Question & Answer
Question
Why does my maximum backlog for a listening application increase to values higher than SOMAXCONN?
Answer
The maximum listen backlog value is initially set by the listen() socket function call issued by an application. The maximum backlog for the application is initially set to either:
1. The value of SOMAXCONN as coded in the TCP/IP profile dataset. The default is 10.
Or,
2. The value set by the application on the listen() function call, as long as it is a value lower than SOMAXCONN.
You can display the maximum listen backlog using the NETSTAT ALL command:
EZZ2594I MaximumBacklog: 0000000010
The backlog is a placeholder for new inbound connection requests to a server. Connection requests are held in this backlog until the server issues an accept() for the connection. Normally you should see very few or no connections in the backlog for a server if it is running as it should.
The MaximumBacklog value may be increased up to 768. The value is set by TCP/IP SYN-attack logic in the TCP layer on z/OS. If a server is not accepting connections fast enough compared to new connections arriving, the backlog will fill up. There is logic in the TCP layer, which may optionally be used with IDS (intrusion detection policy), to make sure that a server is not under a SYN-attack. TCP/IP will periodically bump up the backlog value so that new non-SYN-attack connections will not be dropped.
If an IDS policy is not in place, TCP/IP internally makes certain assumptions in determining whether a series of SYNs represents an attack.
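One way to spot listeners whose backlog has been raised above SOMAXCONN, as an added example (not IBM's code): a Python script that scans saved NETSTAT ALL output. The sample text is constructed, and the `Client Name:` line layout and the function names are assumptions; only the MaximumBacklog line format and the 768 ceiling come from this page.

```python
import re

SYN_LOGIC_CEILING = 768  # upper bound for MaximumBacklog stated on this page

# Constructed sample, not real output. The "Client Name:" layout is assumed;
# the MaximumBacklog line follows the format shown on this page.
SAMPLE = """\
Client Name: WEBSRV1
EZZ2594I MaximumBacklog: 0000000010
Client Name: APPSRV2
EZZ2594I MaximumBacklog: 0000000040
Client Name: FTPD1
EZZ2594I MaximumBacklog: 0000000768
"""

NAME_RE = re.compile(r"Client Name:\s*(\S+)")
BACKLOG_RE = re.compile(r"MaximumBacklog:\s*(\d+)")


def classify(value, somaxconn):
    """Compare an observed MaximumBacklog with the configured SOMAXCONN."""
    if value <= somaxconn:
        return "initial"      # still the listen()/SOMAXCONN value
    if value < SYN_LOGIC_CEILING:
        return "raised"       # bumped by the stack: server is slow to accept()
    if value == SYN_LOGIC_CEILING:
        return "at-ceiling"   # no further headroom for new connections
    return "unexpected"       # above the documented maximum, check the input


def audit_backlogs(netstat_text, somaxconn=10):
    """Return [(client, max_backlog, status)] for each MaximumBacklog line."""
    results = []
    client = "?"  # used when no client name precedes the backlog line
    for line in netstat_text.splitlines():
        name = NAME_RE.search(line)
        if name:
            client = name.group(1)
        backlog = BACKLOG_RE.search(line)
        if backlog:
            value = int(backlog.group(1), 10)  # zero-padded decimal
            results.append((client, value, classify(value, somaxconn)))
    return results


if __name__ == "__main__":
    for client, value, status in audit_backlogs(SAMPLE, somaxconn=10):
        print(f"{client:10} MaximumBacklog={value:4} {status}")
```

Pass the SOMAXCONN value from your own TCP/IP profile; listeners reported as raised or at-ceiling are the ones to check for slow accept() processing or SYN-flood activity.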
Document Information
Modified date: 15 June 2018
UID: swg21882753