A DDoS test is a procedure, not an event.
The traffic generator is the least interesting part of it. Anyone can point a load tool at a hostname and watch a graph move. What separates a test that produces a number you can act on from one that produces noise is the order of operations: what you establish before you generate a packet, and what you record while you do.
This is the runbook. Not what DDoS testing is, or how to keep it safe, or how to judge a vendor's methodology (each of those is its own topic and linked below), but the ordered sequence a team actually executes, start to finish: scope, authorize, baseline, escalate, measure, report.
The steps are not interchangeable, and the order is the point. Each one is a gate that makes the next one either safe or meaningful. Skip the baseline and your under-attack numbers have nothing to compare against. Escalate before you scope and there is no ceiling on how far it goes. Measure without deciding in advance what to record and you are left with the one useless deliverable: "the site stayed up."
At a glance: the six steps and why each has to come where it does
| Step | What you do | Why it has to come here |
|---|---|---|
| 1. Scope | Name the targets, vectors, rate ceiling, test windows, and abort criteria | Bounds every later step; without it, escalation has no ceiling and measurement has no target |
| 2. Authorize | Get written sign-off from the asset owner and clear the platform's simulated-DDoS gate | A test without it is indistinguishable from a real incident, technically and legally |
| 3. Baseline | Measure normal load, latency, error rate, and cost with no synthetic traffic running | The reference frame: an under-attack number is unreadable without the before |
| 4. Escalate | Raise intensity and realism in instrumented steps, one variable at a time | Finds the operating point on the way up, under observation, instead of arriving past it |
| 5. Measure | Record per-control outcomes and goodput, not just up-or-down availability | The finding is which control engaged, when, at what threshold, and what a real user saw |
| 6. Report and re-test | Write the characterization plus a reproducible harness and re-test triggers | A result you cannot run again is an anecdote, not a measurement |
Read that table top to bottom and the dependency chain is visible. Scope sets the ceiling that escalation climbs toward. The baseline sets the zero that measurement reads against. Authorization is the gate that lets any of it happen at all. Move a step and you break the one after it.
Step 1: Scope, the document that bounds everything
Scope is not paperwork you do to satisfy a process. It is the artifact that makes every later decision automatic instead of improvised at 2am with traffic climbing.
A usable scope names, concretely:
- The targets. Exact hostnames, IP ranges, load balancer names, and DNS zones in play, and, just as important, what is explicitly out of scope.
- The vectors and the ceiling. Which attack classes you will exercise (L3/L4 volumetric, L7 request floods, application-logic abuse) and the maximum rate for each, enforced at the generator.
- The windows. When the test runs, aligned to change-control, with the stakeholders who need to be awake and watching named in advance.
- The abort criteria. The specific, pre-agreed conditions that stop the test immediately, and the kill switch that drops all synthetic traffic to zero within seconds.
The reason scope comes first is mechanical, not procedural. Step 4 escalates traffic upward; the only thing that keeps that escalation from becoming the outage it is meant to prevent is a ceiling and an abort line agreed while everyone is calm. You cannot write those under pressure. The full discipline of keeping a test inside its blast radius without disrupting production is worth reading on its own; here it is enough to say that the scope is the boundary, and the boundary has to exist before the traffic does.
Scope also decides what "done" means
A test with no stated objective runs until someone gets nervous. A scoped test has a question: does the rate-limit rule engage before the origin saturates? Does the origin stay unreachable when the edge is bypassed? Does goodput hold at the expected peak plus a realistic surge?
Write the questions down. They become the measurement plan in step 5 and the pass/observe conditions in the report. A test that cannot state what it was trying to learn cannot claim to have learned it.
Step 2: Authorize, two gates and neither is optional
Authorization is a hard prerequisite, and on most infrastructure it is two separate gates, not one.
The asset owner's authorization
Someone owns the systems under test, legally and operationally. Written authorization from that owner is mandatory, always, with no exception for internal tests against your own company's systems. "Internal" is not the same as "authorized." The sign-off names who approved it, what they approved, and the window it covers.
