
How Layer 7 DDoS Attacks Work

Most people picture a DDoS attack as a tidal wave of raw bandwidth. That's a Layer 3/4 (volumetric) attack. Layer 7 attacks are sneakier: they attack the application itself, using requests that look completely legitimate.

Layers 3/4 vs Layer 7

Volumetric attacks try to saturate your network pipe: UDP floods, amplification, SYN floods. They're loud and measured in gigabits or terabits per second. Layer 7 attacks, by contrast, are measured in requests per second, and the traffic is valid HTTP.

  • HTTP flood: thousands of GET/POST requests to expensive endpoints (search, login, checkout).
  • Cache-busting: appending random query strings so every request misses your CDN cache and hits origin.
  • Slowloris: opening many connections and trickling bytes to exhaust the server's connection pool.

Why they're hard to stop

Each individual request looks like a real user. There's no malformed packet to drop, no obvious signature. The damage comes from volume aimed at your most CPU- or database-heavy paths. A few thousand requests per second to a search endpoint can take down an app that shrugs off a 100 Gbps flood.

How to defend

  • Behavioral scoring: fingerprint clients on TLS, header order, and timing to separate humans from bots.
  • Rate limiting: cap requests per IP, token, and route at the edge before they reach origin.
  • Graduated challenges: serve JS challenges or proof-of-work to suspicious clients only.
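As an added illustration of the rate-limiting bullet (example code written for this post, not Karbon's implementation), here is a token bucket keyed on client IP and route, where the CPU- and database-heavy paths named above cost more tokens than cheap ones. The route costs, bucket size, refill rate, IPs and request timings are all constructed for the example.

```python
from collections import defaultdict

# Token cost per route: the CPU/DB-heavy paths the post names drain a client's
# budget faster than cheap ones. Constructed values for this example.
ROUTE_COST = {"/search": 5, "/login": 5, "/checkout": 5}
DEFAULT_COST = 1


class EdgeRateLimiter:
    """Token bucket keyed on (client_ip, route), applied at the edge before origin."""

    def __init__(self, capacity=20, refill_per_sec=7.0):
        self.capacity = capacity          # burst allowance per client per route
        self.refill = refill_per_sec      # sustained allowance in tokens/second
        self.buckets = {}                 # (ip, route) -> (tokens, last_seen)

    def allow(self, ip, route, now):
        """Return True if the request fits the client's budget for this route."""
        cost = ROUTE_COST.get(route, DEFAULT_COST)
        tokens, last = self.buckets.get((ip, route), (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        ok = tokens >= cost
        self.buckets[(ip, route)] = (tokens - cost if ok else tokens, now)
        return ok


def shed_flood(requests, limiter):
    """Run (timestamp, ip, route) tuples through the limiter; count pass/shed per ip."""
    passed, shed = defaultdict(int), defaultdict(int)
    for ts, ip, route in sorted(requests):
        (passed if limiter.allow(ip, route, ts) else shed)[ip] += 1
    return dict(passed), dict(shed)


# Constructed sample: one source sends 200 requests to /search inside one second
# (an HTTP flood), while a normal visitor loads three pages in the same window.
FLOOD_IP, USER_IP = "203.0.113.9", "198.51.100.4"
SAMPLE = [(i / 200, FLOOD_IP, "/search") for i in range(200)] + [
    (0.1, USER_IP, "/"), (0.4, USER_IP, "/search"), (0.9, USER_IP, "/")]

if __name__ == "__main__":
    p, s = shed_flood(SAMPLE, EdgeRateLimiter())
    print("passed:", p)  # flood source gets 5 through, the visitor all 3
    print("shed:", s)    # the other 195 flood requests never reach origin
```

Because the bucket is per client and per route, the flood's requests to /search are shed after the initial burst while the visitor's cheap page loads and single search pass untouched; a production edge would also cap per IP and per token across all routes so a flood spread over many paths cannot sidestep the per-route budget.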

Karbon runs all three inline as a reverse proxy, so Layer 7 floods are scored and shed at the edge. See our DDoS protection page for the full picture.