Blog DDoS Testing

Are DDoS Simulation Tests Legal?

By Ziv Gadot
January 15, 2024

DDoS simulation tests fall into a different legal category than real DDoS attacks carried out by hackers.

In the United States, for example, the Computer Fraud and Abuse Act considers a DDoS attack to be a cybercrime with serious prison time and fines. However, the law also specifies that the action must be “without authorization or exceeding authorized access” to violate the law.  

In the United Kingdom, as well, the Computer Misuse Act specifically states that illegal DDoS attacks are “unauthorised acts with intent to impair.” Therefore, the UK’s National Cyber Security Centre can officially recommend that web-based businesses test their ability to defend against “both network layer and application layer attacks,” despite the digital trespassing this necessarily entails. 

Similarly, the Israeli National Cyber Directorate (INCD) – a government agency – recommends DDoS penetration testing as part of its cybersecurity guidance. The European Union is even expected to enforce mandatory penetration testing as part of the recently approved Cyber Resilience Act.

In short, since DDoS simulation tests are carried out with the knowledge and approval of the targeted organization, they are considered a legal activity. At Red Button, the first step we take, prior to any testing, is drafting a Letter of Approval, in which you affirm that you control and own the relevant digital environment, and that you agree to the planned DDoS scenarios.

In addition, we take maximum precautions to ensure our DDoS test simulation services are secure, authorized and risk-free.

3rd party notifications/approvals:  We confirm that your ISP, cloud providers, mitigators and data center have all agreed to the DDoS testing details.  

AWS and Microsoft Azure authorizations: Red Button is one of few authorized DDoS Test Partners that can carry out testing for customers hosted on these platforms. That means we have standing approval from them to carry out DDoS tests (up to a certain volume of traffic) at any time, without the need for further notifications or permissions.

Usage of legal resources: Unlike hostile attackers who use hacked and infected computers to create their DDoS botnet, as well illegal techniques such as IP spoofing, our botnet only uses legally acquired public cloud resources and dedicated, legitimate IP addresses.

Full customer control: We use clear communication channels and 100% transparency throughout test simulation to ensure that you can suspend or stop a DDoS test at any time, for any reason. 

Detailed simulation records: After the DDoS testing has been completed, you receive all the logged data and a full report on the test outcomes. This provides a complete record of the authorized attack scenarios, as well as valuable information on how they impacted your organization and its DDoS protection vendors.