Detection, Mitigation & Response

Detect and mitigate DDoS attacks in under 1 second, respond automatically, and keep your users informed.

All features →
Docs
Documentation Quick Start API Reference Agent Setup Integrations 18
Learn
Free Tools 37 Free Certifications State of DDoS 2026 REPORT DDoS Protection Landscape Buyer's Guide PDF Hackathon Sponsorships DDoS Protection Facts
Company
About Us Become a Consultant 30% Partners White Label Managed Protection Contact Us System Status
Open Source
ftagent-lite MIT NetHawk MIT
Legal
Security Trust Center Terms & Privacy
Who Uses Flowtriq

From indie hosts to ISPs, see how teams like yours use Flowtriq to detect and stop DDoS attacks.

All use cases →

L7 / Application Layer Detection

Detect HTTP floods, credential stuffing, and application-layer abuse

What L7 Detection Covers

L7 detection operates independently from the L3/L4 PPS/BPS engine. It monitors HTTP access logs (not raw packets) and detects application-layer attacks that do not produce high PPS. A Slowloris attack at 50 requests/second can bring down a server while staying far below any PPS threshold.

L7 detection supports nginx, Apache, Caddy, LiteSpeed, HAProxy, Tomcat, Gunicorn, and any server that writes combined/CLF or JSON-format access logs.

How L7 Detection Works

  1. Log tailing: The L7 monitor tails the web server's access log file (e.g. /var/log/nginx/access.log)
  2. Request parsing: Each log line is parsed into IP, method, path, status code, response size, user-agent, response time, and HTTP version
  3. Window stats: Every tick (1 second), the monitor computes RPS, error rate, unique IPs, top paths, top IPs, bot percentage, threat pattern hits, and HTTP protocol distribution
  4. Signal evaluation: Multiple signals are checked against thresholds. At least 2 signals must fire simultaneously with 3+ unique source IPs to trigger an attack
  5. Baseline learning: RPS baseline is computed using an exponential moving average during clean traffic periods

Detection Signals

Each signal that fires adds to the signal count. An attack requires at least 2 simultaneous signals:

SignalThresholdPoints
RPS spikeCurrent RPS exceeds baseline * sensitivity multiplier+2
IP concentrationSingle IP contributes >30% of requests (and >20 total)+1
Path focusSingle path receives >60% of requests (and >30 total)+1
Error rate anomalyError rate > configured threshold (default 50%)+1
5xx spikeServer errors > 30% of requests (and >15 total)+1
Bot UA percentageKnown bot user-agents > 70% of requests+1
Threat patternsSQLi/XSS/path traversal hits > 20% of requests+1

L7 Attack Subtypes

When an L7 attack is detected, it is classified into a specific subtype:

SubtypeDetection criteria
h2_rapid_resetHTTP/2 traffic >30%, RPS >200, >20% status 499 (client closed), per-IP RPS >50. Matches CVE-2023-44487.
h2_settings_floodHTTP/2 traffic >30%, per-IP RPS >200, <20 unique IPs, RPS >500. Connection-level abuse via multiplexed streams.
h2_continuation_floodHTTP/2 traffic >30%, per-IP RPS >100, <30 unique IPs, >40% 4xx errors. Matches CVE-2024-27983.
quic_floodHTTP/3 (QUIC) traffic >30%, RPS >300, >5 unique IPs.
single_source_abuse1-2 unique IPs generating all traffic.
credential_stuffing>50% of requests to auth endpoints (/login, /signin, /oauth) with >40% error rate.
scraping>70% of requests to a single path with <20% error rate.
api_abuseTop path targets /api/ or /graphql endpoints.
slow_rateRPS <50 from >20 IPs with >60% error rate (Slowloris-like pattern).
volumetric_floodRPS >500 from >10 IPs. High-volume distributed HTTP flood.
l7_floodDefault when no specific subtype matches.

Threat Pattern Detection

The L7 engine scans request paths against known attack patterns:

PatternWhat it catches
sqliSQL injection attempts (UNION SELECT, OR 1=1, DROP TABLE)
xssCross-site scripting (<script>, javascript:, onerror=)
path_traversalDirectory traversal (../../, %2e%2e/)
rfi_lfiRemote/local file inclusion (file://, /etc/passwd, /proc/self/)
wordpressWordPress-specific probes (/wp-admin, /xmlrpc.php, /wp-login.php)
scanner_probeCommon scanner paths (/.env, /.git/, /actuator, /server-status)
shell_shockShellshock exploit attempts (() {)
log4jLog4j/Log4Shell (${jndi:, ${lower:)
api_abuseAPI endpoint probing (/graphql, /oauth/token, /api/v*/admin)
cve_exploitKnown CVE exploit paths (/cgi-bin/, /c99.php, /eval-stdin.php)

Bot User-Agent Detection

The engine maintains a regex pattern that matches known bot and attack tool user-agents: python-requests, Go-http-client, curl/, wget/, nikto, sqlmap, nmap, masscan, zgrab, nuclei, ffuf, gobuster, and others. The bot request percentage is tracked and used as a detection signal.

Configuring L7 Detection

L7 detection is configured server-side via the dashboard and pushed to the agent during config sync. You do not need to edit config.json manually.

Configuration Options

SettingDefaultDescription
enabledfalseEnable L7 monitoring
actionauto_detectauto_detect to let the agent find the web server and log path automatically
log_path(auto)Explicit path to the access log file
sensitivitymediumlow (8x multiplier, 250 min RPS), medium (5x, 150), or high (3x, 75)
rps_threshold(auto)Override the auto-calculated RPS threshold with a fixed value
error_rate_threshold50Error rate percentage above which the error rate signal fires

Auto-Detection

When action is set to auto_detect, the agent checks for running web servers (nginx, Apache, Caddy, LiteSpeed, HAProxy) using both binary version commands and process table inspection. It then probes known log paths for each server type and reports the detected configuration to the dashboard.

L7 Incidents in the Dashboard

L7 incidents appear alongside L3/L4 incidents in the incident timeline. They include:

  • Peak RPS and baseline RPS at time of detection
  • Attack subtype classification
  • Top source IPs, top targeted paths, top user-agents
  • Status code distribution
  • HTTP protocol version breakdown (HTTP/1.1, HTTP/2, HTTP/3)
  • Threat pattern hit counts
  • Detection reasons (which signals fired)

When an L7 attack occurs simultaneously with an L3/L4 attack, the L7 incident is flagged as correlated to indicate that the application-layer component may be part of a multi-layer attack.

ESC