The most common method involves flooding the victim machine with external communication requests, so many that it cannot respond to legitimate traffic, or responds so slowly that it is effectively unavailable (Jelena Mirkovic et al. (2005) p.38).
The other method is to obstruct the communication medium between the intended users and the victim so that they can no longer communicate adequately. Even though technical laws vary between countries, denial-of-service attacks are considered a crime in most of them (Pastore & Dulaney (2004) p.33).
The TCP/IP protocols form the basis of today's Internet, but these protocols lack even basic security mechanisms such as validation or encryption. Newer versions of these protocols, such as IPv6, do have better security features, but the existing TCP/IP protocols remain the most widely used and common ones, so their lack of built-in security has become increasingly challenging (Jelena Mirkovic et al. (2005) p.45).
Now, in accordance with the question, let us look at how the protocol works in order to understand the loophole and the problem. In TCP/IP, the TCP half uses sequence numbers to keep track of the order of data packets (this counters high message latency and loss, which mean that messages usually arrive out of order). So the basic purpose of allotting sequence numbers is to ensure that data reaches the user in the correct order, regardless of the order in which it is actually received (CERT n.d.). This allotment takes place during the initial phase of the TCP connection, which is called the three-way handshake. The process can be detailed as follows:
1. The originator of the connection initiates the connection by sending a packet having the SYN flag set in the TCP header - the "SYN packet".
2. The receiver or the target responds by sending back to the originator a packet that has the SYN and ACK flags set - "SYN/ACK packet"
3. The originator acknowledges receipt of the 2nd packet by sending to the receiver a third packet with only the ACK flag set (an "ACK packet").
After the completion of this three-step handshaking process the TCP connection is considered "open" and data transfer can take place between the two systems. Herein lies the loophole: after sending the SYN/ACK packet (between steps 2 and 3), the receiving system is required to wait for the ACK packet and keep a record of the incomplete connection in a queue called the "listen queue". The listen queue is necessary because it allows connections to succeed even with high message latency. Most systems have only a limited amount of space for such incomplete records. If the receiver gets further requests for new connections while too many connections are left in the incomplete state, the receiver runs out of space, and new connection requests cannot be handled.
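To make the listen-queue exhaustion concrete, the following Python simulation is an added example written for this essay; it is not code from the cited sources and not a real kernel implementation. It models the receiver's side of the three-way handshake with a fixed-size queue of half-open entries and a timeout after which an unanswered SYN/ACK is discarded. The capacity of 4, the 5-second timeout, the client addresses and the event sequence are all constructed assumptions chosen to keep the run short.

```python
"""Simulation of a TCP listener's half-open ("listen") queue during the
three-way handshake. The queue bound, timeout and traffic are simplified
assumptions for illustration, not a real kernel implementation."""
from dataclasses import dataclass, field


@dataclass
class ListenQueue:
    capacity: int                 # maximum half-open entries the listener keeps
    timeout: float                # seconds before an unanswered SYN/ACK is discarded
    half_open: dict = field(default_factory=dict)  # client -> time its SYN arrived
    established: int = 0          # handshakes completed with the final ACK
    dropped: int = 0              # SYNs refused because the queue was full

    def expire(self, now):
        """Evict entries whose SYN/ACK has gone unanswered longer than the timeout."""
        stale = [c for c, t in self.half_open.items() if now - t > self.timeout]
        for c in stale:
            del self.half_open[c]
        return len(stale)

    def on_syn(self, client, now):
        """Step 1/2: record the incomplete connection and (conceptually) send SYN/ACK."""
        self.expire(now)
        if client in self.half_open:
            return "retransmit"          # duplicate SYN from the same client: keep one entry
        if len(self.half_open) >= self.capacity:
            self.dropped += 1            # no room left: a legitimate client is turned away
            return "dropped"
        self.half_open[client] = now
        return "syn-ack sent"

    def on_ack(self, client, now):
        """Step 3: the final ACK completes the handshake and frees the queue slot."""
        self.expire(now)
        if client not in self.half_open:
            return "ignored"             # never seen, or already expired
        del self.half_open[client]
        self.established += 1
        return "established"


def run(events, capacity=4, timeout=5.0):
    """Replay (time, kind, client) events against a fresh listener and return it."""
    q = ListenQueue(capacity=capacity, timeout=timeout)
    for t, kind, client in events:
        if kind == "syn":
            q.on_syn(client, t)
        elif kind == "ack":
            q.on_ack(client, t)
    return q


# Constructed sample traffic (not captured data): one legitimate client completes
# its handshake, four hosts then send SYNs and never ACK, and a second legitimate
# client is refused until the stale entries time out.
SAMPLE = [
    (0.00, "syn", ("203.0.113.5", 51000)),
    (0.05, "ack", ("203.0.113.5", 51000)),
    (0.10, "syn", ("198.51.100.10", 40001)),
    (0.20, "syn", ("198.51.100.11", 40002)),
    (0.30, "syn", ("198.51.100.12", 40003)),
    (0.40, "syn", ("198.51.100.13", 40004)),
    (0.50, "syn", ("203.0.113.6", 51001)),   # queue full: dropped
    (6.00, "syn", ("203.0.113.6", 51001)),   # retry after the half-open entries expired
    (6.10, "ack", ("203.0.113.6", 51001)),
]

if __name__ == "__main__":
    q = run(SAMPLE)
    print(f"established={q.established} dropped={q.dropped} half_open={len(q.half_open)}")
```

Running it shows the effect described above: with four unanswered SYNs occupying the whole queue, the second legitimate client's SYN at 0.5 s is dropped, and it only succeeds once the timeout has evicted the stale entries. Raising the queue capacity (e.g. `run(SAMPLE, capacity=8)`) or shortening the timeout lets that client through, which is why backlog size and half-open timeout are the first two knobs a defender tunes, and why the count of half-open entries relative to capacity is a useful metric to watch.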
In a SYN flood DoS attack, a malicious host (the attacker) sends a large number of SYN packets only, while withholding the corresponding ACK response to the