The net.ipv4.tcp_max_syn_backlog parameter defines the maximum number of queued connection requests that have received an initial SYN packet from the client but haven't yet received the final ACK (three-way handshake incomplete). This buffer helps handle connection bursts during high traffic.
Different recommendations exist because optimal values depend on:
- Server hardware (RAM, CPU cores)
- Expected connection rate
- Network bandwidth
- Kernel version (newer kernels handle backlog differently)
For most modern servers (2023+), consider these guidelines:
# Medium traffic web server (10K-100K connections/minute)
net.ipv4.tcp_max_syn_backlog = 65536
# High traffic server (100K+ connections/minute)
net.ipv4.tcp_max_syn_backlog = 3240000
Use this formula as starting point:
desired_backlog = (max_connections_per_second * average_connection_duration_in_seconds) * safety_factor
Example calculation for a server handling 5,000 connections/sec with 1s average duration:
(5000 * 1) * 2 = 10,000
Check current SYN backlog usage:
netstat -s | grep -i "listen"
Watch for these metrics:
- SYNs to LISTEN sockets dropped
- times the listen queue of a socket overflowed
Each queued SYN request consumes kernel memory. Calculate memory usage:
memory_usage = tcp_max_syn_backlog * sizeof(struct tcp_request_sock)
On 64-bit systems, this is approximately:
3240000 * 256 bytes ≈ 810MB
For a production web server:
# /etc/sysctl.conf
net.ipv4.tcp_max_syn_backlog = 65536
net.core.somaxconn = 65536
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
Apply changes without reboot:
sysctl -p
Consider 3M+ backlog only if:
- You're running a major CDN node
- Handling DDoS mitigation
- Have verified sufficient kernel memory
- Using kernel ≥ 5.4 with improved TCP stack
Avoid these mistakes:
- Setting backlog higher than
somaxconn - Not monitoring SYN drop rates
- Using cookie-less SYN flood protection
- Ignoring kernel OOM killer risks
When configuring sysctl.conf for server optimization, one of the most debated parameters is net.ipv4.tcp_max_syn_backlog. The recommended values vary dramatically:
# Common recommendations found online:
net.ipv4.tcp_max_syn_backlog = 3240000 # Extreme high-end
net.ipv4.tcp_max_syn_backlog = 65536 # Moderate
net.ipv4.tcp_max_syn_backlog = 4096 # ConservativeThis kernel parameter defines the maximum number of remembered connection requests (SYN packets) that have not yet received an acknowledgment from the connecting client. Essentially, it's a queue for half-open connections during the TCP three-way handshake.
Key factors affecting optimal value:
- Available system memory (each entry consumes ~300 bytes)
- Network bandwidth and expected connection rate
- Server role (web server vs database vs API endpoint)
- SYN flood protection mechanisms in place
Instead of blindly following guides, consider this methodology:
# 1. Check current connection attempt rate
sar -n TCP 1 10 | grep -E 'active/s|passive/s'
# 2. Monitor current backlog usage
watch -n 1 'cat /proc/net/stat/syn_recv'
# 3. Calculate based on peak traffic:
# (Max connections per second * average connection duration in seconds) * safety margin
# Example calculation for 10k connections/sec with 2s duration:
(10000 * 2) * 1.2 = 24000For Dedicated Web Servers
# Apache/Nginx with moderate traffic (10-50k RPM)
net.ipv4.tcp_max_syn_backlog = 65536
net.core.somaxconn = 65536
net.ipv4.tcp_syncookies = 1For API Gateways
# High-performance API servers (100k+ RPM)
net.ipv4.tcp_max_syn_backlog = 131072
net.ipv4.tcp_abort_on_overflow = 0
net.ipv4.tcp_synack_retries = 2For Cloud Microservices
# Containerized environments with burst traffic
net.ipv4.tcp_max_syn_backlog = 32768
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_max_tw_buckets = 2000000Monitor these metrics to detect misconfiguration:
# SYN cookies being used (indicates backlog overflow)
grep TCP /proc/net/stat/syncookies
# Connection drops due to full queue
netstat -s | grep -i "listenqueue"If you're seeing frequent SYN cookie usage or connection drops, consider increasing the backlog size incrementally while monitoring memory usage.
For ultra-high performance setups:
# Combine with other TCP stack optimizations
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30
# Requires proper ulimit adjustments
echo "* soft nofile 1048576" >> /etc/security/limits.conf
echo "* hard nofile 1048576" >> /etc/security/limits.confRemember that any changes should be tested under load conditions that simulate your production environment.