Application-Layer Protection
Catch the attacks that look like real traffic.
Layer 7 attacks use legitimate HTTP requests to overwhelm your application. They complete TCP handshakes, send valid headers, and target real endpoints. Flowtriq detects them by analyzing your web server access logs in real-time, spotting the behavioral patterns that separate floods from users.
How It Works
Access log analysis, not packet inspection
L7 attacks look normal at the packet level. A SYN flood is obvious in a packet capture, but 10,000 legitimate-looking GET requests per second from a botnet are indistinguishable from real users by looking at TCP headers alone.
Flowtriq tails your web server's access log (nginx, Apache, Caddy, LiteSpeed, HAProxy) and computes per-second behavioral stats. When the aggregate pattern deviates from baseline, an incident fires through the same pipeline as L3/L4 attacks.
| Setting | Value |
| --- | --- |
| Input | Web server access log |
| Servers | nginx, Apache, Caddy, LiteSpeed, HAProxy, Tomcat, Node.js, Go, Gunicorn |
| Log formats | Combined, Common, JSON (structured) |
| Analysis window | 10-second sliding window |
| Metric interval | Every 2 seconds |
| Setup | Auto-detected, one click to enable |
Detection Signals
Eight behavioral signals, scored together
A single signal is not enough. Flowtriq requires multiple corroborating signals before declaring an L7 attack. This prevents false positives from traffic spikes, marketing campaigns, or legitimate bots.
Request Rate Spike
Compares current requests-per-second against an exponentially weighted baseline. Configurable sensitivity per node with automatic baseline learning.
IP Concentration
When a single source IP or small group generates more than 30% of all requests, it indicates a targeted flood rather than distributed legitimate traffic.
Endpoint Concentration
Legitimate traffic spreads across pages. Floods target specific endpoints. When one path receives more than 60% of requests, that path is under attack.
Error Rate Anomaly
Configurable thresholds for overall error rate and separate 5xx spike detection. Backend stress shows as server errors before the flood is visible to users.
Bot User-Agent Detection
Identifies known bot frameworks (python-requests, curl, Go-http-client, nikto, sqlmap, nuclei, zgrab) by User-Agent analysis. High bot percentage is a strong flood indicator.
Threat Pattern Matching
Scans request paths for SQL injection, XSS, path traversal, Log4Shell, ShellShock, WordPress exploits, and exposed API probes. Separates reconnaissance from floods.
5xx Server Stress
Detects when your backend is failing under load. A spike in 5xx responses during elevated traffic is an early warning of application-layer resource exhaustion.
JA3 + JA4 TLS Fingerprinting
Analyzes TLS client fingerprints from PCAP captures during L7 attacks. Identifies botnets sharing identical TLS implementations across thousands of source IPs.
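As an added illustration, not Flowtriq's own code, the following scorer runs over constructed combined-format access log lines and applies the thresholds this section states (30% IP concentration, 60% endpoint concentration) together with the rule that at least two signals must corroborate before an attack is declared. The baseline RPS, error-rate and bot-share thresholds, and the `sample`/`score_window` helpers, are assumptions for the demo.

```python
import re
from collections import Counter

# Combined log format: IP - - [time] "METHOD path proto" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Bot frameworks named on the page; matched case-insensitively against the User-Agent
BOT_UAS = ("python-requests", "curl", "go-http-client", "nikto", "sqlmap", "nuclei", "zgrab")

def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None

def score_window(lines, window_s=10, baseline_rps=5.0,
                 ip_share=0.30, path_share=0.60, err_rate=0.20, bot_share=0.50):
    """Score one sliding window of log lines and return the signals that fired.
    The 30% IP and 60% endpoint shares follow the page; baseline_rps, err_rate
    and bot_share are assumed placeholder values."""
    reqs = [r for r in map(parse, lines) if r]
    n = len(reqs)
    if n == 0:
        return {"signals": [], "attack": False}
    ips, paths = Counter(r["ip"] for r in reqs), Counter(r["path"] for r in reqs)
    signals = []
    if n / window_s > 3 * baseline_rps:                       # request rate spike
        signals.append("request_rate_spike")
    if ips.most_common(1)[0][1] / n > ip_share:               # one IP dominates
        signals.append("ip_concentration")
    if paths.most_common(1)[0][1] / n > path_share:           # one path dominates
        signals.append("endpoint_concentration")
    if sum(r["status"].startswith("5") for r in reqs) / n > err_rate:
        signals.append("5xx_server_stress")
    if sum(any(b in r["ua"].lower() for b in BOT_UAS) for r in reqs) / n > bot_share:
        signals.append("bot_user_agent")
    # Corroboration rule: a single signal never declares an attack
    return {"signals": signals, "attack": len(signals) >= 2}

def sample(n, ip_fn, path_fn, status, ua):
    """Build constructed combined-format lines for the demo (not real traffic)."""
    return [f'{ip_fn(i)} - - [01/Jan/2024:00:00:{i % 10:02d} +0000] "GET {path_fn(i)} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"' for i in range(n)]

# Constructed windows: a single-source bot flood, ordinary browsing, and a legitimate
# traffic spike spread across many IPs and pages (the marketing-campaign case).
FLOOD = sample(200, lambda i: "203.0.113.7", lambda i: "/login", 503, "python-requests/2.31")
BROWSING = sample(20, lambda i: f"198.51.100.{i}", lambda i: f"/page{i}", 200, "Mozilla/5.0")
CAMPAIGN = sample(300, lambda i: f"192.0.2.{i % 250}", lambda i: f"/promo/{i % 50}", 200, "Mozilla/5.0")
```

Scoring `FLOOD + BROWSING` fires all five signals, while `CAMPAIGN` fires only the rate spike and is therefore not declared an attack.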
Setup
One checkbox. Auto-detected.
When you enable L7 detection on a node, the agent automatically scans for running web servers and locates the access log file. No manual configuration needed for standard setups.
For custom log paths or non-standard installations, you can override the auto-detected path from the dashboard. The agent handles log rotation, JSON and combined log formats, and picks up configuration changes within 5 minutes.
L7 detection runs alongside your existing L3/L4 monitoring. Both systems feed into the same incident pipeline, so your alerts, escalation policies, and integrations work for application-layer attacks exactly like they do for volumetric ones.
Attack Intelligence
Full L7 attack forensics
Every L7 incident is enriched with deep application-layer intelligence, giving you the full picture of what happened and how to respond.
Attack Subtype Classification
Automatically classifies L7 attacks into subtypes: volumetric HTTP flood, credential stuffing, web scraping, API abuse, slow-rate attacks, and single-source abuse.
User-Agent Analysis
Top User-Agents ranked by request count with bot detection. See exactly which tools and frameworks are attacking you, from python-requests to custom botnets.
L7 Source Geography
GeoIP breakdown of HTTP attack sources. Identify which countries the flood is coming from and make informed decisions about geo-blocking.
Cross-Layer Correlation
Automatically correlates L7 attack source IPs against L3/L4 incidents from the last 24 hours. Identifies multi-vector campaigns targeting your infrastructure.
Status Code Breakdown
Full HTTP status code distribution during attacks. See the ratio of 2xx, 3xx, 4xx, and 5xx responses to understand how your application handled the flood.
Configurable Thresholds
Per-node sensitivity settings (low, medium, high), custom RPS thresholds, and error rate thresholds. Tune detection for each server's traffic profile.
L7 Mitigation Rules
Auto-generate nginx and Apache rules to block User-Agents, rate-limit endpoints, deny paths, and geo-block countries during active attacks.
30-Day Metrics Archive
Full L7 metrics retention for 30 days. Analyze historical RPS trends, error rates, response times, and traffic patterns across your infrastructure.
L7 vs L3/L4
Why you need both
L3/L4 Only
- Detects volumetric floods (SYN, UDP, ICMP)
- Misses low-and-slow attacks (Slowloris, R.U.D.Y.)
- Cannot distinguish bot HTTP requests from real users
- Blind to credential stuffing and API abuse
- Application goes down while PPS looks normal
L3/L4 + L7 (Flowtriq)
- Full-stack detection: volumetric AND application-layer
- Catches HTTP floods that complete TCP handshakes
- Identifies targeted endpoint attacks by path analysis
- Detects credential stuffing, API abuse, and scraping
- User-Agent fingerprinting and bot detection
- JA3/JA4 TLS fingerprinting from PCAP captures
- Cross-layer correlation between L3/L4 and L7 attacks
- L7 mitigation rules for nginx and Apache
FAQ
Common questions
Does L7 detection require changes to my web server config?
No. The agent reads your existing access log file. It does not modify your web server configuration, inject middleware, or proxy traffic. It is read-only and runs alongside your server with no performance impact.
Which log formats are supported?
Combined log format (the default for nginx and Apache), common log format, and JSON structured logs (used by nginx json_combined and Caddy). Most standard installations work with zero configuration.
How does it handle log rotation?
The agent monitors the file inode. When the log is rotated (by logrotate or your web server), the agent detects the change and reopens the new file automatically.
Will it fire alerts for legitimate traffic spikes?
The detection engine requires at least two corroborating signals before declaring an attack. A traffic spike alone (from a marketing campaign or product launch) will not trigger an alert unless it also shows IP concentration, endpoint targeting, or elevated error rates. The baseline adapts over time as your traffic grows.
Can I use this behind a CDN or load balancer?
Yes. As long as the CDN/load balancer passes the real client IP in the access log (via X-Forwarded-For, CF-Connecting-IP, etc.), the agent will extract and analyze the correct source IPs. This is the default behavior for Cloudflare, AWS ALB, and most reverse proxy setups.