A SYN flood is a Layer 4 (transport) attack vector, one of the attack classes a thorough DDoS test is built to exercise. It abuses the TCP three-way handshake: the attacker sends a stream of SYN packets but never completes the handshake with the final ACK. Each half-open connection occupies a slot in the kernel's SYN backlog; once that backlog fills, the server refuses new legitimate connections.
Why it matters in DDoS testing
A SYN flood tests kernel-level resilience rather than raw bandwidth. The structural defense is SYN cookies (net.ipv4.tcp_syncookies), which encode connection state into the sequence number instead of allocating backlog state, dropping the cost of an unanswered SYN to zero. A DDoS test characterizes the knee point: the SYN rate at which the accept queue saturates and handshakes begin to fail, and whether SYN cookies plus backlog tuning (tcp_max_syn_backlog, somaxconn) actually hold under it. A configuration that looks correct can still regress after a kernel or OS upgrade resets a default.
The mechanics of L4 attacks are covered in Understanding DDoS Attack Vectors.