# TCP: Possible SYN flooding on port 8080. Sending cookies.

- **ID:** `networking/tcp-syn-flood-detected`
- **Domain:** networking
- **Category:** network_error
- **Verification level:** ai_generated
- **Fix rate:** 85%

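## Root cause

The kernel's SYN backlog queue filled up because of a high rate of inbound SYN packets, which triggered SYN cookies as the protection mechanism against SYN flood attacks.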
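
To tell sustained pressure from a short burst of legitimate connections, the TcpExt counters in `/proc/net/netstat` can be compared across two snapshots. The script below is an added example, not part of the original entry; the function names and the 10% cut-off are assumptions, and the sample snapshots are constructed.

```shell
#!/bin/sh
# Added example: classify SYN-queue pressure from two /proc/net/netstat snapshots.

# tcpext FILE NAME: print TcpExt counter NAME (0 if absent). The file holds a
# "TcpExt:" line of counter names followed by a "TcpExt:" line of values.
tcpext() {
    awk -v want="$2" '
        $1 != "TcpExt:" { next }
        !hdr { for (i = 2; i <= NF; i++) col[$i] = i; hdr = 1; next }
        { print ((want in col) ? $(col[want]) : 0); exit }
    ' "$1"
}

# delta BEFORE AFTER NAME: growth of one counter between the snapshots.
delta() { echo $(( $(tcpext "$2" "$3") - $(tcpext "$1" "$3") )); }

# syn_pressure BEFORE AFTER: one-line verdict. The 10% cut-off is an assumed
# heuristic, not a kernel constant.
syn_pressure() {
    sent=$(delta "$1" "$2" SyncookiesSent)    # cookies issued (queue was full)
    recv=$(delta "$1" "$2" SyncookiesRecv)    # cookies returned in a valid ACK
    drop=$(delta "$1" "$2" TCPReqQFullDrop)   # queue full, SYN dropped, no cookie
    if [ "$drop" -gt 0 ]; then
        echo "dropping: $drop SYNs dropped with no cookie sent"
    elif [ "$sent" -eq 0 ]; then
        echo "quiet: no SYN cookies sent"
    elif [ $(( recv * 10 )) -lt "$sent" ]; then
        echo "flood-like: $sent cookies sent, only $recv validated"
    else
        echo "burst-like: $sent cookies sent, $recv validated"
    fi
}

# Constructed snapshots; every value below is made up for the demonstration.
demo() {
    dir=$(mktemp -d)
    names='TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed TCPReqQFullDrop'
    printf '%s\n' "$names" 'TcpExt: 100 90 2 0' 'IpExt: InOctets' 'IpExt: 7' > "$dir/before"
    printf '%s\n' "$names" 'TcpExt: 50100 130 2 0' 'IpExt: InOctets' 'IpExt: 9' > "$dir/after"
    syn_pressure "$dir/before" "$dir/after"
    rm -rf "$dir"
}
demo
```

On a live host, copy `/proc/net/netstat` to two files a few seconds apart and pass them to `syn_pressure`.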

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| Linux kernel 5.15 | active | — | — |
| Linux kernel 6.1 | active | — | — |
| Linux kernel 6.6 | active | — | — |

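## Solutions

1. Increase the SYN backlog and enable SYN cookies:
   ```
   # tcp_syncookies (not tcp_syn_retries) is the sysctl that enables SYN cookies
   echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog && echo 1 > /proc/sys/net/ipv4/tcp_syncookies
   ```
2. Rate-limit incoming SYN packets using iptables. The ACCEPT rule only limits anything when SYNs above the limit are dropped afterwards, so it is followed by a DROP rule:
   ```
   iptables -A INPUT -p tcp --syn -m limit --limit 100/s --limit-burst 200 -j ACCEPT
   iptables -A INPUT -p tcp --syn -j DROP
   ```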

## Failed attempts

- Disabling SYN cookies via `sysctl -w net.ipv4.tcp_syncookies=0` removes flood protection, leaving the system vulnerable to real SYN flood attacks. (90% failure rate)
- Increasing `tcp_max_syn_backlog` alone, without also adjusting `tcp_synack_retries`, may not help because the backlog fills up quickly under sustained attack. (70% failure rate)