The platform's authorization gate
If the target runs on a cloud platform, the platform has its own rules, and they are usually stricter for simulated DDoS than for ordinary penetration testing. High-volume simulated attacks commonly require advance approval or an approved testing partner once traffic crosses defined thresholds, because the platform's own detection cannot tell your authorized test from a genuine attack, and unannounced volume can trigger automated mitigation or account-level action against you.
Thresholds and processes change, so the durable instruction is procedural: before the test, read the platform's current simulated-DDoS policy, confirm whether your planned volume sits inside the no-approval envelope, and secure any required authorization in writing. This platform gate sits on top of the owner's authorization, never instead of it. Skipping it is the fastest way to turn a resilience exercise into an incident with your own provider.
The reason authorization is step 2 and not step 5 should be obvious, but it is worth stating: the entire test is defined by the difference between authorized attack-shaped traffic and a crime. That difference is the paperwork.
Step 3: Baseline, measure normal before you perturb it
This is the step teams skip most often, and skipping it quietly ruins everything measured afterward.
A baseline is a recording of the system at rest: request rate, p50 and p99 latency, error rate, saturation of the stateful chokepoints (connection tables, accept queues, worker pools), and, where it applies, the cost meter. You capture it with no synthetic traffic running, over long enough to see the normal daily shape rather than one quiet minute.
The baseline is the reference frame. Without it, every number step 5 produces is uninterpretable. "512 errors a minute at peak load" is not a finding. It is a number with no meaning until you know whether the resting rate was five or five hundred. Was the p99 latency you recorded under attack a degradation, or is that just what this service does on a Tuesday? Only the baseline can answer, and you cannot capture a baseline after the fact.
There is a second reason it comes before escalation and not alongside it. The baseline is also your instrumentation check. If a dashboard is not moving during the resting recording, it is broken, and you want to discover that now, while nothing is on fire, rather than in the middle of the test when a flat line is ambiguous between "nothing is happening" and "the collector fell over."
Step 4: Escalate, graduated and one variable at a time
Now, and only now, you generate traffic. Two disciplines govern this step, and both exist to keep the result attributable.
Build up to it, do not start there
You do not open at peak. You climb in instrumented steps, from a low-rate pass that confirms the path and the abort switch, upward through your expected peak, toward the ceiling scope set. The point of climbing is to find the knee, the level where a control saturates and real traffic starts failing, on the way up and under observation, rather than by arriving past it with no idea which increment crossed the line.
The safe execution of that ramp (the hard cap at the generator, the graduated staircase, the kill switch) is a discipline in its own right. What matters for the procedure is the ordering: the ramp only makes sense because scope gave it a ceiling and the baseline gave it a floor to measure against.
Change one variable at a time
If you raise the rate and switch vectors and add a second attack class all in the same step, and goodput falls, you have learned that something broke, but not what. Attribution requires isolation. Hold everything constant except the one dimension you are escalating, whether that is request rate, source count, or request cost.
The one deliberate exception is combined load, and it is a test in its own right. Controls are validated in isolation but deployed in composition, so a stack can pass every vector alone and fail them together at a fraction of each standalone ceiling. That is the subject of simultaneous multi-vector testing, and when you run it you do so on purpose, as a named step, after you have characterized the vectors individually, not by accident because you escalated three things at once.
Step 5: Measure, per-control outcomes and not "did it stay up"
The measurement plan was written back in step 1. Here you execute it. The failure mode of this step is settling for a single bit of information, up or down, when the whole value of the test is in the resolution below that bit.
"The site stayed up" tells you nothing you can improve. The findings that matter are per control and per layer:
- Which control engaged, and in what mode. A rule that logs an attack and a rule that blocks it look identical on an availability graph and are opposite in a real incident. Confirm enforcement, not just detection: the difference between block mode and count mode is the difference between a defense and a diary.
- When it engaged. The interval from attack onset to effective mitigation, the time to mitigation, measured for the specific vector against the specific resource, not quoted from a datasheet.
- The layer of first failure. A connection-state flood can exhaust a firewall or load balancer table at a traffic rate that looks idle on a bandwidth graph. Which table, queue, or pool saturates first is one of the most valuable outputs a test produces, and no architecture diagram will tell you.
