Se eu estiver lendo o material sysctl / tcp corretamente, ele será disparado quando o número de solicitações de sincronização não ACKED exceder o valor de net.ipv4.tcp_max_syn_backlog. Especificamente:
The tcp_max_syn_backlog variable tells your box how many SYN requests to keep in memory that we have yet to get the third packet in a 3-way handshake from. The tcp_max_syn_backlog variable is overridden by the tcp_syncookies variable, which needs to be turned on for this variable to have any effect. If the server suffers from overloads at peak times, you may want to increase this value a little bit.
A razão que eu acho simples é o texto de tcp_syncookies:
The tcp_syncookies variable is used to send out so called syncookies to hosts when the kernels syn backlog queue for a specific socket is overflowed. This means that if our host is flooded with several SYN packets from different hosts, the syn backlog queue may overflow, and hence this function starts sending out cookies to see if the SYN packets are really legit.
Para mim, isso faz parecer que é tão simples quanto a fila de sincronização com > tcp_max_syn_backlog conexões pendentes.