Most people picture a DDoS attack as a tidal wave of traffic — gigabits per second crashing against your servers. Layer 7 attacks are nothing like that. They look, at first glance, like normal users.
L3/L4 vs L7: The Key Difference
A volumetric (L3/L4) attack tries to exhaust your bandwidth or state tables with raw packet volume. An L7 attack sends valid HTTP requests — complete TLS handshakes, proper headers, legitimate-looking user agents — but targets endpoints that are expensive to serve: search pages, login forms, checkout APIs, database-backed routes.
- HTTP Flood: thousands of bots sending GET/POST requests per second.
- Slowloris: opening connections and sending headers slowly to tie up server threads.
- Cache-busting: appending unique query strings to bypass your CDN cache.
- Credential stuffing floods: hammering login endpoints with credential lists.
- API abuse: targeting GraphQL or REST endpoints with deeply nested queries.
Why They're Hard to Detect
Each individual request in an L7 attack is technically valid. A firewall that only looks at IP headers will pass every one of them. Detection requires behavioral analysis: is this IP sending 200 requests/second? Is this user agent pattern consistent with a real browser? Is this request pattern consistent with a real user journey?
Key signal
Legitimate users have natural variance in their request timing. Bots don't. Even well-tuned attack tools have statistical fingerprints that behavioral models can detect.
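The two signals just described, per-IP request velocity and the lack of natural timing variance, can be checked directly from access logs. The following detector is an added example, not Akarguard's code; the log format ("<epoch_seconds> <client_ip> <method> <path>"), the thresholds and the sample traffic are all constructed for illustration.

```python
# Added example: per-IP velocity + timing-variance profiling over access-log lines.
# Assumed (not from the article) log format: "<epoch_seconds> <client_ip> <method> <path>".
# Thresholds are illustrative starting points, not tuned values.
import statistics
from collections import defaultdict

RATE_THRESHOLD = 50.0  # requests/second per IP that warrants a closer look
CV_THRESHOLD = 0.2     # inter-arrival std/mean below this looks machine-paced
MIN_REQUESTS = 20      # too few samples to judge timing variance

def parse_lines(lines):
    """Group request timestamps by client IP."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, _method, _path = line.split()
        by_ip[ip].append(float(ts))
    return by_ip

def profile_ip(timestamps):
    """Return (rate_rps, cv): request rate over the observed span and the
    coefficient of variation of inter-arrival gaps (0.0 = perfectly regular)."""
    ts = sorted(timestamps)
    span = ts[-1] - ts[0]
    rate = len(ts) / span if span > 0 else float("inf")
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean_gap = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
    return rate, cv

def flag_suspects(lines):
    """Return {ip: (rate, cv)} for IPs that are both fast and unnaturally regular."""
    suspects = {}
    for ip, ts in parse_lines(lines).items():
        if len(ts) < MIN_REQUESTS:
            continue
        rate, cv = profile_ip(ts)
        if rate >= RATE_THRESHOLD and cv <= CV_THRESHOLD:
            suspects[ip] = (round(rate, 1), round(cv, 3))
    return suspects

# Constructed sample: one client at ~100 rps with metronome timing, one browsing irregularly.
BOT = [f"{1000 + i * 0.01:.3f} 203.0.113.9 GET /search?q=x{i}" for i in range(100)]
HUMAN_OFFSETS = [0.0, 1.7, 4.2, 5.0, 9.8, 12.1, 12.9, 20.4, 25.0, 31.3, 33.7,
                 40.2, 47.9, 52.0, 58.6, 61.1, 70.5, 75.2, 80.0, 88.8, 93.4]
HUMAN = [f"{1000 + g:.3f} 198.51.100.7 GET /page{i}" for i, g in enumerate(HUMAN_OFFSETS)]
SAMPLE_LOG = BOT + HUMAN

if __name__ == "__main__":
    print(flag_suspects(SAMPLE_LOG))  # {'203.0.113.9': (101.0, 0.0)}
```

In production the same profile would be computed over a sliding window and combined with the other signals the article lists (TLS fingerprint, user agent, endpoint cost) rather than used on its own.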
Akarguard's L7 Detection Model
- TLS fingerprinting (JA3/JA4) to identify non-browser clients.
- Request velocity and pattern analysis per IP, ASN, and user agent.
- JavaScript challenge for suspicious sessions — transparent to real browsers.
- ML-based anomaly detection trained on billions of requests per month.
- Custom rate-limit rules per endpoint, configurable via dashboard.