A Direct-to-Origin (D2O) attack is the technique that weaponizes origin IP exposure. Once the origin's true address is known, the attacker aims the flood straight at it — the CDN, WAF, or scrubbing layer never sees a packet, so its mitigation is simply not in the path. The vectors themselves are ordinary: UDP and ICMP floods at the network layer, HTTP floods and slow-rate connections at L7. What defines D2O is the path, not the payload; the same traffic that dies at the edge succeeds when it skips it.
Why it matters in DDoS testing
"The edge held" is meaningless if the origin can be reached around it. A serious test runs the D2O path deliberately, not just the through-edge path, and proves the direct hit is refused at the network layer — before an HTTP handler ever runs. That means confirming ingress allowlists that pin the origin to the CDN's published IP ranges, an origin-side firewall, and the cloud provider's own DDoS gate (AWS, Azure, GCP) actually drop unsolicited traffic. A test measures whether the origin rejects the flood, not merely whether the edge controls fired.
The two-path model — through-edge versus direct-to-origin — is worked through in Cloudflare DDoS testing, and the reconnaissance behind it in how attackers bypass CDN DDoS protection.