
Conntrack Exhaustion

Conntrack exhaustion is a kernel-level failure mode at the center of stateful-firewall resilience, and one of the resource limits a thorough DDoS test is built to probe. The Linux connection-tracking table (nf_conntrack) holds an entry for every flow a stateful firewall or NAT device follows. A flood of new connections, even a low-bandwidth one, fills the table up to nf_conntrack_max; once it is full, the kernel drops any packet that would create a new flow, legitimate traffic included, and logs nf_conntrack: table full.

Why it matters in DDoS testing

Conntrack exhaustion is why connection floods and TCP state attacks succeed at modest packet rates: the cost they impose is per-flow table state, not bandwidth. A test characterizes the new-connection rate at which the table saturates and whether the configured nf_conntrack_max, the entry timeouts, and any conntrack offload hold up under it. These low-bandwidth, state-targeting techniques are detailed in Understanding DDoS Attack Vectors.
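As an added example, not part of this glossary entry, the Python below reads the kernel's nf_conntrack_count and nf_conntrack_max, grades table pressure, counts "table full" drop messages in kernel-log lines, and tallies TCP states from nf_conntrack rows so that half-open entries piling up stand out. The sample log and table rows are constructed, and the 80%/95% warning and critical thresholds are assumptions.

```python
# Added example (not from the page): gauge Linux conntrack table pressure and
# spot the symptoms of conntrack exhaustion described above.
import re
from pathlib import Path
CONNTRACK_SYSCTL = Path("/proc/sys/net/netfilter")  # real kernel sysctl location
TABLE_FULL_RE = re.compile(r"nf_conntrack: table full, dropping packet")
# Constructed sample data so the example runs offline (not real captures).
SAMPLE_DMESG = [
    "[1001.230] nf_conntrack: table full, dropping packet",
    "[1001.231] nf_conntrack: table full, dropping packet",
    "[1002.000] eth0: NIC Link is Up 10 Gbps",
]
SAMPLE_CONNTRACK = [  # /proc/net/nf_conntrack-style rows; 6th field is TCP state
    "ipv4 2 tcp 6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.10 sport=40000 dport=443 [ASSURED] use=1",
    "ipv4 2 tcp 6 59 SYN_RECV src=203.0.113.7 dst=10.0.0.10 sport=51000 dport=80 use=1",
    "ipv4 2 tcp 6 58 SYN_RECV src=203.0.113.8 dst=10.0.0.10 sport=51001 dport=80 use=1",
    "ipv4 2 udp 17 29 src=10.0.0.5 dst=10.0.0.53 sport=5353 dport=53 use=1",
]

def read_conntrack_usage(sysctl_dir=CONNTRACK_SYSCTL):
    """Return (nf_conntrack_count, nf_conntrack_max), or None off Linux/netfilter."""
    try:
        count = int((sysctl_dir / "nf_conntrack_count").read_text())
        limit = int((sysctl_dir / "nf_conntrack_max").read_text())
    except (OSError, ValueError):
        return None
    return count, limit

def assess(count, limit, warn=0.80, crit=0.95):
    """Classify table pressure as 'ok', 'warning' (headroom shrinking) or 'critical'."""
    util = count / limit if limit else 1.0  # thresholds are assumed values
    if util >= crit:
        return "critical"
    return "warning" if util >= warn else "ok"

def count_table_full_events(log_lines):
    """Count kernel-log lines reporting drops from a full table (the page's symptom)."""
    return sum(1 for line in log_lines if TABLE_FULL_RE.search(line))

def tcp_state_histogram(conntrack_rows):
    """Tally TCP states; many half-open SYN_RECV/SYN_SENT entries point at a state flood."""
    hist = {}
    for row in conntrack_rows:
        f = row.split()
        if len(f) > 5 and f[2] == "tcp":  # UDP/ICMP rows carry no state field
            hist[f[5]] = hist.get(f[5], 0) + 1
    return hist
if __name__ == "__main__":
    usage = read_conntrack_usage() or (950, 1000)  # constructed fallback values
    print(assess(*usage), count_table_full_events(SAMPLE_DMESG), tcp_state_histogram(SAMPLE_CONNTRACK))
```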