
SYN Cookies

SYN cookies are a kernel-level defense against SYN floods. Instead of allocating connection state in the SYN backlog when a SYN arrives, the server encodes the connection parameters into the initial sequence number of its SYN-ACK reply. It reconstructs the state only if a valid ACK comes back, so an unanswered SYN costs no memory at all.
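The encode-then-validate cycle described above, as an added example that is not taken from the original page or from any kernel source. It uses a simplified form of the classic cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash); the HMAC-SHA256 construction, the `MSS_TABLE` values and all function names are assumptions made for illustration.

```python
# Illustrative scheme only, not the Linux kernel's algorithm.
# Function names, MSS_TABLE and the HMAC construction are assumptions.
import hashlib
import hmac
import socket
import struct

MSS_TABLE = (536, 1220, 1440, 1460)  # constructed table; 3 bits allow up to 8 entries
SLOT_SECONDS = 64                    # time counter granularity


def _mac24(secret, src, sport, dst, dport, client_isn, counter, mss_idx):
    """24-bit keyed hash binding the cookie to one connection attempt."""
    msg = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack(
        "!HHIIB", sport, dport, client_isn, counter, mss_idx)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, src, sport, dst, dport, client_isn, client_mss, now):
    """Build the server ISN for the SYN-ACK. Nothing is stored per SYN."""
    counter = int(now) // SLOT_SECONDS
    # Largest table entry not exceeding the client's MSS (smallest if none fits).
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    mac = _mac24(secret, src, sport, dst, dport, client_isn, counter, mss_idx)
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | mac


def check_ack(secret, src, sport, dst, dport, seq, ack, now):
    """Validate the final ACK. Returns the recovered MSS, or None to drop."""
    cookie = (ack - 1) & 0xFFFFFFFF      # client acknowledges server ISN + 1
    client_isn = (seq - 1) & 0xFFFFFFFF  # client's seq is its own ISN + 1
    t5, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None
    current = int(now) // SLOT_SECONDS
    for counter in (current, current - 1):  # accept current and previous slot only
        if counter >= 0 and counter & 0x1F == t5:
            expected = _mac24(secret, src, sport, dst, dport, client_isn, counter, mss_idx)
            if hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big")):
                return MSS_TABLE[mss_idx]
    return None
```

Only the MSS survives the round trip here because it is the only option given bits in the cookie; anything else the client sent in its SYN is unavailable when the ACK arrives.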

Why it matters in DDoS testing

SYN cookies are the control that turns a SYN flood from an outage into a non-event, which is exactly why a DDoS test verifies they are actually enabled and effective under load. The relevant kernel parameters are net.ipv4.tcp_syncookies, tcp_max_syn_backlog, and somaxconn. SYN cookies carry a small trade-off (TCP options in the SYN are not preserved) but should be on for any public-facing server. A frequent finding is that a kernel or OS upgrade silently reset the default, so the protection a stack believes it has is gone.

The mechanics of SYN floods and other L4 attacks are covered in Understanding DDoS Attack Vectors.