The TCP accept queue is a kernel-level data structure central to connection-handling resilience, and one of the tuning targets a thorough DDoS test is built to stress. After the three-way handshake completes, the connection moves from the SYN backlog to the accept queue, where it waits for the application to call accept(). The queue is bounded by somaxconn and the listen backlog; once it fills, the kernel drops fully established connections even though the handshake succeeded.
Why it matters in DDoS testing
The accept queue is a distinct failure surface from the SYN backlog: a slow or saturated application can fill it even without a packet flood. A test characterizes the rate at which accept() falls behind incoming connections and whether somaxconn, the listen backlog, and worker concurrency hold under sustained load. This is the queue that turns a connection flood into dropped requests, and validating it is a core part of DDoS resilience testing.