Test through simulations
It’s a good practice to test your assumptions about how your services will respond to an attack by conducting periodic simulations. During testing, validate that your services or applications continue to function as expected and there’s no disruption to the user experience. Identify gaps from both a technology and process standpoint and incorporate them in the DDoS response strategy. We recommend that you perform such tests in staging environments or during non-peak hours to minimize the impact to the production environment.
We have partnered with BreakingPoint Cloud, a self-service traffic generator, to build an interface where Azure customers can generate traffic against DDoS Protection-enabled public endpoints for simulations. You can use the simulation to:
- Validate how Azure DDoS Protection helps protect your Azure resources from DDoS attacks.
- Optimize your incident response process while under DDoS attack.
- Document DDoS compliance.
- Train your network security teams.
Note
BreakingPoint Cloud is only available for the Public cloud.
Prerequisites
- Before you can complete the steps in this tutorial, you must first create an Azure DDoS Standard protection plan with protected public IP addresses.
- You must first create an account with BreakingPoint Cloud.
Configure a DDoS test attack
Enter or select the following values, then select Start test:
| Setting | Value |
|---|---|
| Target IP address | Enter one of your public IP addresses that you want to test. |
| Port Number | Enter 443. |
| DDoS Profile | Possible values include DNS Flood, NTPv2 Flood, SSDP Flood, TCP SYN Flood, UDP 64B Flood, UDP 128B Flood, UDP 256B Flood, UDP 512B Flood, UDP 1024B Flood, UDP 1514B Flood, UDP Fragmentation, UDP Memcached. |
| Test Size | Possible values include 100K pps, 50 Mbps and 4 source IPs; 200K pps, 100 Mbps and 8 source IPs; 400K pps, 200 Mbps and 16 source IPs; 800K pps, 400 Mbps and 32 source IPs. |
| Test Duration | Possible values include 10 Minutes, 15 Minutes, 20 Minutes, 25 Minutes, 30 Minutes. |

Monitor and validate
- Log in to https://portal.azure.com and go to your subscription.
- Select the Public IP address you tested the attack on.
- Under Monitoring, select Metrics.
- For Metric, select Under DDoS attack or not.
Once the resource is under attack, you should see that the value changes from 0 to 1.
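The same check can be made on exported metric data instead of the portal chart. The following is an added example, not part of the original article or the BreakingPoint Cloud script: it reads a metrics response for `IfUnderDDoSAttack` (the Azure Monitor name of the "Under DDoS attack or not" metric) and reports how long after the test start the value changed to 1. The response shape, the sample data, and the 5-minute `max_delay` threshold are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape Azure Monitor returns for the public IP metric
# IfUnderDDoSAttack (Maximum aggregation, 1-minute grain). Values are made up.
SAMPLE = json.dumps({"value": [{"name": {"value": "IfUnderDDoSAttack"},
    "timeseries": [{"data": [
        {"timeStamp": "2024-01-10T02:00:00Z", "maximum": 0.0},
        {"timeStamp": "2024-01-10T02:01:00Z", "maximum": 0.0},
        {"timeStamp": "2024-01-10T02:02:00Z"},  # gap: no value reported
        {"timeStamp": "2024-01-10T02:03:00Z", "maximum": 1.0},
        {"timeStamp": "2024-01-10T02:04:00Z", "maximum": 1.0},
        {"timeStamp": "2024-01-10T02:05:00Z", "maximum": 0.0}]}]}]})

def _ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def attack_windows(metrics_json):
    """Return [(first, last)] timestamps of each run where the metric was 1."""
    points = []
    for metric in json.loads(metrics_json)["value"]:
        if metric["name"]["value"] != "IfUnderDDoSAttack":
            continue
        for series in metric.get("timeseries", []):
            points += [(_ts(p["timeStamp"]), p.get("maximum")) for p in series["data"]]
    windows, start, last = [], None, None
    for when, value in sorted(points, key=lambda p: p[0]):
        if value is None:  # a missing sample neither opens nor closes a window
            continue
        if value >= 1:
            start, last = start or when, when
        elif start is not None:
            windows.append((start, last))
            start = None
    if start is not None:
        windows.append((start, last))
    return windows

def validate_test(metrics_json, test_start, max_delay=timedelta(minutes=5)):
    """Was the simulation begun at test_start flagged within max_delay (assumed SLO)?"""
    for start, end in attack_windows(metrics_json):
        if end >= test_start:
            delay = max(start - test_start, timedelta(0))
            return {"detected": delay <= max_delay, "delay": delay, "window": (start, end)}
    return {"detected": False, "delay": None, "window": None}

if __name__ == "__main__":
    began = datetime(2024, 1, 10, 2, 1, tzinfo=timezone.utc)  # constructed start time
    print(validate_test(SAMPLE, began))
```

A result with `detected` set to `False` after a completed test points to a gap in protection coverage or metric collection for that public IP, which is the kind of finding the simulation is meant to surface.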

BreakingPoint Cloud API Script
This API script can be used to automate DDoS testing, either by running it once or by using cron to schedule regular tests. This is useful to validate that your logging is configured properly and that detection and response procedures are effective. The scripts require a Linux OS (tested with Ubuntu 18.04 LTS) and Python 3. Install the prerequisites and the API client using the included script or by following the documentation on the BreakingPoint Cloud website.
Next steps
- Learn how to view and configure DDoS protection telemetry.
- Learn how to view and configure DDoS diagnostic logging.
- Learn how to engage DDoS rapid response.