Normally SYN flood attack will be using spoofed source ip addresses. Attacker simply send thousands of SYN packets to the target server using spoofed or non-existent source ip addresses and will not respond to the SYN/ACK packets coming from the target(server/SRX). This causes resource starvation in target server /SRX becuase it has to store the half open connection information.
In case of SYN Cookie, SRX won’t record any state of the connection, in case the SYN is spoofed. Instead, it will send the SYN/ACK back toward the client with syn cookie. If it was spoofed, the client will either drop the SYN or send a reset, but won’t process the packet. If the client (attacker) is real, it will respond with its ACK using the sequence number provided by the server. If the sequence number doesn’t match what is expected, then the SRX will not process the connection.
Essentially, this ensures that the client is real and not spoofed (assuming that the attacker isn’t in the same path) so that a host can’t do a massive spoofed SYN flood, and at the same time we can validate that the client is real.
After the client has completed the three-way handshake, then the SRX will open the connection to the destination server.
Reference: https://www.oreilly.com/library/view/juniper-srx-series/9781449339029/ch11.html Section: SYN flood/spoofing attacks