Block vs count mode is a configuration property of nearly every WAF and rate-limiting rule, and one of the defensive controls a thorough DDoS test is built to verify. In count (or monitor) mode a matched rule only logs the event; in block (or enforce) mode it drops the request. The distinction is invisible in a dashboard that shows matches, because both modes register a match, but only block mode actually stops traffic.
Why it matters in DDoS testing
A rule left in count mode is operationally absent under attack, yet it looks active in every metric that counts rule hits. This is one of the most common configuration regressions a test surfaces: rules deployed in monitor mode during tuning and never promoted to enforce. A test distinguishes genuine blocking from logging by measuring whether matched traffic actually reaches the origin, not merely whether the rule recorded a hit.
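The measurement described above, as an added example that is not part of the original page: it joins WAF match events to origin access-log entries by a per-request test ID and reports which rules let matched traffic through. The log formats, field names, rule names and request IDs are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample: one JSON line per WAF rule match during the test window.
WAF_MATCHES = """\
{"request_id": "t-001", "rule": "rate-limit-login"}
{"request_id": "t-002", "rule": "rate-limit-login"}
{"request_id": "t-003", "rule": "block-bad-ua"}
{"request_id": "t-004", "rule": "block-bad-ua"}
{"request_id": "t-005", "rule": "geo-limit"}
{"request_id": "t-006", "rule": "geo-limit"}
"""

# Constructed sample: origin access log, with the test's request ID as the last field.
ORIGIN_LOG = """\
203.0.113.10 "POST /login" 200 t-001
203.0.113.10 "POST /login" 200 t-002
203.0.113.11 "GET /" 200 t-005
198.51.100.7 "GET /health" 200 u-900
"""

def origin_request_ids(origin_log):
    """Return the set of request IDs that reached the origin."""
    return {line.split()[-1] for line in origin_log.splitlines() if line.strip()}

def effective_mode(waf_matches, origin_log):
    """Classify each rule by whether its matched requests reached the origin."""
    seen = origin_request_ids(origin_log)
    matched = defaultdict(list)
    for line in waf_matches.splitlines():
        if line.strip():
            event = json.loads(line)
            matched[event["rule"]].append(event["request_id"])
    report = {}
    for rule, ids in matched.items():
        leaked = sum(1 for rid in ids if rid in seen)
        if leaked == 0:
            verdict = "enforcing"      # every matched request was stopped
        elif leaked == len(ids):
            verdict = "count-only"     # matches were logged but nothing was dropped
        else:
            verdict = "partial"        # mixed result: investigate before trusting the rule
        report[rule] = {"matched": len(ids), "reached_origin": leaked, "verdict": verdict}
    return report

if __name__ == "__main__":
    for rule, row in effective_mode(WAF_MATCHES, ORIGIN_LOG).items():
        print(f"{rule:18} matched={row['matched']} reached_origin={row['reached_origin']} -> {row['verdict']}")
```

All three rules show the same number of matches per rule in the WAF log; only the join against the origin log separates the enforcing rule from the one still in count mode.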
For testing controls safely without breaking real users, see DDoS testing without disrupting production.