Why layer 7 DDoS attacks are different
Volumetric DDoS attacks flood a target with more packets or bytes than the network can carry. They are detectable by measuring traffic rates against baselines. Layer 7 (application layer) attacks work differently: they send traffic that looks legitimate at the network level but exhausts server resources through application logic.
An HTTP flood sending 50,000 requests per second against a web server may generate only 200-500 Mbps of traffic, well below the thresholds that trigger volumetric DDoS detection. But if each request causes the server to query a database, render a template, and transmit a response, 50,000 req/s will saturate CPU and memory without saturating the network link.
For hosting providers, this creates a specific challenge: a customer's server is under attack and offline, but your network monitoring shows nothing unusual.
Common layer 7 attack patterns against hosting infrastructure
HTTP GET floods
The simplest form: high-volume requests for static or dynamic resources. Often targeted at the heaviest pages (homepage, product listings, search results) to maximize server processing load per request. Detection signal: request rate per second to a specific path or domain far exceeds baseline.
Slowloris and slow POST attacks
These attacks do not require high request rates. Slowloris opens many HTTP connections and sends request headers extremely slowly (a few bytes every few seconds), so each connection stays open without ever completing a request; slow POST does the same with the request body after announcing a large Content-Length. Servers that dedicate a thread or process to each connection (Apache's prefork and worker MPMs, for example) run out of workers once enough connections are held open and stop accepting new requests. Event-driven servers such as Nginx are far less exposed but still have finite connection and file-descriptor limits. Detection signal: a high number of ESTABLISHED connections that have each received only a partial request, and a very low request completion rate relative to the number of open connections.
SSL/TLS handshake exhaustion
TLS handshakes are CPU-intensive on the server side. An attacker repeatedly initiates TLS connections and drops them immediately after the server completes the expensive handshake work. Detection signal: high TLS handshake rate with low session reuse, elevated CPU on TLS termination layer.
Cache-busting attacks
Attackers append random query strings to URLs (/?x=randomstring) to bypass CDN caches and force every request to hit the origin server. What would otherwise be cached traffic becomes direct origin hits at scale. Detection signal: high volume of requests with unique query strings, low CDN hit rate, elevated origin server load.
API abuse
High-cost API endpoints are targeted specifically because they trigger expensive operations (database queries, external API calls, image processing). Detection signal: disproportionate load relative to request volume on specific API paths.
Why volumetric detection tools miss layer 7 attacks
NetFlow-based tools like FastNetMon and Wanguard see packet headers or flow records (source, destination, protocol, ports, byte and packet counts), not HTTP requests. A properly-formed HTTP request is indistinguishable from legitimate traffic at that layer. The tools cannot inspect the HTTP method, URL, headers, or response codes without application-layer visibility.
Even node-level packet analysis tools configured purely for volumetric detection will miss layer 7 attacks unless they are configured to track application-layer metrics alongside traffic rates.
Detection approaches for layer 7 attacks
Web server access log analysis
The most reliable data source for HTTP floods is the web server access log. Parse logs in real time for:
- Request rate per source IP (normal: under 10/s; attack: 100-10,000/s). Treat these numbers as a starting point: a corporate NAT or carrier-grade NAT can legitimately place hundreds of users behind one address, so tune the threshold against your own baseline before blocking on it.
- Request rate to a specific URL path
- Error rate (4xx responses often spike during attacks as attackers hit non-existent paths)
- User-agent distribution (attack traffic often uses a single user-agent or rotates through small sets)
- Referer distribution (legitimate traffic has diverse referers; flood traffic often has none or a single value)
Tools: GoAccess for real-time log analysis, Fail2Ban for automated blocking, Nginx's built-in limit_req module for request rate limiting.
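The five signals above can be computed in a few dozen lines over the raw access log. The script below is an added example, not code from the page or from Flowtriq: it parses Nginx/Apache combined-format lines, strips query strings so cache-busting variants collapse onto one path, and reports per-IP and per-path peak requests per second, the 4xx error rate, the dominant user-agent, and the share of requests with no referer. The log lines it runs on are constructed (documentation IP ranges), and the thresholds are assumed defaults to be tuned against your own baseline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Nginx/Apache "combined" log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse (e.g. a bare "-" request)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Drop the query string so cache-busting variants (/search?q=1, /search?q=2, ...) count as one path.
    rec["path"] = rec["target"].split("?", 1)[0]
    return rec


def analyze(lines, ip_rps=100, path_rps=200, error_rate=0.5, ua_share=0.8):
    """Compute the detection signals over a batch of log lines; thresholds are assumed defaults."""
    per_ip_sec = defaultdict(Counter)    # ip   -> second -> request count
    per_path_sec = defaultdict(Counter)  # path -> second -> request count
    statuses, uas, referers = Counter(), Counter(), Counter()
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        sec = rec["ts"]  # access-log timestamps already have one-second resolution
        per_ip_sec[rec["ip"]][sec] += 1
        per_path_sec[rec["path"]][sec] += 1
        statuses[rec["status"]] += 1
        uas[rec["ua"]] += 1
        referers[rec["referer"] or "-"] += 1
    if total == 0:
        return {"total": 0, "hot_ips": {}, "hot_paths": {}, "error_rate": 0.0,
                "error_spike": False, "dominant_ua": None, "no_referer_share": 0.0}
    errors = sum(n for code, n in statuses.items() if 400 <= code < 500)
    top_ua, top_ua_n = uas.most_common(1)[0]
    return {
        "total": total,
        # peak requests in any single second, per source IP / per path, only where over threshold
        "hot_ips": {ip: max(c.values()) for ip, c in per_ip_sec.items() if max(c.values()) >= ip_rps},
        "hot_paths": {p: max(c.values()) for p, c in per_path_sec.items() if max(c.values()) >= path_rps},
        "error_rate": round(errors / total, 3),
        "error_spike": errors / total >= error_rate,
        "dominant_ua": (top_ua, round(top_ua_n / total, 3)) if top_ua_n / total >= ua_share else None,
        "no_referer_share": round(referers["-"] / total, 3),
    }


def sample_log():
    """Constructed sample: three ordinary requests plus a 250 req/s single-source flood of a 404 path."""
    lines = [
        '198.51.100.4 - - [10/Oct/2024:13:55:36 +0000] "GET / HTTP/1.1" 200 5123 "https://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"',
        '198.51.100.9 - - [10/Oct/2024:13:55:36 +0000] "GET /products HTTP/1.1" 200 8412 "https://www.example.com/" "Mozilla/5.0 (Macintosh) Safari/17.4"',
        '198.51.100.4 - - [10/Oct/2024:13:55:37 +0000] "POST /cart HTTP/1.1" 302 0 "https://www.example.com/products" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"',
    ]
    for i in range(250):  # cache-busting style: a unique query string on every request
        lines.append(f'203.0.113.7 - - [10/Oct/2024:13:55:37 +0000] "GET /search?q={i} HTTP/1.1" 404 153 "-" "python-requests/2.31.0"')
    return lines


if __name__ == "__main__":
    for key, value in analyze(sample_log()).items():
        print(f"{key}: {value}")
```

For real-time use, feed the function a sliding window of lines (for example the last few seconds from `tail -F`) rather than a whole file; the per-second peak is what matters, and a one-minute average hides a short burst. Behind a CDN or load balancer the `ip` field is the proxy's address unless the web server is configured to log the forwarded client address.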
Connection state monitoring
For Slowloris and connection flood detection, monitor TCP connection states:
    ss -s                                  # connection state summary
    ss -o state syn-recv                   # open SYN-RECV connections (SYN flood indicator)
    netstat -an | grep ESTABLISHED | wc -l # total established connections
Configure alerts when ESTABLISHED connections per IP exceed a threshold (e.g., more than 100 concurrent connections from a single IP to port 80/443).
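A per-IP threshold on ESTABLISHED connections is easy to check from the socket table. The script below is an added example, not code from the page or from Flowtriq: it parses `ss -tan` output, counts established connections per peer address on the web ports, flags any address over a threshold, and counts SYN-RECV sockets as a SYN-flood indicator. The snapshot it runs on is constructed; the `snapshot_ss` helper that reads the live table assumes a Linux host with iproute2 and is not exercised by the sample. Note that Slowloris connections look like any other ESTABLISHED socket, so the per-IP count, not the state, is the signal, and behind a reverse proxy the peer address is the proxy's, not the client's.

```python
import subprocess
from collections import Counter


def snapshot_ss():
    """Read the live TCP socket table (assumes Linux with iproute2's ss)."""
    return subprocess.run(["ss", "-tan"], capture_output=True, text=True, check=True).stdout


def _split_endpoint(endpoint):
    """'203.0.113.7:51234' -> ('203.0.113.7', 51234); '[2001:db8::1]:443' -> ('2001:db8::1', 443); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_ss(output):
    """Yield (state, local_ip, local_port, peer_ip, peer_port) for each socket line of `ss -tan`."""
    for line in output.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        lip, lport = _split_endpoint(local)
        pip, pport = _split_endpoint(peer)
        yield state, lip, lport, pip, pport


def connection_report(output, ports=(80, 443), per_ip_threshold=100, syn_recv_threshold=1000):
    """Per-peer ESTABLISHED counts on the web ports plus a SYN-RECV total; thresholds are assumed defaults."""
    established = Counter()
    syn_recv = 0
    for state, _lip, lport, pip, _pport in parse_ss(output):
        if lport not in ports:  # ignore ssh, listeners on other ports, etc.
            continue
        if state == "ESTAB":  # ss abbreviates ESTABLISHED
            established[pip] += 1
        elif state == "SYN-RECV":
            syn_recv += 1
    return {
        "established_total": sum(established.values()),
        "offenders": {ip: n for ip, n in established.items() if n >= per_ip_threshold},
        "syn_recv": syn_recv,
        "syn_flood": syn_recv >= syn_recv_threshold,
    }


def sample_ss_output():
    """Constructed `ss -tan` snapshot: one source holding 150 connections open, plus a little ordinary traffic."""
    lines = [
        "State    Recv-Q Send-Q Local Address:Port  Peer Address:Port",
        "LISTEN   0      511    0.0.0.0:443         0.0.0.0:*",
        "ESTAB    0      0      10.0.0.5:443        198.51.100.4:50211",
        "ESTAB    0      0      10.0.0.5:443        198.51.100.9:41002",
        "ESTAB    0      0      10.0.0.5:22         198.51.100.20:33017",  # ssh session, not a web port
        "SYN-RECV 0      0      10.0.0.5:80         192.0.2.9:6001",
    ]
    for i in range(150):
        lines.append(f"ESTAB    0      0      10.0.0.5:443        203.0.113.7:{40000 + i}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(connection_report(sample_ss_output()))
```

Run `connection_report(snapshot_ss())` from cron or a monitoring agent and alert on a non-empty `offenders` map; the per-IP threshold should sit well above what a legitimate browser opens (a handful of connections per page) but below the worker count of the server it protects.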
Application-level rate limiting at the reverse proxy
Nginx and HAProxy both support request rate limiting by source IP, URI, and other attributes. These operate before the application server processes the request, so they protect against attacks that would otherwise exhaust application resources:
    # in the http {} context
    limit_req_zone $binary_remote_addr zone=api:10m rate=100r/s;

    # in a server {} or location {} context
    limit_req zone=api burst=200 nodelay;
This limits each source IP to 100 requests per second and lets bursts of up to 200 excess requests through without queueing (nodelay); requests beyond the burst are rejected, with status 503 by default (limit_req_status changes the code). Adjust the rate and burst to your application's expected traffic patterns. If the origin sits behind a CDN or load balancer, $binary_remote_addr is the proxy's address and every client shares one bucket; configure the realip module (set_real_ip_from and real_ip_header) so the limit keys on the actual client IP.
Fingerprint-based detection
Layer 7 attacks often share detectable fingerprints: identical user-agents, specific TLS cipher suite combinations, common header patterns, or payload signatures. Tools like ModSecurity (WAF) and Cloudflare's bot management use fingerprinting to identify attack traffic that passes rate limit thresholds by distributing load across many source IPs.
Automated response for layer 7 attacks
Unlike volumetric attacks, where BGP null-routing the target prefix is a viable response, layer 7 attacks require application-aware blocking. The response options, from least to most discriminating:
- Nginx/HAProxy rate limits: Lowest cost, fires immediately, but a threshold is a blunt instrument: legitimate users behind a shared NAT address are throttled along with the attacker, and a botnet that keeps each source below the per-IP limit passes through.
- iptables blocks per source IP: Blocks specific attacking IPs at the kernel level. Effective against single-source attacks. Ineffective against distributed attacks with large numbers of source IPs.
- CAPTCHA challenges: Challenge suspicious IPs with a CAPTCHA before allowing access. Effective against simple bots, ineffective against browser-based botnets that can solve CAPTCHAs.
- Upstream WAF or CDN scrubbing: Route traffic through a WAF (Cloudflare, AWS WAF, Fastly) that applies fingerprinting and behavioral analysis at scale. Most appropriate for persistent, sophisticated layer 7 attacks.
Combining volumetric and layer 7 detection for hosting
The complete detection stack for a hosting provider handles both attack categories without overlap confusion:
- Node-level volumetric detection (Flowtriq) fires on traffic rate anomalies at the IP/port level within 1 second.
- Web server log analysis (Fail2Ban, custom scripts) detects HTTP-layer patterns and auto-blocks attacking IPs.
- Application-level rate limiting (Nginx limit_req) absorbs request spikes before they exhaust backend resources.
- Upstream WAF handles sophisticated distributed attacks that evade per-IP blocking.
Each layer catches what the others miss. None of them alone covers the full attack surface.
Detect DDoS attacks in under 1 second
Deploy Flowtriq on your infrastructure and get real-time detection, auto-mitigation, and instant alerts. $9.99/node/month.