A challenge-response mechanism is a Layer 7 defensive control, one of the protections a thorough DDoS test is built to exercise. When a request looks suspicious, the edge interposes a test the client must pass before traffic reaches the origin: a JavaScript computation, a managed CAPTCHA, or a proof-of-work puzzle. Automated clients that cannot execute the challenge are filtered, while real browsers solve it transparently or with one interaction.
Why it matters in DDoS testing
Challenge-response shifts cost back onto the attacker, but it has sharp edges. A test measures whether headless or scripted clients clear the challenge anyway, the latency and conversion penalty the challenge imposes on legitimate users, and whether the trigger threshold fires early enough to matter during a fast L7 flood. A challenge that only engages after the origin is already saturated provides little protection.
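The timing question in the last two sentences can be checked against a load profile before or after a test run. The following is an added example, not code from the original page: it assumes the edge trigger is a single global sliding-window request count and models the origin as a fixed per-second capacity with a bounded queue. All function names and figures are constructed for illustration.

```python
from collections import deque

def ramp_flood(baseline_rps, peak_rps, ramp_s, total_s):
    """Constructed load profile: requests per second, linear ramp then plateau."""
    return [baseline_rps + (peak_rps - baseline_rps) * min(t, ramp_s) // ramp_s
            for t in range(total_s)]

def challenge_engage_time(rates, threshold, window_s):
    """First second at which the sliding-window request count exceeds the threshold."""
    window, total = deque(), 0
    for t, r in enumerate(rates):
        window.append(r)
        total += r
        if len(window) > window_s:
            total -= window.popleft()
        if total > threshold:
            return t
    return None  # trigger never fired

def origin_saturation_time(rates, capacity_rps, queue_limit):
    """First second at which the origin backlog overflows its queue."""
    backlog = 0
    for t, r in enumerate(rates):
        backlog = max(0, backlog + r - capacity_rps)
        if backlog > queue_limit:
            return t
    return None  # origin kept up

def trigger_margin(rates, threshold, window_s, capacity_rps, queue_limit):
    """Return (engage_s, saturate_s, margin_s); a negative margin means too late."""
    engage = challenge_engage_time(rates, threshold, window_s)
    saturate = origin_saturation_time(rates, capacity_rps, queue_limit)
    margin = None if engage is None or saturate is None else saturate - engage
    return engage, saturate, margin

if __name__ == "__main__":
    # All figures are constructed for illustration, not measurements.
    rates = ramp_flood(baseline_rps=100, peak_rps=2000, ramp_s=10, total_s=30)
    for name, threshold, window_s in [("60 s window", 30000, 60), ("5 s window", 1500, 5)]:
        print(name, trigger_margin(rates, threshold, window_s, capacity_rps=800, queue_limit=500))
```

With these constructed numbers the 60-second window engages 14 seconds after the origin queue overflows, while the 5-second window engages 3 seconds before it. Neither threshold fires on the 100 rps baseline.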
For the application-layer attacks this control targets, see understanding DDoS attack vectors.