
Understanding Linux TCP SYN and Accept Queues in the Three‑Way Handshake

This article explains how the Linux kernel maintains the SYN (half‑connection) and Accept (full‑connection) queues during the TCP three‑way handshake, describes their size limits and overflow handling, and lists common defenses against SYN‑flood attacks.

Cognitive Technology Team

During the TCP three‑way handshake, the Linux kernel maintains two queues: the half‑connection queue (SYN Queue) and the full‑connection queue (Accept Queue).

Normal handshake process:

Client sends a SYN packet to the server and enters the SYN_SENT state.

Server receives the SYN, moves to SYN_RECV, stores the connection in the SYN Queue, and replies with SYN+ACK.

Client receives SYN+ACK, sends ACK, and enters the ESTABLISHED state.

Server receives the ACK, removes the connection from the SYN Queue, adds it to the Accept Queue, and also enters ESTABLISHED.

The server application calls accept() to retrieve the connection from the Accept Queue.

Both queues have configurable length limits; when a limit is exceeded, the kernel either drops the connection or sends a RST packet.

Accept Queue overflow handling:

The kernel parameter /proc/sys/net/ipv4/tcp_abort_on_overflow controls the behavior:

0 – When the Accept Queue is full, the server discards the incoming ACK (default).

1 – When the Accept Queue is full, the server sends a RST packet to the client, aborting the handshake.

Methods to mitigate SYN attacks:

Increase the size of the SYN Queue.

Enable tcp_syncookies support.

Reduce the number of SYN+ACK retransmissions.
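
The overflow setting and the three mitigations above can be checked together with the kernel's accept-queue overflow counter. The Python below is an added example, not code from the original article: it assumes the SYN Queue size maps to the tcp_max_syn_backlog sysctl and SYN+ACK retransmissions to tcp_synack_retries, reads the ListenOverflows counter from /proc/net/netstat, and uses illustrative thresholds and constructed sample data.

```python
from pathlib import Path

# Real sysctl files under /proc/sys/net/ipv4. The thresholds passed to audit()
# are illustrative policy values (assumptions), not taken from the article.
SYSCTLS = ("tcp_abort_on_overflow", "tcp_syncookies",
           "tcp_max_syn_backlog", "tcp_synack_retries")

def read_sysctls(root="/proc/sys/net/ipv4"):
    """Read the four settings on a live Linux host."""
    return {name: int((Path(root) / name).read_text()) for name in SYSCTLS}

def parse_tcpext(text):
    """Turn the TcpExt header/value line pair of /proc/net/netstat into a dict."""
    rows = [l.split()[1:] for l in text.splitlines() if l.startswith("TcpExt:")]
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError("expected one TcpExt header line and one value line")
    return dict(zip(rows[0], map(int, rows[1])))

def audit(sysctls, before, after, min_syn_backlog=1024, max_synack_retries=3):
    """Return findings for the settings and for overflows between two snapshots."""
    findings = []
    if sysctls["tcp_syncookies"] == 0:
        findings.append("tcp_syncookies is disabled")
    if sysctls["tcp_max_syn_backlog"] < min_syn_backlog:
        findings.append(f"tcp_max_syn_backlog below {min_syn_backlog}")
    if sysctls["tcp_synack_retries"] > max_synack_retries:
        findings.append(f"tcp_synack_retries above {max_synack_retries}")
    # ListenOverflows grows each time a connection hits a full Accept Queue.
    overflows = after["ListenOverflows"] - before["ListenOverflows"]
    if overflows > 0:
        effect = ("client receives RST" if sysctls["tcp_abort_on_overflow"]
                  else "final ACK silently dropped")
        findings.append(f"accept queue overflowed {overflows} times ({effect})")
    return findings

# Constructed samples: two /proc/net/netstat snapshots trimmed to a few columns.
HEADER = ("TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed "
          "ListenOverflows ListenDrops\n")
SAMPLE_BEFORE = HEADER + "TcpExt: 0 0 0 12 12\nIpExt: InNoRoutes\nIpExt: 0\n"
SAMPLE_AFTER = HEADER + "TcpExt: 0 0 0 40 43\nIpExt: InNoRoutes\nIpExt: 0\n"
SAMPLE_SYSCTLS = {"tcp_abort_on_overflow": 0, "tcp_syncookies": 0,
                  "tcp_max_syn_backlog": 128, "tcp_synack_retries": 5}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SYSCTLS, parse_tcpext(SAMPLE_BEFORE),
                         parse_tcpext(SAMPLE_AFTER)):
        print(finding)
```

On a real host, pass `read_sysctls()` and two reads of `/proc/net/netstat` taken some seconds apart instead of the constructed samples.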

