TCP Connection Flood

A TCP connection flood is a Layer 4 attack vector, one of the state-exhaustion classes a thorough DDoS test is built to exercise. Unlike a SYN flood, which leaves handshakes half-open, this attack completes the full three-way handshake and opens large numbers of real connections, then holds them idle or trickles minimal data. Each established connection consumes a socket, a slot in the conntrack table, and memory on the server and every stateful device in the path. Once those tables fill, the target cannot accept new legitimate connections even though bandwidth is barely touched.

Why it matters in DDoS testing

Because the connections are fully valid, this vector slips past defenses tuned only for malformed or half-open traffic, and it pressures the connection-tracking limits of firewalls, load balancers, and the origin alike. A test characterizes the concurrent-connection ceiling, how conntrack and accept-queue limits behave at saturation, and whether idle-timeout and per-source connection caps engage in time. That state-bound failure mode is exactly what DDoS resilience testing isolates from bandwidth-bound failure.
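To make the measurements above concrete on the defending host, here is an added example (not part of the original definition) that reads Linux connection-tracking entries and reports table utilization, sources holding more established connections than a cap, and how many of those connections are idle. It assumes the `/proc/net/nf_conntrack` line layout and the Linux default established timeout of 432000 seconds; the sample entries, the function name and the thresholds are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: nf_conntrack_tcp_timeout_established is at the Linux default.
EST_TIMEOUT = 432000

# Constructed sample in /proc/net/nf_conntrack layout (documentation addresses).
SAMPLE = """\
ipv4 2 tcp 6 431100 ESTABLISHED src=203.0.113.7 dst=192.0.2.10 sport=40001 dport=443 src=192.0.2.10 dst=203.0.113.7 sport=443 dport=40001 [ASSURED] use=1
ipv4 2 tcp 6 431100 ESTABLISHED src=203.0.113.7 dst=192.0.2.10 sport=40002 dport=443 src=192.0.2.10 dst=203.0.113.7 sport=443 dport=40002 [ASSURED] use=1
ipv4 2 tcp 6 431100 ESTABLISHED src=203.0.113.7 dst=192.0.2.10 sport=40003 dport=443 src=192.0.2.10 dst=203.0.113.7 sport=443 dport=40003 [ASSURED] use=1
ipv4 2 tcp 6 431100 ESTABLISHED src=203.0.113.7 dst=192.0.2.10 sport=40004 dport=443 src=192.0.2.10 dst=203.0.113.7 sport=443 dport=40004 [ASSURED] use=1
ipv4 2 tcp 6 431995 ESTABLISHED src=198.51.100.20 dst=192.0.2.10 sport=51000 dport=443 src=192.0.2.10 dst=198.51.100.20 sport=443 dport=51000 [ASSURED] use=1
ipv4 2 tcp 6 431995 ESTABLISHED src=198.51.100.20 dst=192.0.2.10 sport=51001 dport=443 src=192.0.2.10 dst=198.51.100.20 sport=443 dport=51001 [ASSURED] use=1
ipv4 2 tcp 6 55 SYN_RECV src=198.51.100.99 dst=192.0.2.10 sport=61000 dport=443 src=192.0.2.10 dst=198.51.100.99 sport=443 dport=61000 use=1
"""

# Captures: remaining timeout, TCP state, original-direction source address.
ENTRY = re.compile(r"\btcp\s+6\s+(\d+)\s+(\S+)\s+src=(\S+)")

def analyze(text, conntrack_max, per_source_cap, idle_after):
    """Summarize state pressure from a conntrack table dump."""
    total = 0
    established, idle = Counter(), Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        total += 1  # every entry occupies a table slot, whatever its state
        m = ENTRY.search(line)
        if not m or m.group(2) != "ESTABLISHED":
            continue  # half-open entries are the SYN-flood signature, not this one
        remaining, src = int(m.group(1)), m.group(3)
        established[src] += 1
        # The timer is refreshed by each packet, so the gap to the full
        # timeout approximates how long the connection has been silent.
        if EST_TIMEOUT - remaining >= idle_after:
            idle[src] += 1
    return {
        "table_utilization": total / conntrack_max,
        "established_total": sum(established.values()),
        "over_cap": {s: n for s, n in established.items() if n > per_source_cap},
        "idle_by_source": dict(idle),
    }

if __name__ == "__main__":
    # Hypothetical limits chosen to fit the small sample.
    print(analyze(SAMPLE, conntrack_max=10, per_source_cap=3, idle_after=300))
```

On a live host the same function can be fed the contents of `/proc/net/nf_conntrack`, with `conntrack_max` taken from `net.netfilter.nf_conntrack_max`.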