BGP Flowspec (RFC 8955) is a network-layer defensive control, one of the protections a thorough DDoS test is built to exercise. It distributes granular packet-filter rules across routers using BGP itself, so an operator can push a match-and-action policy (drop, rate-limit, or redirect by source, destination, protocol, port, or packet length) to the whole edge in seconds. It is a finer instrument than RTBH, which null-routes an entire destination IP.
Why it matters in DDoS testing
Flowspec is only useful if rules propagate and take effect fast enough to beat the attack. A test measures propagation time from rule injection to edge enforcement, confirms the match criteria actually catch the attack signature without collateral damage, and checks that upstream providers honor the advertised rules. A correct policy that arrives after the link saturates is a post-mortem, not a defense.
For where edge filtering sits in overall posture, see DDoS resilience testing.