Sec/ops doesn't normally involve looking at live network capture snapshots all day. ("Eyes on glass" monitoring exists, but that's not for common services) You're not distracting people from spotting exfil.
Either the company has the capacity to spot traffic anomalies like that or it doesn't. If they do, you're caught. If they don't, you're only giving them a reason to look in the logs because of DDoS. If your only issue was masking the higher network throughput, you can slow down. By starting DDoS you don't know what protections will be activated - it can be "running services in this state is useless, let's kill all of them until traffic stops". Or "there's lots of traffic to/from this AS, let's just kill that route". (it was your AS)
> Sec/ops doesn't normally involve looking at live network capture snapshots all day. ("Eyes on glass" monitoring exists, but that's not for common services) You're not distracting people from spotting exfil
No, but if the people on call are being drowned in alerts because everything is down due to the DDoS, an alert saying there's anomalous traffic ( if it's even capable to detect that during a DDoS, when all traffic would be anomalous depending on infrastructure) could be easily missed.
From my experience handling on-call during DDoS, there's not much drowning in alerts. You mute alerts about things being down. Then look at ways to drop the biggest / isolated types of traffic. Then analyse what is affected and start logging the impact. I don't believe anything would be missed: security monitors would alert different people / channels than service ops, post-incident review would look at alerts raised, any weird traffic would be looked at during "isolate and kill traffic" stage.
Volume is not the only way to notify about anomalies. Poisoned data entries / canaries, outbound traffic which should never exist, unexpected DNS queries, and many others will trigger regardless of DDoS.
Either the company has the capacity to spot traffic anomalies like that or it doesn't. If they do, you're caught. If they don't, you're only giving them a reason to look in the logs because of DDoS. If your only issue was masking the higher network throughput, you can slow down. By starting DDoS you don't know what protections will be activated - it can be "running services in this state is useless, let's kill all of them until traffic stops". Or "there's lots of traffic to/from this AS, let's just kill that route". (it was your AS)