@blockbot @kirby Like, the TCP handshake:
:mgsgb_1::mycomputer::ddr_r::hal9000: SYN
:mgsgb_2::hal9000::ddr_r::mycomputer: ACK/SYN
:mgsgb_3::mycomputer::ddr_r::hal9000: ACK
After step 3, the connection is established. Sending a SYN flood looks a lot like creating a large number of incoming connections, because it's just repeating step 1 and ignoring the responses in step 2. The from address can be forged, so how do you tell the difference? The syncookie thing is basically embedding some private data in a hash in the TCP sequence number so that the server can skip the connection overhead: when step 3 happens, it validates the hash and then it can assume the connection is really open.
Since actual requests were coming in, it wasn't a syn flood: you can't send the "GET /api/v1/streaming HTTP/1.1\r\n" unless you've finished the handshake.
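A simplified sketch of the syncookie idea described above, as an added example that is not part of the original post and not the cookie layout of any real TCP stack (real implementations also encode things like the MSS). The secret, the 64-second time slot, the function names and the addresses are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-secret"  # assumption: real servers use a random key
SLOT_SECONDS = 64                    # assumption: coarse clock so cookies expire
MASK = 0xFFFFFFFF

def _mac(conn, client_isn, slot):
    """32-bit keyed hash over the 4-tuple, the client's ISN and a time slot."""
    src_ip, src_port, dst_ip, dst_port = conn
    msg = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack(
        "!HHII", src_port, dst_port, client_isn & MASK, slot & MASK)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:4]

def make_cookie(conn, client_isn, now):
    """Step 2: sequence number for the reply. No per-connection state is stored."""
    return struct.unpack("!I", _mac(conn, client_isn, int(now) // SLOT_SECONDS))[0]

def check_ack(conn, seq, ack, now):
    """Step 3: the ACK carries client_isn+1 and cookie+1; recompute and compare."""
    client_isn = (seq - 1) & MASK
    cookie = struct.pack("!I", (ack - 1) & MASK)
    slot = int(now) // SLOT_SECONDS
    # Accept the current and previous slot so a slow but honest client still passes.
    return any(hmac.compare_digest(cookie, _mac(conn, client_isn, s))
               for s in (slot, slot - 1))

if __name__ == "__main__":
    conn = ("198.51.100.7", 40000, "192.0.2.10", 443)  # constructed addresses
    t0 = 1_700_000_000
    c = make_cookie(conn, 1000, t0)
    print("handshake completed:", check_ack(conn, 1001, (c + 1) & MASK, t0 + 5))
    print("guessed ACK:        ", check_ack(conn, 1001, (c + 2) & MASK, t0 + 5))
```

A sender that forges the from address never sees the cookie in step 2, so it cannot produce the matching ACK in step 3, and the server has spent no memory on it in the meantime.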