My DDoS Protection Looked Solid Until I Actually Tested It" published

A few months ago I got tired of operating on blind confidence. My server had Cloudflare in front of it, rate limiting configured, fail2ban running — all the standard stuff. I'd set it up following guides, felt like I knew what I was doing, and proceeded to never actually verify any of it worked. Then a colleague asked me a simple question: when did you last test this under real load? Not synthetic one-machine benchmarks — actual load, from multiple sources, the kind of traffic that looks like a real flood? I had no good answer. So I went and found out. The testing part took an afternoon. The aftermath took two weeks and left me with more questions than answers. The Setup I Was "Confident" About Let me describe what I was running, because I think it's a pretty typical production setup: VPS on DigitalOcean, nginx as the web server Cloudflare proxy in front, orange cloud enabled Rate limiting rules in nginx fail2ban watching logs and banning repeat offenders Standard WAF ruleset Redis cac