An open standard for measuring DDoS resilience
The Open Protection Index (OPI) is a vendor-neutral, open standard for measuring how well a website or application can withstand DDoS attacks. It provides a comprehensive score (0-100) based on six key components:
| Component | Weight | What It Measures |
|---|---|---|
| Defense Coverage | 20% | CDN, WAF, origin protection |
| L7 Attack Resilience | 25% | HTTP flood, Slowloris, cache bypass |
| L3/L4 Resilience | 15% | SYN/UDP floods, network attacks |
| Protocol Resilience | 15% | HTTP/2, HTTP/3/QUIC vulnerabilities |
| Operational Resilience | 15% | Availability, latency during attacks |
| Evasion Resistance | 10% | JA3 rotation, behavioral detection |

| Score | Grade | Meaning |
|---|---|---|
| 90-100 | A | Excellent - Enterprise-grade protection |
| 80-89 | B | Good - Solid defenses with minor gaps |
| 70-79 | C | Adequate - Basic protection, some risks |
| 60-69 | D | Poor - Major vulnerabilities |
| 0-59 | F | Critical - Minimal to no protection |
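
How the weights and grade bands above combine, as an added example that is not part of the OPI specification or the reference scanner. It assumes the overall score is the weighted sum of six per-component scores (each 0-100), rounded half-up to an integer; the function name, dictionary keys and sample values are constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

# Weights (percent) and grade bands copied from the tables on this page.
WEIGHTS = {
    "defense_coverage": 20,
    "l7_attack_resilience": 25,
    "l3_l4_resilience": 15,
    "protocol_resilience": 15,
    "operational_resilience": 15,
    "evasion_resistance": 10,
}
GRADES = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]


def opi_score(components):
    """Return (score, grade, ranked_gaps) for per-component scores in 0-100.

    Assumption: the overall score is the weighted sum of the components,
    rounded half-up to an integer so it always lands in one grade band.
    """
    if set(components) != set(WEIGHTS):
        raise ValueError(f"expected exactly these components: {sorted(WEIGHTS)}")
    total, gaps = Decimal(0), {}
    for name, weight in WEIGHTS.items():
        value = Decimal(str(components[name]))  # Decimal keeps results reproducible
        if not 0 <= value <= 100:
            raise ValueError(f"{name} must be within 0-100, got {value}")
        total += value * weight / 100
        # Points of overall score lost to this component.
        gaps[name] = float((100 - value) * weight / 100)
    score = int(total.quantize(Decimal("1"), rounding=ROUND_HALF_UP))
    grade = next(letter for floor, letter in GRADES if score >= floor)
    # Largest loss first: where hardening recovers the most score.
    ranked = sorted(gaps.items(), key=lambda kv: kv[1], reverse=True)
    return score, grade, ranked


# Constructed sample: CDN/WAF in place, weak protocol and evasion handling.
SAMPLE = {
    "defense_coverage": 95,
    "l7_attack_resilience": 80,
    "l3_l4_resilience": 90,
    "protocol_resilience": 55,
    "operational_resilience": 85,
    "evasion_resistance": 40,
}

if __name__ == "__main__":
    print(opi_score(SAMPLE))
```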
Existing DDoS resilience metrics are:
- Proprietary - Tied to specific vendors
- Incomplete - Missing modern attack vectors (HTTP/2 Rapid Reset, QUIC)
- Outdated - Still testing obsolete attacks (Ping of Death)
- Non-comparable - Different methodologies prevent comparison
OPI is:
- Open - Free to use, implement, and modify
- Comprehensive - Covers L3-L7, all modern protocols
- Vendor-neutral - Works with any protection solution
- Reproducible - Same inputs = same scores
The full specification is in SPEC.md.
```bash
# Example using the reference implementation
pip install opi-scanner

# Run basic assessment
opi-scan --target example.com

# Run full assessment with attack testing (requires authorization!)
opi-scan --target example.com --mode full --intensity lab
```

See IMPLEMENTING.md for guidance on creating OPI-conformant tools.
- SPEC.md - Full specification document
- CHANGELOG.md - Version history
- FAQ.md - Frequently asked questions
| Implementation | Language | Maintainer | Status |
|---|---|---|---|
| DDactic OPI Scanner | Python | DDactic | Reference |
| Your implementation here | - | - | - |
Want to add your implementation? Open a PR!
We welcome contributions! See CONTRIBUTING.md for guidelines.
Ways to contribute:
- Report issues - Found a problem? Open an issue
- Suggest improvements - Ideas for the spec? Start a discussion
- Add implementations - Built an OPI tool? Let us know
- Review PRs - Help review proposed changes
OPI is maintained by:
- DDactic (Founding organization)
- Technical Steering Committee (TSC) - Coming soon
Major specification changes require:
- Public RFC period (60 days)
- TSC review and approval
- Community feedback incorporation
This specification is licensed under Apache License 2.0.
You are free to:
- Use the specification commercially
- Implement OPI in proprietary software
- Modify and distribute the specification
- Use the "OPI" name for conformant implementations
- GitHub Issues: For bugs and feature requests
- Discussions: For questions and ideas
- Email: opi@ddactic.net
Open Protection Index - Measure what matters.
Founded by DDactic | An open standard for the security community