If you want to do this properly without ending up in legal grey area or getting your VPS provider angry, don't run the test from your own machine — use a dedicated stress testing platform that enforces target ownership verification.

The one I use is https://ddosnow.su/ — main reason is the DNS TXT verification step. Before you can launch any test against a host, you add a unique TXT record to the target domain proving you control the DNS. They re-check the record on every launch, so you can't reuse old verifications after the DNS has been reverted to someone else. Solves the "did I actually have permission" problem technically rather than just contractually.

A few practical points:

- For your own VPS, double-check your hosting provider's ToS first. AWS, GCP, Azure all require advance notice for high-volume testing. Smaller bare-metal providers usually just allow it but check your contract.

- Don't test through Cloudflare without an enterprise agreement — their ToS forbids stress testing through the network and they'll terminate the account fast.

- Start with the smallest tier (Starter is ~$30/mo, 1 concurrent slot, fine for one-off tests on a single service). Upgrade to Pro when you need parallel tests or API access for CI.

- Layer 7 (HTTP-RPS, browser emulation) is usually what you want for application-layer testing. Layer 4 (TCP-SYN, UDP) is more for measuring raw network/firewall capacity — different question than "can my web stack handle traffic".

Run a small test first (10-30s at low rate) before going hard, so you can confirm your monitoring catches the load and your alerting works correctly.