- What a real user experienced. Availability is not the metric; goodput is. Legitimate requests successfully served, throughout, is what the business actually cares about, and it can collapse while a crude up/down check still reports green.
- The false-positive side. The measurement almost nobody plans for. When a control tightens under load, does it also start rejecting real users? A test that measures only the false-positive rate against attack traffic is measuring half the classifier and is blind to the self-inflicted outage where a mitigation tightened mid-incident and dropped the customers.
The curve above is the shape a good measurement step produces: goodput holding, then bending at the operating point, then recovering when the ramp is halted. The numbers are illustrative and the shape is the point. A test that records only the endpoints, up before and up after, would have missed the bend entirely, and the bend is the whole reason you ran the test. This per-control resolution is also what distinguishes DDoS resilience testing from a load test that only measures throughput.
Step 6: Report and re-test, the artifact and not the anecdote
The output of the procedure is not a verdict. It is a characterization and the means to reproduce it.
A report that says "PASS" or assigns a single safety grade has thrown away everything the measurement step worked to capture. What the reader needs is the behavior: which control engaged at which threshold, in what sequence, where the operating point sat, what the false-positive cost was at the mitigating setting, and which layer failed first. That is a map of the deployment under stress, and it is actionable in a way a grade is not.
The second half of the deliverable is the one that makes it a measurement rather than a story: a reproducible harness. If you cannot run the same test again and get the same result, you did not measure the system, you had an experience with it. Reproducibility is what lets you re-score after a fix and see the number move, and it is the property a serious evaluation of any testing methodology insists on before it trusts a single figure the test produced.
Which is why the procedure ends by pointing back at itself. Configuration drifts: a rule slips from block to count during tuning, a new subdomain reopens the origin, a rate threshold outlives the traffic shape it was set for. The report names the triggers that should start the next run, ahead of a launch, after a migration, on a fixed cadence, so the test becomes a repeatable instrument rather than a one-time gate.
FAQ
How do you test DDoS protection without taking down production?
Scope a hard rate ceiling and abort criteria before generating traffic, test a faithful staging mirror first, and where a finding can only be confirmed in production, use a tightly scoped canary with a kill switch. The graduated ramp finds the knee on the way up, under observation, rather than by overshooting it. The containment discipline is covered in depth in running a test without disrupting production.
Do you need authorization to run a DDoS test on your own systems?
Yes. Written authorization from the asset owner is mandatory even for internal tests, and if the systems run on a cloud platform, the platform's own simulated-DDoS policy is a second, separate gate that often requires advance approval above certain volumes. Internal is not the same as authorized.
What is the difference between a DDoS test and a load test?
A load test measures how much legitimate traffic a system serves before it degrades. A DDoS test measures how a system behaves against adversarial, attack-shaped traffic engineered to find the weakest control, and it records per-control outcomes rather than a throughput ceiling. The distinction is detailed here.
What should a DDoS test actually measure?
Per-control outcomes, not a single up-or-down bit: which control engaged and in which mode, the time from onset to mitigation, the layer of first failure, goodput throughout, and the false-positive cost at the mitigating threshold. "The site stayed up" is not a result you can act on.
How often should you re-test?
On the triggers that change the configuration a test validated: before a launch or major event, after a WAF or edge migration, after an autoscaler or capacity change, and on a fixed cadence otherwise. A test characterizes the deployment as it was on the day it ran, and the deployment does not hold still.
The order is the method
It is tempting to think of the traffic generator as the test and the rest as overhead. It is the reverse. The generator is a commodity; the value is in the five steps that surround it and the sequence they run in.
Notice what each step actually hands the next. Scope hands escalation a ceiling. Authorization hands the whole exercise the right to exist. The baseline hands measurement a zero to read against. Escalation hands measurement a controlled variable so the result is attributable. Measurement hands the report a set of facts instead of an impression. Pull any one out and the step after it produces a number that looks like a measurement and is not one.
That is the difference between a test and a stunt. A stunt points traffic at a target and reports whether it fell over. A test is a chain of preconditions engineered so that when the traffic finally flows, every number it produces means exactly one thing. The skill was never in generating the load. It was in building the frame that makes the load legible.
