# TCP: request_sock_TCP: Possible SYN flooding on port 8080. Sending cookies.

- **ID:** `networking/tcp-syn-flood-detected`
- **Domain:** networking
- **Category:** network_error
- **Verification:** ai_generated
- **Fix Rate:** 85%

## Root Cause

The kernel's SYN backlog queue is full due to a high rate of incoming SYN packets, triggering SYN cookies as a defense mechanism against SYN flood attacks.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Linux kernel 5.15 | active | — | — |
| Linux kernel 6.1 | active | — | — |
| Linux kernel 6.6 | active | — | — |

## Workarounds

1. **Increase the SYN backlog and enable SYN cookies: echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog && echo 1 > /proc/sys/net/ipv4/tcp_syn_retries** (85% success)
   ```
   Increase the SYN backlog and enable SYN cookies: echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog && echo 1 > /proc/sys/net/ipv4/tcp_syn_retries
   ```
2. **Rate-limit incoming SYN packets using iptables: iptables -A INPUT -p tcp --syn -m limit --limit 100/s --limit-burst 200 -j ACCEPT** (80% success)
   ```
   Rate-limit incoming SYN packets using iptables: iptables -A INPUT -p tcp --syn -m limit --limit 100/s --limit-burst 200 -j ACCEPT
   ```

## Dead Ends

- **** — Disabling SYN cookies via sysctl -w net.ipv4.tcp_syncookies=0 removes flood protection, making the system vulnerable to legitimate SYN flood attacks. (90% fail)
- **** — Increasing tcp_max_syn_backlog alone without also adjusting tcp_synack_retries may not help because the backlog fills up quickly under sustained attack. (70% fail)