Network Communication & SYN Attack
How applications talk across a network — from bits on the wire to HTTP requests, and how attackers exploit the TCP handshake.
The OSI Model
The Open Systems Interconnection (OSI) model describes 7 layers of network communication. Each layer adds its own header (encapsulation) when sending, and strips it when receiving.
Encapsulation — How Data Gets Wrapped
As data moves down the stack, each layer wraps the previous layer's output with its own header. The receiver reverses this, stripping headers as data moves up.
How Applications Communicate
When Application A sends a message to Application B, the data passes through every layer of the network stack. At each layer, a header with addressing and control information is added.
What Gets Added at Each Layer
Layer 7 Application — HTTP Request
Host: 192.168.1.20
User-Agent: CS360-Browser/1.0
The application generates the payload — the actual content being communicated.
Layer 4 Transport — TCP Header
Seq#: 1000 Ack#: 1
Flags: [PSH, ACK] Window: 65535
TCP provides reliable delivery with sequence numbers, flow control, and port-based multiplexing. Port numbers identify which application on each host the segment belongs to.
Layer 3 Network — IP Header
Protocol: 6 (TCP)
Src IP: 192.168.1.10
Dst IP: 192.168.1.20
IP addresses identify which host on the network. Routers use the destination IP to forward packets across networks.
Layer 2 Data Link — Ethernet Frame
Src MAC: AA:BB:CC:DD:EE:01
EtherType: 0x0800 (IPv4)
FCS: 0x3A2B... (trailer)
MAC addresses identify which network interface on the local link. They only matter for the current hop — they change at each router.
TCP Three-Way Handshake
Before data can flow, TCP requires a three-step connection setup. This establishes sequence numbers and confirms both sides are ready.
SYN Flood Attack
A SYN flood exploits the TCP handshake. The attacker sends a massive number of SYN packets with spoofed source IPs. The server responds with SYN-ACK to each and waits for ACK replies that will never come — filling up its connection queue until legitimate clients are refused.
How It Works
- Attacker sends SYN with a forged (spoofed) source IP
- Server allocates memory for a half-open connection and sends SYN-ACK to the spoofed IP
- The spoofed IP never responds with ACK (it didn't initiate the connection)
- Server's backlog queue fills with half-open connections
- Legitimate clients' SYN packets are dropped — connection refused
Server Connection Queue
Each slot in the diagram represents one entry in the server's TCP backlog. During normal operation entries are freed as soon as the handshake completes; during a SYN flood they fill with half-open connections that never complete, and new SYNs are dropped.
Countermeasures
SYN Cookies
Instead of storing state for each SYN, the server encodes the connection info into the initial sequence number of the SYN-ACK. State is only allocated when a valid ACK returns.
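A simplified SYN cookie in the classic layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash of the 4-tuple), as an added example that is not part of this page or of any real TCP stack; the secret, the addresses and the tiny simulated backlog are constructed for the demo. The simulation shows the same spoofed flood against a stateful backlog and against a cookie-based server.

```python
import hashlib
import hmac

# Simplified SYN cookie in the classic layout: 5-bit time counter, 3-bit MSS
# index, 24-bit keyed hash of the 4-tuple. SECRET is a constructed placeholder.
SECRET = b"constructed-demo-secret"
MSS_TABLE = (536, 1220, 1440, 1460)   # MSS values the 3-bit index can encode
MAX_AGE = 3                           # accept cookies up to this many ticks old

def _mac24(src_ip, src_port, dst_ip, dst_port, t):
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src_ip, src_port, dst_ip, dst_port, mss, t):
    """ISN for the SYN-ACK: the connection info lives in the number itself."""
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((t & 0x1F) << 27) | (idx << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, t)

def check_cookie(src_ip, src_port, dst_ip, dst_port, ack, now):
    """Validate ACK = cookie + 1; return the encoded MSS, or None if forged or stale."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t_bits, idx, mac = cookie >> 27, (cookie >> 24) & 7, cookie & 0xFFFFFF
    for age in range(MAX_AGE + 1):
        t = now - age
        if (t & 0x1F) == t_bits and mac == _mac24(src_ip, src_port, dst_ip, dst_port, t):
            return MSS_TABLE[idx]
    return None

def flood_then_legit(use_cookies, n_spoofed=100, backlog=16):
    """Spoofed SYNs that never ACK, then one real client; True if it connects."""
    srv_ip, srv_port, half_open = "192.168.1.20", 80, {}

    def on_syn(src_ip, src_port, mss, now):
        if use_cookies:                  # SYN-ACK carries the cookie; nothing is stored
            return make_cookie(src_ip, src_port, srv_ip, srv_port, mss, now)
        if len(half_open) >= backlog:
            return None                  # backlog full: the SYN is dropped
        half_open[(src_ip, src_port)] = mss
        return 0                         # stateful ISN; its value is irrelevant here

    def on_ack(src_ip, src_port, ack, now):   # connection state is allocated only here
        if use_cookies:
            return check_cookie(src_ip, src_port, srv_ip, srv_port, ack, now) is not None
        return half_open.pop((src_ip, src_port), None) is not None

    for i in range(n_spoofed):           # the flood: spoofed sources, no ACKs
        on_syn(f"10.0.{i // 256}.{i % 256}", 40000 + i, 1460, now=100)
    isn = on_syn("192.168.1.10", 51515, 1460, now=101)
    return isn is not None and on_ack("192.168.1.10", 51515, isn + 1, now=102)
```

With a 16-entry backlog and 100 spoofed SYNs, the stateful server refuses the real client while the cookie server accepts it; the cookie is also rejected if it is older than MAX_AGE ticks or the ACK comes from a different 4-tuple.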
Rate Limiting
Firewalls limit the number of SYN packets per second from any single source IP, slowing down the flood. Because a flood's source addresses are spoofed, a per-source limit alone is easy to sidestep; an aggregate SYN rate limit on the interface still bounds the inflow.
Increased Backlog
Raising the TCP backlog queue size gives the server more room, buying time but not solving the root problem.
Firewall / IDS
Intrusion detection systems recognize SYN flood patterns and can drop malicious traffic before it reaches the server.