DDoS (Distributed Denial of Service) testing validates your system’s ability to withstand and recover from volumetric attacks. This guide covers DDoS testing strategies, mitigation validation, and resilience verification. This type of testing is crucial for API security and overall system protection.

Types of DDoS Attacks

ddos_attack_types:
  volumetric:
    - udp_flood
    - icmp_flood
    - dns_amplification
    target: "Network bandwidth"

  protocol:
    - syn_flood
    - ping_of_death
    - smurf_attack
    target: "Server resources"

  application_layer:
    - http_flood
    - slowloris
    - slow_post
    target: "Application resources"

DDoS Testing Approach

1. Rate Limiting Validation

Rate limiting is essential for DDoS protection. For detailed strategies, see API Rate Limiting Testing.

rate_limit_test:
  endpoint: "/api/login"
  request_rate: 1000_requests_per_second
  duration: 60_seconds

  expectations:
    - status_429_returned: true
    - legitimate_users_unaffected: true
    - rate_limit_threshold: "100 req/min per IP"

Test Script:

import requests
import threading

def test_rate_limiting():
    url = "https://api.example.com/login"
    results = {"success": 0, "rate_limited": 0, "errors": 0}

    def make_request():
        try:
            response = requests.post(url, json={"username": "test"})
            if response.status_code == 200:
                results["success"] += 1
            elif response.status_code == 429:
                results["rate_limited"] += 1
        except Exception:
            results["errors"] += 1

    # Send 1000 requests rapidly
    threads = []
    for _ in range(1000):
        t = threading.Thread(target=make_request)
        threads.append(t)
        t.start()

    for t in threads:
        t.join()

    print(f"Success: {results['success']}")
    print(f"Rate Limited: {results['rate_limited']}")
    print(f"Errors: {results['errors']}")

    assert results['rate_limited'] > 900, "Rate limiting not working"

2. WAF Rule Testing

waf_tests:
  sql_injection_block:
    payload: "admin' OR '1'='1"
    expected: "403 Forbidden"

  xss_block:
    payload: "<script>alert('xss')</script>"
    expected: "403 Forbidden"

  malicious_user_agent:
    user_agent: "Nikto/2.1.6"
    expected: "403 Forbidden"

3. CDN Resilience

# Test CDN cache effectiveness
ab -n 10000 -c 100 https://cdn.example.com/static/app.js

# Verify:
# - Requests served from cache
# - Origin server not overwhelmed
# - Response times consistent

DDoS Simulation Tools

1. LOIC (Low Orbit Ion Cannon)

# Educational purposes only - authorized testing
loic_config:
  target: "https://test.example.com"
  method: "HTTP"
  threads: 100
  duration: "60 seconds"

# Note: Use only on systems you own/have permission to test

2. Hping3

# SYN flood simulation
sudo hping3 -S --flood -V -p 80 test.example.com

# HTTP flood
hping3 -c 10000 -d 120 -S -w 64 -p 80 --flood test.example.com

3. Apache Bench (Controlled)

# Application layer stress test
ab -n 100000 -c 1000 https://test.example.com/

# POST requests flood
ab -n 50000 -c 500 -p data.json -T application/json https://test.example.com/api/endpoint

Mitigation Strategies Testing

1. Auto-Scaling Validation

auto_scaling_test:
  baseline: 2_instances
  trigger: "cpu > 70% for 2 minutes"
  scale_up: 10_instances
  scale_down: "after 10 minutes of low load"

  test_steps:
    - Generate load to trigger scaling
    - Verify new instances launched
    - Validate load distribution
    - Test scale-down after attack

2. Geo-Blocking

def test_geo_blocking():
    headers = {"X-Forwarded-For": "1.2.3.4"}  # Known malicious IP range

    response = requests.get(
        "https://api.example.com/",
        headers=headers
    )

    assert response.status_code == 403, "Geo-blocking failed"

3. Connection Limits

# Test max connections
for i in {1..1000}; do
  curl -s https://api.example.com/ &
done

# Verify server doesn't crash and returns appropriate errors

Monitoring During DDoS

monitoring_checklist:
  network:
    - bandwidth_utilization
    - packet_drop_rate
    - connection_states

  application:
    - response_times
    - error_rates
    - active_connections

  infrastructure:
    - cpu_usage
    - memory_usage
    - disk_io
    - load_balancer_health

  security:
    - firewall_rules_hit
    - rate_limit_triggers
    - blocked_ips_count

Recovery Testing

recovery_test:
  1_attack_simulation:
    duration: 300_seconds
    intensity: high

  2_attack_cessation:
    immediate_stop: true

  3_recovery_validation:
    - service_restored: "< 60 seconds"
    - data_integrity: verified
    - performance_normal: true
    - no_persistent_damage: true

Best Practices

legal_requirements:
  - [ ] Written authorization obtained
  - [ ] Test environment isolated
  - [ ] Impact assessment completed
  - [ ] Incident response plan ready
  - [ ] Stakeholders notified

2. Progressive Testing

test_progression:
  phase_1:
    load: "110% normal capacity"
    duration: "5 minutes"

  phase_2:
    load: "200% normal capacity"
    duration: "10 minutes"

  phase_3:
    load: "500% normal capacity"
    duration: "15 minutes"

3. Mitigation Validation

def validate_mitigation():
    # Test rate limiting
    assert test_rate_limiting_active(), "Rate limiting failed"

    # Test WAF rules
    assert test_waf_blocks_attacks(), "WAF not blocking"

    # Test CDN
    assert test_cdn_absorbs_traffic(), "CDN not effective"

    # Test auto-scaling
    assert test_auto_scaling_works(), "Auto-scaling failed"

Conclusion

DDoS testing ensures your infrastructure can withstand and recover from attacks. Regular testing, proper mitigation strategies, and continuous monitoring protect against service disruptions. Combine this with API security testing and rate limiting strategies for comprehensive protection.

Key Takeaways:

  • Test rate limiting and WAF rules
  • Validate CDN and auto-scaling
  • Simulate realistic attack scenarios
  • Monitor all system layers
  • Always obtain proper authorization
  • Document mitigation effectiveness