All DDoS Definitions
DDoS Definition

Direct-to-Origin (D2O) DDoS Attack

A Direct-to-Origin (D2O) attack is the technique that weaponizes origin IP exposure. Once the origin's true address is known, the attacker aims the flood straight at it — the CDN, WAF, or scrubbing layer never sees a packet, so its mitigation is simply not in the path. The vectors themselves are ordinary: UDP and ICMP floods at the network layer, HTTP floods and slow-rate connections at L7. What defines D2O is the path, not the payload; the same traffic that dies at the edge succeeds when it skips it.

Two attack paths from an attacker node: the through-edge path where the CDN, WAF, and scrubbing layer absorb most of the flood, and the direct-to-origin path that arcs around the edge straight to the origin server, where only the origin firewall and IP allowlist stand — the control a DDoS test validates.

Why it matters in DDoS testing

"The edge held" is meaningless if the origin can be reached around it. A serious test runs the D2O path deliberately, not just the through-edge path, and proves the direct hit is refused at the network layer — before an HTTP handler ever runs. That means confirming ingress allowlists that pin the origin to the CDN's published IP ranges, an origin-side firewall, and the cloud provider's own DDoS gate (AWS, Azure, GCP) actually drop unsolicited traffic. A test measures whether the origin rejects the flood, not merely whether the edge controls fired.

The two-path model — through-edge versus direct-to-origin — is worked through in Cloudflare DDoS testing, and the reconnaissance behind it in how attackers bypass CDN DDoS protection.