computers are blocked by the firewall.
