TCP SYN Backlog

The TCP SYN backlog is a kernel-level data structure at the center of SYN-flood defense, and one of the tuning targets a thorough DDoS test is built to stress. When a server receives a SYN and replies with a SYN-ACK, the half-open connection waits in the SYN backlog until the client completes the handshake. The queue is bounded (tcp_max_syn_backlog); once full, the kernel drops further SYNs and legitimate clients cannot connect.

Why it matters in DDoS testing

A SYN flood is an attack on this queue, not on bandwidth. A test characterizes the knee point: the SYN rate at which the backlog saturates and handshakes start failing, and whether SYN cookies plus backlog tuning hold under it. Defaults matter here, because a kernel or OS upgrade can silently reset tcp_max_syn_backlog or somaxconn and reopen a gap that was previously closed.
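
One way to observe the knee point on a Linux target during a test, as an added example that is not part of the original page: it diffs two snapshots of the TcpExt counters in /proc/net/netstat and reports whether SYN-queue overflow ended in drops or in SYN cookies. The snapshot text, the 10-second interval and the function names are constructed for illustration.

```python
"""Read SYN-queue pressure from Linux TcpExt counters (added example)."""

# /proc/net/netstat counters that move once the SYN backlog is full.
WATCHED = ("TCPReqQFullDrop", "TCPReqQFullDoCookies",
           "SyncookiesSent", "SyncookiesFailed", "ListenDrops")


def parse_tcpext(text):
    """Parse the paired header/value 'TcpExt:' lines into {name: int}."""
    rows = [line.split()[1:] for line in text.splitlines()
            if line.startswith("TcpExt:")]
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError("expected one TcpExt header line and one value line")
    return dict(zip(rows[0], map(int, rows[1])))


def syn_pressure(before, after, interval_s):
    """Return per-second deltas of the watched counters and a verdict."""
    a, b = parse_tcpext(before), parse_tcpext(after)
    rate = {k: (b.get(k, 0) - a.get(k, 0)) / interval_s for k in WATCHED}
    if rate["TCPReqQFullDrop"] > 0:
        # Queue was full and the kernel had no cookie fallback for the SYN.
        verdict = "saturated: SYNs dropped, no cookie fallback"
    elif rate["TCPReqQFullDoCookies"] > 0 or rate["SyncookiesSent"] > 0:
        # Queue was full, but SYN cookies answered the overflow.
        verdict = "saturated: SYN cookies absorbing overflow"
    else:
        verdict = "below knee point"
    return rate, verdict


# Constructed snapshots, trimmed to the relevant columns, taken 10 s apart.
HEADER = ("TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed "
          "ListenOverflows ListenDrops TCPReqQFullDoCookies TCPReqQFullDrop\n")
OTHER = "IpExt: InOctets OutOctets\nIpExt: 1000 2000\n"  # ignored by the parser
SNAP_T0 = HEADER + "TcpExt: 0 0 0 0 0 0 0\n" + OTHER
SNAP_COOKIES = HEADER + "TcpExt: 48000 120 30 0 0 48000 0\n" + OTHER
SNAP_DROPS = HEADER + "TcpExt: 0 0 0 0 52000 0 52000\n" + OTHER

if __name__ == "__main__":
    for name, snap in (("cookies on", SNAP_COOKIES), ("cookies off", SNAP_DROPS)):
        rate, verdict = syn_pressure(SNAP_T0, snap, 10)
        print(name, verdict, {k: v for k, v in rate.items() if v})
```

On a live host, replace the constructed snapshots with two reads of /proc/net/netstat taken a known interval apart, and record the offered SYN rate at which the verdict first leaves "below knee point".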

For the attack that targets this structure, see understanding DDoS attack vectors.