Attack surface is a concept, the exposure inventory a thorough DDoS test is built to map before it drives any load. It is the full set of reachable endpoints, public IPs, open ports, protocols, DNS names, API routes, and dependent services that an attacker can address. For DDoS specifically, the attack surface includes every tier that can be saturated or exhausted: the network link, the load balancer, the TLS terminator, expensive application endpoints, and the authoritative DNS that resolves the whole thing.
Why it matters in DDoS testing
You cannot defend, or test, what you have not enumerated. An origin that answers on a raw IP, a forgotten staging host, or an uncached search endpoint each widen the surface in ways a defender often does not see until it is flooded. A test begins by mapping this surface, then scopes the exercise to the targets that matter so coverage is deliberate rather than accidental.
How to scope that surface safely is covered in running a DDoS test without disrupting production.