160 Chapter 10 FirewallsNN47922-5002 Weaknesses in the TCP/IP specification leave it open to SYN Flood andLAND attacks. These attacks are executed during the handshake that initiatesa communication session between two applications.Figure 47 Three-way handshakeUnder normal circumstances, the application that initiates a session sends a SYN(synchronize) packet to the receiving server. The receiver sends back an ACK(acknowledgment) packet and its own SYN, and then the initiator responds withan ACK (acknowledgment). After this handshake, a connection is established.SYN Attack floods a targeted system with a series of SYN packets. Each packetcauses the targeted system to issue a SYN-ACK response. While the targetedsystem waits for the ACK that follows the SYN-ACK, it queues up all outstandingSYN-ACK responses on what is known as a backlog queue. SYN-ACKs aremoved off the queue only when an ACK comes back or when an internal timer(which is set at relatively long intervals) terminates the three-way handshake.Once the queue is full, the system ignores all incoming SYN requests, making thesystem unavailable for legitimate users.