How can I simulate DDoS protection

Hi everyone,
I want to simulate a DDoS attack against my website. Before that I should open a support ticket and let Cloudflare know about this action; everything is OK this far.
But how can I create a real DDoS test? What should I do for this section?

Also, how can I tell that DDoS protection is working? Should I activate Under Attack mode? If it works this way, I think it doesn't look pretty for users when they enter the site and wait a few seconds. Any advice for me?

What are you trying to accomplish with this test?

Our client wants proof that DDoS protection is working.

Is the record :orange: in DNS? If so it is protected by Cloudflare. As to whether or not you have configured a reasonable set of security controls for things like rate limiting :person_shrugging:

Show them the IP resolves to Cloudflare and the Cloudflare header in an HTTP response.
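One way to collect the evidence suggested in the reply above, as an added example that is not part of the original thread. The function names are hypothetical, the range list is a snapshot of Cloudflare's published IPv4 ranges (the current list is at https://www.cloudflare.com/ips/), and the sample values are constructed.

```python
import ipaddress

# Assumption: snapshot of Cloudflare's published IPv4 ranges; it may be stale,
# so refresh it from https://www.cloudflare.com/ips/ before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

def in_cloudflare(ip):
    """True if the address falls inside one of the listed Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

def proxy_evidence(resolved_ips, headers):
    """Summarise whether DNS answers and response headers point at Cloudflare."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    outside = [ip for ip in resolved_ips if not in_cloudflare(ip)]
    return {
        # Every A record must be a Cloudflare address; an empty answer proves nothing.
        "all_ips_cloudflare": bool(resolved_ips) and not outside,
        "ips_outside_cloudflare": outside,
        "server_header_cloudflare": h.get("server", "").strip().lower() == "cloudflare",
        "cf_ray_present": bool(h.get("cf-ray")),
    }

def collect(hostname):
    """Live collection for your own site: A records plus HEAD / response headers."""
    import http.client
    import socket
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    ips = sorted({info[4][0] for info in infos})
    conn = http.client.HTTPSConnection(hostname, timeout=10)
    try:
        conn.request("HEAD", "/")
        headers = dict(conn.getresponse().getheaders())
    finally:
        conn.close()
    return ips, headers

if __name__ == "__main__":
    # Constructed sample values, so the check runs offline.
    sample_ips = ["104.16.132.229"]
    sample_headers = {"Server": "cloudflare", "CF-RAY": "0000000000000000-IST"}
    for check, result in proxy_evidence(sample_ips, sample_headers).items():
        print(f"{check}: {result}")
```

For a real report, pass the output of `collect("your-hostname")` to `proxy_evidence`. A passing result shows the record is proxied; it says nothing about whether rate limiting or WAF rules are tuned.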

Some part of their mail:
According to Infosec, the WAF rules do not contain protections from bad IPs (I had blocked Tor IP addresses, but they are saying "we are not interested in this anymore"), so they have requested to re-check if you have other compensatory controls to protect against DDoS/DoS and OWASP (the OWASP core ruleset is active for my site; I also sent pics as proof) attacks.

Also, they wanted rate limiting of 1500 requests per 5 min; I set this rule too. I don't know what exactly they want anymore.

I guess if they have a list of IPs they think you should be blocking you can ask them for it (and how they generate it). Other than documenting the major settings in place there really isn’t much one can do.

Generating a DDoS can be anything from simply spamming empty HTTP requests to simulating traffic at mass scale.

There are legal services that can simulate different attacks for you and then provide a follow-up and other recommendations. If you aren't sure how to perform an attack yourself, I'd outsource it to a company that is familiar with the task.

A few notes:

  • You need to notify CF of the attack being simulated, check the docs for more information.
  • You most likely need to notify the network owners (datacenter, server owners, etc) of the attack as well.
