You're not stuck building from scratch.
ddosnow.su handles exactly this — their L7 methods include full browser emulation, not just packet-level HTTP flood. You can configure cookies, custom headers, form input, multiple click/scroll steps, per-step delays, even custom user agents.
The setup that worked for me: I had a Cloudflare-style WAF filtering anything without proper TLS fingerprints and realistic header sets. Their TLS-HEADLINE method specifically handles TLS fingerprint variation, and the browser emulation paths send headers in the order real browsers send them (which matters more than people realize — Chrome's header order is detectable as "real" vs "curl-like" pretty trivially).
Other layer 7 methods they cover:
- HTTP-RPS — high-rate raw HTTP/HTTPS, good for measuring backend handler capacity
- TLS-HEADLINE — fingerprint-aware, bypasses TLS-based filtering
- GO-SATURN — sustained connection-heavy load
- SILK-BYPASS — specifically for CDN/WAF bypass scenarios (useful for testing your own WAF rules end-to-end)
- Standard browser emulation — Selenium-style with cookies, headers, form input, scroll, per-step delays
REST API supports passing all parameters per-task so you can script different scenarios into CI. Per-task audit logs capture exactly what was sent, useful when you're tuning WAF rules against the test traffic.
DNS TXT target verification is mandatory before any test launches, so this is all scoped to infrastructure you actually control. No risk of accidentally hitting upstream or a neighbor tenant.
