Layer 7 attacks are harder to defend against than basic volumetric floods because the traffic often looks like normal application traffic.
The attacker is not just trying to saturate bandwidth. They are trying to make your expensive paths do work:
- session lookups
- search queries
- login flows
- rendering or cache-miss paths
That means a request can be malicious even if it is a perfectly valid HTTP request.
Why Edge Mitigation Matters
The longer a bad request survives, the more infrastructure it consumes.
That is why application-layer mitigation works best when it is applied as early in the request path as possible:
- CDN or reverse proxy
- WAF
- edge middleware
- then origin
If a malformed or suspicious request can be rejected before it reaches your app servers, that is usually a huge win.
Behavior Beats Naive Identity Rules
Simple per-IP rate limiting often fails when attackers distribute traffic well.
Useful signals usually come from combinations of:
- request shape
- path targeting
- header patterns
- token or cookie expectations
- challenge success or failure
That is why behavioral controls and challenge mechanisms are often more effective than just counting requests per IP.
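The signal combination described above, sketched as an added example (not code from the original article): a scorer that weighs header patterns, path targeting, request shape, cookie expectations and challenge outcomes, then escalates from allow to challenge to block. The `Request` fields, the path list, the weights and the thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed for illustration: paths, weights and thresholds are not from the article.
EXPENSIVE_PATHS = ("/search", "/login")
CHALLENGE_AT, BLOCK_AT = 3, 6

@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    query: str = ""
    has_session_cookie: bool = False
    challenge_failures: int = 0   # failed challenges already recorded for this client
    challenge_passed: bool = False

def score(req):
    """Combine several weak signals; no single one decides the outcome."""
    h = {k.lower(): v for k, v in req.headers.items()}
    s = 0
    # Header patterns: browsers normally send all three on navigation.
    if not h.get("user-agent"):
        s += 2
    s += sum(1 for name in ("accept-language", "accept-encoding") if name not in h)
    # Path targeting + cookie expectation: expensive endpoint, no session yet.
    if req.path.startswith(EXPENSIVE_PATHS) and not req.has_session_cookie:
        s += 2
    # Request shape: unusually long query string (assumed limit).
    if len(req.query) > 512:
        s += 1
    # Challenge outcome: failures add cost, a pass earns trust back.
    s += 2 * req.challenge_failures
    if req.challenge_passed:
        s -= 3
    return max(s, 0)

def decide(req):
    """Escalate cautiously: challenge before block, so real browsers get a path through."""
    s = score(req)
    if s >= BLOCK_AT:
        return "block"
    return "challenge" if s >= CHALLENGE_AT else "allow"

if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    full = {"User-Agent": "Mozilla/5.0", "Accept-Language": "en", "Accept-Encoding": "gzip"}
    print(decide(Request("/login", full)))                      # first visit, no cookie yet
    print(decide(Request("/search", {"User-Agent": "x"})))      # sparse headers, no cookie
    print(decide(Request("/search", {"User-Agent": "x"}, challenge_failures=1)))
```

Because the score is computed per request rather than per source address, it still applies when traffic is spread across many IPs.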
Do Not Forget the Product Trade-Off
Aggressive mitigation can block real users.
That is why good DDoS defense is not just "drop more traffic." It is:
- filtering cheaply
- escalating cautiously
- measuring false positives
Sometimes a challenge page is better than a hard block because it gives real browsers a path through while increasing cost for attackers.