Regarding TCP SYN flood: Why is half-open connections worse than established connections?

Question

THIS IS NOT ASKED FOR HACKING PURPOSES. I am studying computer science and I am just curious.

So.. When the host A sends a TCP SYN to host B, host B allocates space for receiving buffer etc., sends a SYNACK back to host A and host A allocates such space as well, then sends an ACK back to host B. The connection is then established.

But why does a half-open connection (one where the last ACK from A is never sent) tear down host B more than a fully established connection?

Answer 1

A half-open connection does not take more resources than a fully opened connection and a bunch of them do not overwhelm a server more easily, quickly, or surely than fully opened connections.

But you only need to send one packet to a server to make it create a half-open connection, whereas you need to complete a TCP handshake (1 send, 1 receive, another send) to create a fully open connection. So you can create lots of half-open connections from a spoofed IP address or quickly generate millions of them from a DDoS platform. You don't have to be in a position to receive the SYN|ACK replies. You don't even have to care if the server is able to produce those replies fast enough.

This assumes absence of SYN cookies or other defenses against half-open connections.