
Tuesday, November 18, 2025

Why Packets-Per-Second (PPS) Is an Important Metric Distinct From Bandwidth in DDoS Detection

When most people talk about Distributed Denial of Service (DDoS) attacks, they immediately imagine massive waves of traffic, overflowing bandwidth pipes, and network links pushed to their limit. And sure, that’s one type of attack. But focusing only on bandwidth (bits per second) tells just one part of the story.

There’s another metric—often overlooked, yet absolutely critical—called packets per second (pps). In many situations, it reveals far more about the health of your network and the severity of a potential DDoS attack than bandwidth ever could.

If you’ve ever wondered why networks collapse even when bandwidth seems “within limits,” or why firewalls, routers, and load balancers sometimes choke under what looks like moderate traffic, the answer almost always lies in packet rate.

In this blog, we’re going deep into why packets-per-second is an important metric that stands apart from bandwidth, how attackers exploit this distinction, what devices fail first in high-pps storms, and why ignoring packet rate is one of the biggest mistakes organisations make in DDoS monitoring.


Understanding the Difference Between Bandwidth and Packet Rate

To understand why pps matters so much, it's important to clarify what bandwidth and packet rate actually measure.

Bandwidth (bits per second)

Bandwidth measures the total volume of data flowing into or out of a network. In other words, it’s about how much data—video streams, downloads, web pages, API responses—is moving through the pipe.

Packets per second (pps)

Packets per second measures how many individual packets are transmitted, regardless of their size. A packet can be tiny (a few bytes of payload) or large (up to the MTU limit), but every packet must be processed by each device along the path.

So while bandwidth is about bulk, pps is about workload.

Now imagine this:

  • You could have a flood of very large packets. Bandwidth spikes. Packet rate might not.

  • You could have a flood of millions of tiny packets. Bandwidth barely moves. Packet rate skyrockets.

Guess which scenario breaks most devices faster?

The second one. And that’s where many DDoS attacks hide.


Why PPS Can Be More Dangerous Than Bandwidth

Routers, switches, firewalls, load balancers, and even cloud-based network filters have something in common: They process packets one at a time. Every packet must be inspected, routed, checked against rules, and forwarded—or dropped.

This takes CPU, memory, and sometimes flow-table capacity.

When packets arrive faster than the device can process them, you get:

  • High CPU usage

  • Dropped packets

  • Latency

  • Device lockups

  • Connection resets

  • Full service outages

All of this can happen long before bandwidth limits are reached.

So organisations monitoring only bandwidth might look at their dashboard and think everything is fine—meanwhile firewalls are melting down under a massive packet load.


Device Limits: Where PPS Attacks Hit Hardest

Different network components fail under different conditions. PPS-focused attacks exploit the processing limitations of these devices.

Let’s break down where the bottlenecks show up.

Firewalls

Firewalls inspect packets deeply, compare them against rules, and manage state tables. They are extremely vulnerable to high pps because every packet requires processing.

High pps attacks often cause:

  • CPU overload

  • Flow-table exhaustion

  • Dropped legitimate connections

  • Failure to establish new sessions

Even a firewall with gigabit bandwidth capacity may collapse under just a few million pps.

Routers and Switches

These devices route packets based on IP headers. Their performance depends heavily on:

  • Packet lookup speed

  • Forwarding table efficiency

  • Hardware acceleration chips (if any)

Routers fall over quickly once packets arrive faster than their forwarding hardware, or the CPU handling what the hardware cannot, is able to process them.

Load Balancers

These devices juggle requests across servers. Many modern load balancers are smart: they terminate SSL/TLS, apply rules, and steer traffic.

Packet floods overwhelm:

  • Session creation

  • NAT translation

  • SSL handshake queues

This can cause the entire load balancing system to collapse even with low bandwidth.

Intrusion Prevention Systems (IPS)

IPS devices inspect packets deeply for signatures, anomalies, and threats. Their throughput is often determined by how many packets they can inspect per second, not how much bandwidth they can pass.

A high packet rate saturates their inspection engines almost instantly.

Cloud and CDN Layers

Even cloud-based DDoS protection systems have pps thresholds. Many providers advertise bandwidth protection in the terabit range, but the fine print often includes pps limits.

Attackers know this. And they use high-rate packet bursts to exploit those boundaries.


Why PPS Attacks Are So Effective in DDoS Campaigns

While volumetric attacks are flashy, high-pps attacks are surgical, stealthy, and extremely effective. Here’s why.

1. Tiny packets are cheaper to generate

An attacker can generate enormous packet volume with minimal cost. Even low-power IoT devices can pump out huge numbers of 60–80 byte packets.

2. They bypass bandwidth-based defenses

Some DDoS protections trigger only when bandwidth spikes. A packet-rate attack slips through these systems completely unnoticed until devices start failing.

3. They target stateful devices first

Stateful devices—those that track connection information—are among the most fragile under packet floods. This includes:

  • Firewalls

  • NAT gateways

  • VPN concentrators

  • Stateful inspection routers

Their flow tables fill up and they freeze, knocking out legitimate users instantly.

4. They’re used in multi-vector DDoS attacks

Modern attackers rarely use one technique. They blend:

  • High pps

  • High bps

  • Application-layer floods

  • TCP handshake abuse

  • Bot-driven scraping

  • DNS reflection

Monitoring only one metric leaves you exposed.


Real-World Examples: How PPS Causes Outages Even When Bandwidth Does Not

Let’s walk through a few simplified real-world-style scenarios illustrating how packet floods cause outages without hitting bandwidth limits.

Scenario 1: A 1 Gbps Firewall Fails Under Low Bandwidth

A firewall supports:

  • 1 Gbps throughput

  • 400,000 packets per second maximum processing

An attacker sends:

  • 100 Mbps traffic

  • But at 800,000 packets per second

Bandwidth looks safe. But packet rate is double the firewall’s limit.

The firewall crashes instantly.

Scenario 2: A Router Overwhelmed by Tiny Packet Flood

Packets of 60 bytes each can create high PPS with low total data volume.

An attacker sends:

  • 50 Mbps traffic

  • At 1.5 million packets per second

Even though the bandwidth is low, the router’s CPU hits 100 percent and stops forwarding traffic.

Scenario 3: Cloud Load Balancer Hit by SYN Packets

A load balancer that handles 2 million new connections per second is strong—but not infinite.

An attacker sends:

  • SYN packets only

  • No completed handshakes

  • 5 million packets per second

The load balancer chokes on session creation attempts long before bandwidth maxes out.

In every case, bandwidth metrics look “normal,” but packet rate tells the real story.


Why PPS Monitoring Is Crucial in DDoS Detection

Here’s why organisations must track packet rate alongside bandwidth.

1. PPS exposes early-stage attacks

Attackers often test a target with small bursts of packets to map out capacity. These bursts won’t show up in bandwidth tracking but appear clearly in packet rate graphs.

2. PPS identifies protocol-based attacks

Attacks like:

  • SYN floods

  • ACK floods

  • ICMP floods

  • DNS query floods

  • NTP/SSDP amplified packets

All of these are packet-rate attacks rather than bandwidth-heavy ones.

3. PPS reveals stealth attacks

Low-bps but high-pps attacks are quiet, cheap, and common. They’re designed to slip past defenses that only monitor bandwidth usage.

4. PPS correlates with CPU and flow table stress

If devices are maxing out on:

  • CPU

  • Memory

  • Queue sizes

  • Flow table entries

PPS is usually the root cause.

5. PPS is essential for capacity planning

If you know your router can handle 3 million packets per second, you can design protection accordingly. Without PPS insights, your architecture planning is blind.


What a Healthy PPS Baseline Looks Like

To detect anomalies, you must know what normal looks like.

A baseline typically includes:

  • Average pps during business hours

  • Peak pps during promotions or special events

  • Low pps during night hours

  • Typical packet size distribution

  • PPS to key services (web, DNS, APIs)

Without a baseline, every spike looks suspicious.

Once baselines are identified, security systems can flag deviations instantly.

For example:

  • A surge from 100,000 pps to 500,000 pps

  • Abrupt spikes in SYN packets without matching ACKs

  • Packet floods targeting a single port

These are strong indicators of an attack underway.


Monitoring Tools That Track PPS Effectively

While most monitoring tools report bandwidth, not all track packet rate. The ones that matter include:

  • Network traffic analyzers

  • Hardware router statistics

  • Firewall analytics dashboards

  • Cloud monitoring tools

  • Intrusion detection systems

  • DDoS scrubbing centers

  • SIEM platforms with traffic ingestion

PPS monitoring should ideally be real-time, not batch-based, because packet floods can overwhelm devices within seconds.
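The baseline and monitoring sections above describe what to watch for but not how to compute it. The following is an added example, not code from the original post: it derives bps and pps from two snapshots of Linux `/proc/net/dev` counters and then applies the three deviation checks the post lists (a surge against the baseline, SYNs without matching ACKs, one port absorbing the flood). The counter snapshots, the pps history and the per-second SYN/ACK and per-port tallies are constructed for the example, and the three thresholds (`SURGE_RATIO`, `SYN_ACK_RATIO`, `PORT_SHARE`) are assumed values, not figures from the post.

```python
# Added example (not from the original post): deriving packet rate from
# interface counters and flagging the three deviations listed above (a surge
# against baseline, SYNs without matching ACKs, one port absorbing the flood).
# The counter snapshots, history and per-second tallies are constructed;
# the three thresholds are assumed values, not the post's.
import statistics

SURGE_RATIO = 3.0     # assumed: alert when pps reaches 3x the baseline median
SYN_ACK_RATIO = 5.0   # assumed: alert when SYNs outnumber ACKs 5:1
PORT_SHARE = 0.8      # assumed: alert when one port takes 80%+ of packets


def parse_proc_net_dev(text: str) -> dict:
    """Return {iface: (rx_bytes, rx_packets)} from /proc/net/dev-style text."""
    stats = {}
    for line in text.splitlines():
        if ":" not in line:
            continue                      # skip the two header lines
        iface, fields = line.split(":", 1)
        cols = fields.split()             # rx_bytes is column 0, rx_packets column 1
        stats[iface.strip()] = (int(cols[0]), int(cols[1]))
    return stats


def rates(before: dict, after: dict, seconds: float) -> dict:
    """Per-interface (bps, pps) between two counter snapshots `seconds` apart."""
    out = {}
    for iface, (b1, p1) in after.items():
        b0, p0 = before.get(iface, (b1, p1))
        out[iface] = ((b1 - b0) * 8 / seconds, (p1 - p0) / seconds)
    return out


def pps_surge(current_pps: float, history: list) -> bool:
    """True when the current rate is SURGE_RATIO x the median of past samples."""
    baseline = statistics.median(history)
    return baseline > 0 and current_pps / baseline >= SURGE_RATIO


def syn_without_ack(syn: int, ack: int) -> bool:
    """True when SYNs are not being answered by ACKs (handshakes never finish)."""
    return syn >= SYN_ACK_RATIO * max(ack, 1)


def single_port_flood(port_counts: dict):
    """Return the port receiving PORT_SHARE or more of all packets, else None."""
    total = sum(port_counts.values())
    if total == 0:
        return None
    port, n = max(port_counts.items(), key=lambda kv: kv[1])
    return port if n / total >= PORT_SHARE else None


def evaluate(before_text, after_text, seconds, history, syn, ack, port_counts, iface="eth0"):
    """Run all three checks for one interface and return the alerts raised."""
    snap0, snap1 = parse_proc_net_dev(before_text), parse_proc_net_dev(after_text)
    bps, pps = rates(snap0, snap1, seconds)[iface]
    alerts = []
    if pps_surge(pps, history):
        alerts.append(f"pps surge on {iface}: {pps:,.0f} pps at only {bps / 1e6:.0f} Mbps")
    if syn_without_ack(syn, ack):
        alerts.append(f"SYN flood pattern: {syn} SYN vs {ack} ACK per second")
    port = single_port_flood(port_counts)
    if port is not None:
        alerts.append(f"packet flood concentrated on port {port}")
    return alerts


# Constructed /proc/net/dev snapshots one second apart: eth0 receives 500,000
# packets but only 40 MB (about 80 bytes each), i.e. 500 kpps at 320 Mbps.
SNAPSHOT_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:     123456     1000    0    0    0     0          0         0    123456     1000    0    0    0     0       0          0
  eth0: 1000000000 10000000    0    0    0     0          0         0 500000000  4000000    0    0    0     0       0          0
"""
SNAPSHOT_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:     123556     1001    0    0    0     0          0         0    123556     1001    0    0    0     0       0          0
  eth0: 1040000000 10500000    0    0    0     0          0         0 500100000  4001000    0    0    0     0       0          0
"""
HISTORY_PPS = [95_000, 100_000, 110_000, 98_000, 105_000]   # constructed baseline, median 100 kpps
SYN_PER_SEC, ACK_PER_SEC = 450_000, 12_000                   # constructed per-second tallies
PORT_COUNTS = {443: 470_000, 80: 20_000, 53: 10_000}         # constructed per-port packet counts

if __name__ == "__main__":
    for alert in evaluate(SNAPSHOT_T0, SNAPSHOT_T1, 1.0, HISTORY_PPS,
                          SYN_PER_SEC, ACK_PER_SEC, PORT_COUNTS):
        print("ALERT:", alert)
```

The surge check uses a median rather than a mean so that one earlier flood in the history does not drag the baseline up; in production the history would be the per-hour samples the post describes (business hours, night hours, promotion peaks) rather than a single flat list, and the SYN/ACK and per-port tallies would come from flow records or a capture tool rather than from `/proc/net/dev`, which only counts packets and bytes.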


How Attackers Use Small Packets to Evade Filters

Packet-rate DDoS attacks often use tiny packets for a specific reason: small packets require more work per bit of bandwidth consumed.

Here’s why small packets increase load:

  • More headers relative to payload

  • More interrupts to handle

  • More CPU required per packet

  • More overhead in processing queues

  • More strain on network buffers

A 20 Gbps attack made of 1500-byte packets is heavy but manageable for many systems.

A 20 Gbps attack made of 64-byte packets is often catastrophic.

The packet rate may be 20 times higher, and the device simply cannot keep up.
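The arithmetic behind the bandwidth-versus-packet-rate distinction (the definitions section, the three scenarios, and the 20 Gbps comparison just above) fits in a few functions. What follows is an added example, not code from the original post: `pps_from_bps` converts a bandwidth and a frame size into a packet rate, optionally counting the Ethernet preamble and inter-frame gap that a line-rate figure includes, `avg_frame_bytes` inverts that, and `limit_hit_first` reports which of a device's ceilings an offered load exhausts first. The device ceilings and attack figures in the demo are the post's own scenario numbers; the framing constants are standard Ethernet values; none of the limits describe a real product.

```python
# Added example (not from the original post): the arithmetic behind the
# bandwidth-vs-packet-rate distinction. The device ceilings and attack figures
# in the demo are the post's own scenario numbers; the Ethernet framing
# constants are standard; nothing here is a real product's limit.

# Ethernet puts 8 bytes of preamble/SFD and a 12-byte inter-frame gap around
# every frame on the wire, on top of the frame itself (which includes the FCS).
ETHERNET_WIRE_OVERHEAD = 20
ETHERNET_MIN_FRAME = 64      # minimum frame, incl. 4-byte FCS
ETHERNET_MAX_FRAME = 1518    # 1500-byte MTU + 14-byte header + 4-byte FCS


def pps_from_bps(bps: float, frame_bytes: int, on_wire: bool = False) -> float:
    """Packets per second that `bps` carries when every frame is `frame_bytes`.

    With on_wire=True the preamble and inter-frame gap are counted too, which
    yields the familiar 14.88 Mpps line rate for 64-byte frames at 10 Gbps.
    """
    per_frame = frame_bytes + (ETHERNET_WIRE_OVERHEAD if on_wire else 0)
    return bps / 8.0 / per_frame


def avg_frame_bytes(bps: float, pps: float) -> float:
    """Average frame size implied by a bandwidth / packet-rate pair."""
    return bps / 8.0 / pps


def limit_hit_first(device: dict, offered: dict) -> dict:
    """Compare an offered load with a device's ceilings, resource by resource.

    Both dicts map a resource name ("bps", "pps", "cps" for new connections per
    second) to a number. The result lists every utilization ratio and names the
    resource that is exhausted first, which is often not bandwidth.
    """
    utilization = {r: offered[r] / cap for r, cap in device.items()
                   if r in offered and cap > 0}
    worst = max(utilization, key=utilization.get)
    return {"utilization": utilization,
            "first_exhausted": worst,
            "overloaded": utilization[worst] > 1.0}


if __name__ == "__main__":
    # The 20 Gbps comparison above: full-size frames versus minimum-size frames.
    big = pps_from_bps(20e9, ETHERNET_MAX_FRAME, on_wire=True)
    small = pps_from_bps(20e9, ETHERNET_MIN_FRAME, on_wire=True)
    print(f"20 Gbps of 1518-byte frames: {big / 1e6:5.2f} Mpps")
    print(f"20 Gbps of   64-byte frames: {small / 1e6:5.2f} Mpps ({small / big:.1f}x)")

    # Scenario 1: 1 Gbps / 400 kpps firewall offered 100 Mbps at 800 kpps.
    print(limit_hit_first({"bps": 1e9, "pps": 400_000},
                          {"bps": 100e6, "pps": 800_000}))
    # Scenario 3: 2M connections/s load balancer offered 5M SYNs/s; every SYN is
    # a connection attempt, so the SYN rate is charged against "cps".
    print(limit_hit_first({"cps": 2_000_000}, {"cps": 5_000_000}))
```

At 20 Gbps the minimum-size flood works out to roughly 29.8 Mpps against about 1.6 Mpps for full-size frames when wire overhead is counted (about 18x), or 39 Mpps against 1.7 Mpps when it is not (about 23x), which is where the "20 times" rule of thumb above comes from. For capacity planning, run `limit_hit_first` with your own device's datasheet pps ceiling and the worst case of `pps_from_bps(link_rate, 64, on_wire=True)`: if that ratio is above 1, the link can deliver more packets than the device can process.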


How to Protect Against High-PPS Attacks

Now that we understand the risk, how do you defend against it?

1. Use stateless upstream filtering where possible

Stateful devices die first. Offload filtering to stateless routers or cloud scrubbing centers.

2. Implement rate limiting and connection limiting

Limit new connections or packet types from suspicious sources.

3. Leverage CDN edge networks

CDNs can absorb packet floods before they reach the origin.

4. Increase hardware capacity

Modern routers have ASICs that handle tens of millions of packets per second.

5. Deploy behavioral monitoring

Use systems that learn normal traffic patterns and detect deviations early.

6. Build layered DDoS protection

Combine:

  • Network-layer filtering

  • Application-layer protection

  • Cloud scrubbing

  • Real-time alerting

  • Automated mitigation

7. Test using controlled simulations

Simulate high-pps attacks to identify bottlenecks before attackers do.
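Step 2 above (rate limiting per source) and step 1 (stateful devices die first) pull in opposite directions: a per-source limiter is itself a piece of state that a spoofed-source flood can try to fill. The following is an added example, not code from the original post or any vendor: a per-source token-bucket packet limiter whose source table is a bounded LRU, so the limiter degrades by evicting old entries rather than by exhausting memory. The packet stream (a 50 pps client and a 20,000 pps flooder over one second), the addresses, and the rate, burst and table-size values are all constructed or assumed for the demonstration.

```python
# Added example (not from the original post): a per-source token-bucket packet
# rate limiter of the kind step 2 describes, with a bounded LRU source table so
# the limiter itself cannot be driven into the flow-table exhaustion the post
# warns about. The packet stream and every limit below are constructed values.
from collections import OrderedDict


class PacketRateLimiter:
    """Allow each source at most `rate` packets/s with bursts up to `burst`.

    State lives in an LRU table capped at `max_sources`; when the table is full
    the least recently seen source is evicted instead of the table growing
    without bound, so a spoofed-source flood costs accuracy, not the device.
    """

    def __init__(self, rate: float, burst: float, max_sources: int):
        self.rate = rate
        self.burst = burst
        self.max_sources = max_sources
        self.buckets = OrderedDict()   # src -> [tokens, last_seen]
        self.evictions = 0

    def allow(self, src: str, now: float) -> bool:
        """Spend one token for `src` at time `now`; False means drop the packet."""
        entry = self.buckets.get(src)
        if entry is None:
            if len(self.buckets) >= self.max_sources:
                self.buckets.popitem(last=False)   # evict least recently used
                self.evictions += 1
            entry = [self.burst, now]              # new source starts with a full burst
            self.buckets[src] = entry
        else:
            self.buckets.move_to_end(src)
            tokens, last = entry
            entry[0] = min(self.burst, tokens + (now - last) * self.rate)
            entry[1] = now
        if entry[0] >= 1.0:
            entry[0] -= 1.0
            return True
        return False


def run_stream(limiter: PacketRateLimiter, packets: list) -> dict:
    """Feed (time, src) packets through the limiter; return {src: (passed, dropped)}."""
    stats = {}
    for t, src in packets:
        passed, dropped = stats.get(src, (0, 0))
        if limiter.allow(src, t):
            passed += 1
        else:
            dropped += 1
        stats[src] = (passed, dropped)
    return stats


def constructed_stream() -> list:
    """One second of traffic: a well-behaved client and a single flooding source."""
    pkts = [(i / 50.0, "198.51.100.10") for i in range(50)]          # 50 pps, evenly spaced
    pkts += [(i / 20_000.0, "203.0.113.7") for i in range(20_000)]    # 20,000 pps flood
    pkts.sort()
    return pkts


if __name__ == "__main__":
    limiter = PacketRateLimiter(rate=1000, burst=100, max_sources=1024)
    for src, (passed, dropped) in run_stream(limiter, constructed_stream()).items():
        print(f"{src:15} passed={passed:6d} dropped={dropped:6d}")
```

With those settings the client's 50 packets all pass, while the flooder gets its 100-packet burst plus about 1,000 packets over the second and loses the other ~18,900. The limiter still has to touch every packet, so it belongs as far upstream as possible (on the stateless filtering layer of step 1 or at the scrubbing provider), not on the stateful firewall it is meant to protect.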


Final Thoughts

Packets-per-second is one of the most critical metrics in DDoS detection—and one of the most misunderstood. While bandwidth tells you how much data is flowing through your network, packet rate tells you how much stress your devices are under.

Attackers know that hardware devices have hard limits on how many packets they can process, regardless of bandwidth capacity. That’s why modern DDoS campaigns frequently use high-pps attacks to overwhelm routers, firewalls, load balancers, IPS systems, and even cloud-based defenses.

When an organisation monitors only bandwidth, it risks missing the earliest and most damaging signs of an attack. But when packet rate is tracked alongside other metrics—bandwidth, connections, resource usage, and behavior patterns—the organisation gains a full, accurate picture of its traffic health.

In short:

  • Bandwidth is the weight.

  • Packets per second is the workload.

  • Most networks fail because of workload, not weight.

Understanding this difference—and monitoring both metrics with equal attention—is essential for staying ahead of modern DDoS threats.
