An SSL flood, also called a TLS handshake flood, is a Layer 7 attack vector, one of the classes a thorough DDoS test is built to exercise. The attacker opens many TLS connections and forces the server through the full handshake, where the asymmetric key operation is far costlier for the server than for the client. By abandoning each session after the handshake and opening another, the attacker exhausts CPU on cryptographic work at very low bandwidth, so the link looks idle while the server stalls.
Why it matters in DDoS testing
SSL floods sit below the bandwidth thresholds most volumetric defenses watch, so they slip past bits-per-second alarms and surface as rising handshake latency and CPU saturation. Testing measures the handshake rate at which the TLS terminator (origin, load balancer, or CDN edge) degrades, and whether session resumption and offload hold. Characterizing that knee point is the work of DDoS resilience testing.