During peak hours, a web server experiences timeouts. The kernel log shows 'possible SYN flooding'. Which kernel parameter should be increased to mitigate this?
Increasing this value allows more half-open connections, reducing SYN flooding issues.
Why this answer
The kernel log message 'possible SYN flooding' indicates that the system's SYN backlog queue is full, causing new connection requests to be dropped. Increasing `net.ipv4.tcp_max_syn_backlog` expands the maximum number of SYN requests that can be queued before the kernel starts dropping them, directly mitigating the issue.
Exam trap
The trap here is confusing the SYN backlog queue (`tcp_max_syn_backlog`) with the completed connection backlog (`somaxconn`), leading candidates to choose `net.core.somaxconn` even though it only affects fully established connections, not the SYN flood protection mechanism.
How to eliminate wrong answers
Option A is wrong because `net.ipv4.tcp_syncookies` enables SYN cookies as a defense against SYN flood attacks, but it does not increase the queue size; it bypasses the backlog entirely, which can degrade performance for legitimate traffic.
Option B is wrong because `net.core.somaxconn` limits the maximum number of connections that can be queued for a listening socket after the three-way handshake is complete, not the SYN backlog queue for half-open connections.
Option D is wrong because `net.core.rmem_default` sets the default receive socket buffer size for data transfer, which has no effect on the SYN backlog or connection establishment.