
Network Flood

A network flood overwhelms packet processing capabilities of routers, switches or hosts by saturating network capacity or exhausting connection queues.

What is a network flood?

Network flood attacks focus on exhausting infrastructure resources such as bandwidth, packet-processing capacity, or connection tables. Attackers aim to saturate links or force networking equipment into failure modes, preventing legitimate traffic from traversing the affected paths. Network floods can be launched as simple packet storms or combined with amplification to multiply their impact. Unlike application-layer attacks, they are generally easier to detect through volume anomalies, but they may require upstream cooperation to fully mitigate.

How does it typically work?

  1. Probe and select: attackers identify choke points such as transit links or edge routers.
  2. Traffic generation: bots and amplifiers generate high rates of packets toward target IPs or prefixes.
  3. State exhaustion: connection tracking tables or TCP stacks reach limits, preventing new sessions.
  4. Service degradation: routers drop packets and legitimate users experience severe latency or outage.

Common techniques & variants

  • SYN flood: exploit the TCP handshake by sending many connection requests without ever completing the handshake, exhausting connection tables.
  • ICMP flood: send large numbers of ping (echo request) packets to consume bandwidth and processing capacity.
  • UDP flood: send many UDP packets to random ports to force the target to respond or drop traffic.
  • Connection table exhaustion: target stateful devices by creating many half-open connections.
  • Fragmentation attack: send malformed or high-volume fragmented packets to burden reassembly logic.

Impact

Network floods can cause wide-ranging outages and require upstream scrubbing or route-based mitigations. For SecOps teams the operational challenge includes fast detection, distinguishing legitimate traffic surges from attacks, and coordinating with ISPs and cloud providers for traffic filtering. Mitigations often include traffic engineering, rate limiting at the edges, and dedicated scrubbing services. Because these attacks operate at the network layer, they are often combined with other vectors to maximize disruption.
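The volume-anomaly detection mentioned above, applied to the SYN, UDP and ICMP flood variants listed earlier, as an added example that is not part of the original page: it runs per-destination, per-second checks over constructed packet summaries (assumed to come from a sampled flow or capture feed) and flags half-open SYN bursts and port-sprayed UDP bursts. The thresholds are illustrative assumptions, not values from the page.

```python
from collections import Counter, defaultdict
# Constructed packet summaries, not real captures: (second, src, dst, proto, info).
# proto "tcp": info is the TCP flag string; "udp": info is the destination port;
# "icmp": info is the ICMP type name.
SAMPLE = (
    # Legitimate client completing the handshake with 10.0.0.5
    [(0, "192.0.2.10", "10.0.0.5", "tcp", "S"), (0, "192.0.2.10", "10.0.0.5", "tcp", "A")]
    # SYN flood: 300 SYNs spread over 250 source addresses, none ever acknowledged
    + [(1, f"198.51.100.{i % 250}", "10.0.0.5", "tcp", "S") for i in range(300)]
    # UDP flood: 200 packets sprayed across random high ports of 10.0.0.9
    + [(2, "203.0.113.7", "10.0.0.9", "udp", 20000 + (i * 7919) % 40000) for i in range(200)]
    # ICMP echo requests at a normal rate
    + [(3, "192.0.2.11", "10.0.0.5", "icmp", "echo-request") for _ in range(5)]
)

def detect_floods(records, syn_limit=100, udp_limit=100, udp_ports=50, icmp_limit=100):
    """Per-destination, per-second volume checks. Thresholds are illustrative
    assumptions (tune them against a baseline of normal traffic). Returns a
    sorted list of (second, dst, kind, count) alerts."""
    syn = defaultdict(Counter)   # (sec, dst) -> {src: SYN count}
    acked = defaultdict(set)     # (sec, dst) -> sources that sent an ACK
    udp = defaultdict(list)      # (sec, dst) -> destination ports seen
    icmp = Counter()             # (sec, dst) -> echo-request count
    for sec, src, dst, proto, info in records:
        key = (sec, dst)
        if proto == "tcp":
            if "S" in info and "A" not in info:
                syn[key][src] += 1
            elif "A" in info:
                acked[key].add(src)
        elif proto == "udp":
            udp[key].append(info)
        elif proto == "icmp" and info == "echo-request":
            icmp[key] += 1
    alerts = []
    for key, per_src in syn.items():
        # Half-open = SYNs whose source never followed up with an ACK in the window.
        # Sources are usually spoofed, so judge by the per-destination total, not per source.
        half_open = sum(n for src, n in per_src.items() if src not in acked[key])
        if half_open >= syn_limit:
            alerts.append((*key, "syn_flood", half_open))
    for key, ports in udp.items():
        # Many packets AND many distinct ports: a single busy service would reuse one port.
        if len(ports) >= udp_limit and len(set(ports)) >= udp_ports:
            alerts.append((*key, "udp_flood", len(ports)))
    for key, n in icmp.items():
        if n >= icmp_limit:
            alerts.append((*key, "icmp_flood", n))
    return sorted(alerts)
```

A legitimate surge of completed handshakes to one service does not trip the SYN check, which is the distinction the Impact section asks SecOps teams to make; in production the same logic would run over NetFlow/sFlow-style records rather than an in-memory list.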

Further reading

  • IETF: RFC on SYN flood and TCP stack guidance.
  • Arbor Networks: Network flood research.
  • Cloudflare: Network-level DDoS defenses.
  • CISA: Network attack advisories.