A protocol attack is a category of DDoS attack vector, the state-exhaustion class a thorough DDoS test is built to exercise. It sits between volumetric floods and application-layer attacks: instead of saturating bandwidth or abusing application logic, it weaponizes the way network protocols track connection state. SYN floods, ACK and RST floods, fragmentation attacks, and connection floods are all protocol attacks. They are measured in packets per second rather than bits per second, and they target the finite state tables in firewalls, load balancers, and the origin kernel.
Why it matters in DDoS testing
Protocol attacks expose a failure mode that bandwidth provisioning alone cannot fix: a device can have ample link capacity and still fall when its conntrack table, accept queue, or SYN backlog fills. A test characterizes the packet-rate ceiling of every stateful device in the path, not just the origin, and confirms that SYN cookies, backlog tuning, and state-table limits hold under sustained pressure. Separating this layer from volumetric and application failure is the structuring principle of DDoS resilience testing.