TCP ACK flood
High-rate ACK packets force stateful firewalls and load balancers to track sessions that may never have completed a legitimate handshake.
How it works
- ACK packets arrive without matching SYN state on some devices.
- Stateful inspection tables fill with orphan or mismatched entries.
- Can bypass naive SYN-only mitigations while still consuming resources.
Packet flow (illustrative)
Engarde node → Target
→ ACK#1
→ ACK#2
→ ACK#3
→ ACK…
Stateful table entries ↑
Illustrative flow, not a live capture.
Flag: ACK
Engarde metric: PPS, state table
Layer: L4
What to watch in Engarde
- Firewall session count under ACK-only traffic.
- Asymmetric routing interactions with scrubbing centers.
Running this simulation
Select the TCP attack with the ACK flag in Engarde DDoS. Compare the result with the SYN flood report on the same target/port.
Mitigation perspective
Stateful firewall tuning, ACK storm detection, and hybrid mitigation validation.
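
One way to express the ACK storm detection mentioned above, as an added example that is not Engarde's own code: count ACK-only packets that match no observed handshake, per destination and time window, and alert when they dominate. The record format, thresholds and function names are assumptions, and the sample packets are constructed, not captured.

```python
from collections import defaultdict

def make_sample():
    """Constructed records: (ts_seconds, src, sport, dst, dport, flags)."""
    pkts = [  # one legitimate handshake followed by data ACKs
        (0.00, "198.51.100.7", 40000, "192.0.2.10", 443, "S"),
        (0.01, "192.0.2.10", 443, "198.51.100.7", 40000, "SA"),
        (0.02, "198.51.100.7", 40000, "192.0.2.10", 443, "A"),
        (0.05, "192.0.2.10", 443, "198.51.100.7", 40000, "A"),
    ]
    for i in range(200):  # ACK-only packets from flows that never sent a SYN
        src = "203.0.113.%d" % (i % 250 + 1)
        pkts.append((1.0 + i * 0.004, src, 1024 + i, "192.0.2.10", 443, "A"))
    return pkts

def detect_ack_storm(packets, window=1.0, min_orphans=100, min_ratio=0.9):
    """Return [(window_start, dst, dport, orphan_acks, total_acks)] alerts.

    An ACK is an orphan when neither direction of its 4-tuple belongs to a
    flow whose SYN and SYN-ACK were both observed. Thresholds are hypothetical.
    """
    syn_seen = set()      # (client, cport, server, sport) that sent a SYN
    established = set()   # flows whose SYN was answered with a SYN-ACK
    counts = defaultdict(lambda: [0, 0])  # (bucket, dst, dport) -> [orphan, total]
    for ts, src, sport, dst, dport, flags in sorted(packets):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":
            syn_seen.add(fwd)
        elif flags == "SA" and rev in syn_seen:
            established.add(rev)
        elif flags == "A":
            key = (int(ts // window), dst, dport)
            counts[key][1] += 1
            if fwd not in established and rev not in established:
                counts[key][0] += 1
    # A long-running monitor would also expire old entries from both sets.
    alerts = []
    for (bucket, dst, dport), (orphan, total) in sorted(counts.items()):
        if orphan >= min_orphans and orphan / total >= min_ratio:
            alerts.append((bucket * window, dst, dport, orphan, total))
    return alerts

if __name__ == "__main__":
    for alert in detect_ack_storm(make_sample()):
        print("ACK storm window=%.0fs dst=%s:%d orphan=%d total=%d" % alert)
```

With asymmetric routing the monitor may see only one direction of a flow, so legitimate ACKs can look like orphans; tune the ratio against a baseline taken at the same observation point.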