Rate Limiting

Rate limiting caps the number of requests a given source (an IP address, session, API key, or token) may make within a time window. It is a primary Layer 7 defensive control, enforced at the CDN edge, the WAF, the API gateway, or in application middleware, and it is the control most often misconfigured relative to real attack conditions.

Why it matters in DDoS testing

Rate limits calibrated against well-formed load-test traffic from a small source set routinely fail to fire against a distributed attack. A DDoS test validates two things: threshold accuracy (the rate at which each limit actually engages versus its configured value) and source-distribution behavior (whether a limit keyed per-IP is defeated by spreading the same aggregate rate across thousands of sources). Distinguishing genuine blocking from a rule left in count-only mode is part of the same measurement, because a limit that logs without blocking is operationally absent under attack.

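Added example, not code from the page or its author: a small Python simulation of a sliding-window limiter that makes the two measurements above concrete. The thresholds, the 1 s window and the 10.0.x.y source addresses are constructed; the same 500 req/s aggregate load is replayed from 5 sources and from 2500 sources against a per-IP limit, an aggregate limit, and a per-IP rule left in count-only mode.

```python
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """At most `limit` requests per `window_ms` for each key derived from the source. count_only=True
    models a rule left in count mode: the same decision is evaluated (tallied in `would_block`) but every request passes."""
    def __init__(self, limit, window_ms, key_fn, count_only=False):
        self.limit, self.window_ms, self.key_fn = limit, window_ms, key_fn
        self.count_only = count_only
        self.hits = defaultdict(deque)  # key -> request timestamps (ms) still inside the window
        self.would_block = 0

    def allow(self, ts_ms, src):
        q = self.hits[self.key_fn(src)]
        while q and q[0] <= ts_ms - self.window_ms:  # drop hits that have left the window
            q.popleft()
        if len(q) >= self.limit:
            self.would_block += 1
            return self.count_only  # over limit: blocked, unless the rule only counts
        q.append(ts_ms)
        return True

def simulate(limiter, requests):
    """requests: iterable of (timestamp_ms, source_ip). Returns (allowed, blocked)."""
    verdicts = [limiter.allow(ts, src) for ts, src in requests]
    return verdicts.count(True), verdicts.count(False)

def traffic(total, sources, interval_ms):
    """Constructed sample load: `total` requests, one every `interval_ms`, round-robined
    over `sources` distinct constructed 10.0.x.y addresses."""
    return [(i * interval_ms, f"10.0.{(i % sources) // 256}.{(i % sources) % 256}") for i in range(total)]

def per_ip(limit=50, count_only=False):  # keyed on the source address: the usual default
    return SlidingWindowLimiter(limit, 1000, key_fn=lambda src: src, count_only=count_only)

def aggregate(limit=300):  # keyed on a constant: sees the total rate however many sources carry it
    return SlidingWindowLimiter(limit, 1000, key_fn=lambda src: "all-sources")

# Same 500 req/s aggregate rate, carried by 5 sources (100 req/s each) or by 2500 (0.2 req/s each).
concentrated, distributed = traffic(5000, 5, 2), traffic(5000, 2500, 2)

def run_scenarios():
    """(allowed, blocked) per scenario, plus the count-only shadow tally."""
    shadow = per_ip(count_only=True)
    return {
        "per_ip_5_sources": simulate(per_ip(), concentrated),          # (2500, 2500): engages at 50/s
        "per_ip_2500_sources": simulate(per_ip(), distributed),        # (5000, 0): never engages
        "aggregate_2500_sources": simulate(aggregate(), distributed),  # (3000, 2000): engages at 300/s
        "count_only_per_ip": (simulate(shadow, concentrated), shadow.would_block),  # ((5000, 0), 2500)
    }
```

The per-IP rule engages at exactly its configured 50 req/s per source but never fires once the same load is spread over 2500 sources, the aggregate key still engages, and the count-only rule tallies 2500 would-be blocks while blocking nothing.
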
For where rate limiting sits among the controls under test, see The Complete Guide to DDoS Testing.