A HTTP flood is a Layer 7 (application) attack vector, one of the attack classes a thorough DDoS test is built to exercise. Instead of saturating bandwidth, it sends a high volume of well-formed GET or POST requests that look legitimate, forcing the server to spend CPU, database queries, and worker threads on each one. Because every request completes a valid TCP and TLS handshake, the traffic passes naive volumetric filters and exhausts the application tier rather than the pipe.
Why it matters in DDoS testing
HTTP floods target the most expensive requests: search endpoints, login, cart, and anything that hits a backend database. A test characterizes the request rate at which the application tier degrades, whether rate limiting and bot management distinguish the flood from a traffic spike, and how the autoscaler responds before cost or capacity caps out. The detection surface here is request semantics, not packet volume, which is why L7 vectors are tested separately from the network layer in application-layer DDoS testing.