What is an Application Layer DDoS Attack?

Introduction

Did you know that web applications—perhaps the very ones that are responsible for driving significant revenue for your business—are increasingly under attack? Akamai observed more than 1.1 trillion web application and API DDoS attacks in December 2024, nearly double the monthly average from two years prior. Corero’s 2025 Threat Intelligence Report also confirms a marked increase in application layer (Layer 7) DDoS attacks, including HTTP floods, API targeting, and platform-specific DDoS campaigns. These attacks raise the stakes: organizations must prepare for attacks that go beyond bandwidth saturation that slows application performance to damaging attacks that break the app.

In this blog, we take a closer look at application layer DDoS attacks. We delve into their rise in popularity, their impact, and why they’re so hard to detect. We also discuss a breadth of best practices and technologies to mitigate these evolving attacks, including the latest advancements to protect organizations from their impact.

How Application Layer DDoS Attacks Work

Application layer DDoS attacks operate at the top layer of the OSI model where web services connect to users including customers, partners, and the general public. These attacks target web applications, application programming interfaces (APIs), and web servers with bogus traffic that slows connections, consumes resources, and disrupts businesses. For example:

  • Slowloris attacks use partial HTTP requests to open connections to a targeted web server, and then leave the connections open for as long as possible without completing the request. This drains server resources, gradually slowing performance and ultimately overwhelming the target.
  • Smurf attacks exploit vulnerabilities in the protocols used for communication between servers to flood the network with a barrage of small requests that degrade service and eventually take a network offline.

The Impact of Application Layer DDoS Attacks

Application layer DDoS attacks signal a shift in DDoS attack trends. Instead of taking down infrastructure, adversaries are intent on taking down businesses by focusing on what matters most—customer experience, revenue streams, and authentication of users.

These adversaries are often platform savvy and target attacks against specific architectures, cloud workloads, web application logic, and APIs. Once networks are disabled and defenses are neutralized, the attacker can cause even more damage, including exfiltrating data and extorting funds.

Some of the most heavily targeted industries for application layer DDoS attacks include financial services organizations, telecommunication / internet service providers, and retailers. Their complex digital ecosystems create more points of exposure and potential gaps in security. They are responsible for a significant concentration of customer data, payment information, and financial transactions that threat actors are keen to exploit and profit from. And as part of critical infrastructure, when their services go down, life as we know it quickly grinds to a halt.

Detecting Application Layer DDoS Attacks

Despite the pain they create, application layer DDoS attacks are difficult to detect for various reasons.

Consume Little Bandwidth

In contrast to a network layer attack that focuses on flooding network infrastructure with traffic, these attacks are able to operate under the radar of traditional volumetric detection tools. They require less bandwidth to bring down a web service because they exploit application vulnerabilities and resource-intensive processes instead.

Mimic Legitimate User Traffic

Attackers send seemingly legitimate requests at very low volumes, often just requesting access to a single page in order to take down a service, which makes them difficult to distinguish from normal traffic. A login flood may look like a busy Monday. A shopping cart attack may look like Black Friday traffic.

Incorporate the Network Layer

Attackers sometimes conduct reconnaissance at Layer 3 and Layer 4 (network layers) prior to launching a Layer 7 attack, thus evading detection by methods that focus on application threat surfaces.

Mitigating and Protecting Against Application Layer DDoS Attacks

There are several best practices and technologies organizations can implement to mitigate application layer DDoS attacks.

Rate limits & Behavioral modeling

Incorporate user-behavior modeling and rate limiting of incoming requests to detect high-rate, lower-volume signature abuse that could indicate malicious traffic mimicking legitimate user behavior.
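
The following added example (not from the original post) rate-limits by request cost rather than raw count, so a low-volume flood against an expensive endpoint is throttled while a normal browsing session passes. The endpoint weights, budget, window and sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed cost weights (hypothetical paths): expensive handlers drain the budget faster.
COST = {"/login": 5, "/search": 3}  # any other path costs 1


class CostLimiter:
    """Per-client cost budget enforced over a sliding time window."""

    def __init__(self, budget=20, window=10.0):
        self.budget = budget
        self.window = window
        self.events = defaultdict(deque)  # client -> deque of (timestamp, cost)
        self.spent = defaultdict(int)     # client -> cost currently inside the window

    def allow(self, client, path, now):
        q = self.events[client]
        # Expire events that have aged out of the window.
        while q and now - q[0][0] >= self.window:
            self.spent[client] -= q.popleft()[1]
        cost = COST.get(path, 1)
        if self.spent[client] + cost > self.budget:
            return False  # caller would answer 429 Too Many Requests
        q.append((now, cost))
        self.spent[client] += cost
        return True


def replay(requests, limiter=None):
    """Feed (time, client, path) tuples through the limiter; count outcomes per client."""
    limiter = limiter or CostLimiter()
    outcome = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for now, client, path in sorted(requests):
        key = "allowed" if limiter.allow(client, path, now) else "denied"
        outcome[client][key] += 1
    return {client: dict(counts) for client, counts in outcome.items()}


# Constructed traffic: a 2 requests/second login flood and one ordinary shopper.
FLOOD = [(i * 0.5, "198.51.100.7", "/login") for i in range(10)]
SHOPPER = [(0.0, "203.0.113.20", "/"), (2.0, "203.0.113.20", "/products"),
           (4.0, "203.0.113.20", "/cart"), (6.0, "203.0.113.20", "/login")]

if __name__ == "__main__":
    print(replay(FLOOD + SHOPPER))
```

A flat limit of 20 requests per 10 seconds would have let all ten login attempts through; weighting by endpoint cost is what separates the two clients here.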

Monitor application-layer health

Start monitoring application-layer health alongside network traffic. Unusual load times, high error rates, or login failures could signal DDoS activity.
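
As an added illustration (not part of the original post), this example scans access-log lines minute by minute for the three signals named above: error rate, login failures and slow responses. The log format, thresholds and sample lines are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample: "<epoch_seconds> <method> <path> <status> <latency_ms>"
SAMPLE_LOG = """\
1700000040 GET / 200 40
1700000045 POST /login 200 120
1700000060 GET /products 200 55
1700000080 GET /cart 200 60
1700000100 POST /login 401 900
1700000102 POST /login 401 1100
1700000105 POST /login 401 1500
1700000110 GET / 503 3000
1700000115 POST /login 401 1800
1700000120 GET /products 503 3000
1700000130 POST /login 401 2100
"""

# Assumed thresholds; in practice derive them from a baseline of normal traffic.
MAX_ERROR_RATE = 0.10     # share of 5xx responses per minute
MAX_LOGIN_FAILURES = 3    # 401 responses on /login per minute
MAX_P95_MS = 1000         # 95th-percentile latency per minute


def p95(values):
    """Nearest-rank 95th percentile of a non-empty list."""
    ordered = sorted(values)
    return ordered[math.ceil(0.95 * len(ordered)) - 1]


def health_alerts(log_text):
    """Return {minute_start: [reasons]} for every minute that breaches a threshold."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines with the wrong field count
        ts, _method, path, status, latency = parts
        buckets[int(ts) // 60 * 60].append((path, int(status), int(latency)))
    alerts = {}
    for minute, rows in sorted(buckets.items()):
        checks = {
            "error_rate": sum(s >= 500 for _, s, _ in rows) / len(rows) > MAX_ERROR_RATE,
            "login_failures": sum(p == "/login" and s == 401 for p, s, _ in rows) > MAX_LOGIN_FAILURES,
            "latency": p95([ms for _, _, ms in rows]) > MAX_P95_MS,
        }
        reasons = [name for name, breached in checks.items() if breached]
        if reasons:
            alerts[minute] = reasons
    return alerts
```

The second minute of the sample carries only seven requests, yet it trips all three checks, which is the pattern a volumetric bandwidth monitor would not see.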

Web server connection limits

Set limits on the maximum number of connections that can remain open at any one time to prevent abuse and resource drain of the web server.
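
An added example, not from the original post, covering both this connection limit and the Slowloris behavior described earlier: given a snapshot of open connections, it picks the ones to drop using an absolute header deadline and a per-client cap. The `Conn` record, both thresholds and the sample table are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass

HEADER_TIMEOUT = 10.0   # assumed: seconds allowed to finish sending request headers
MAX_CONNS_PER_IP = 4    # assumed: concurrent open connections allowed per client


@dataclass
class Conn:
    conn_id: int
    ip: str
    opened_at: float
    headers_done: bool  # True once the blank line ending the headers has arrived


def connections_to_close(conns, now):
    """Return {conn_id: reason} for connections the server should drop."""
    close = {}
    # 1. Absolute header deadline, measured from accept time. An idle timeout
    #    would be reset by every trickled byte; this deadline is not.
    for c in conns:
        if not c.headers_done and now - c.opened_at > HEADER_TIMEOUT:
            close[c.conn_id] = "header_timeout"
    # 2. Per-client cap on what remains: keep the oldest, refuse the newest.
    by_ip = defaultdict(list)
    for c in conns:
        if c.conn_id not in close:
            by_ip[c.ip].append(c)
    for group in by_ip.values():
        group.sort(key=lambda c: c.opened_at)
        for c in group[MAX_CONNS_PER_IP:]:
            close[c.conn_id] = "per_ip_limit"
    return close


# Constructed snapshot taken at now=30: one client holding nine unfinished
# requests, and one client with a completed request plus a fresh connection.
SAMPLE = (
    [Conn(i, "198.51.100.7", t, False) for i, t in [(1, 0), (2, 5), (3, 12)]]
    + [Conn(i, "198.51.100.7", 18 + i, False) for i in range(4, 10)]
    + [Conn(10, "203.0.113.20", 1, True), Conn(11, "203.0.113.20", 28, False)]
)

if __name__ == "__main__":
    print(connections_to_close(SAMPLE, now=30))
```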

Load balancers

Use load balancers and failover mechanisms that distribute traffic across different servers and cloud resources to help mitigate the impact of incomplete HTTP requests and assist with continuity of service while IT teams investigate and respond.

Software updates and patching vulnerabilities

Regularly update and patch all systems and software to prevent DDoS attacks that exploit vulnerabilities in outdated software.

Response Strategies

Because of the nature of these attacks, collaborate with app dev and platform teams, not just NetOps teams, to develop coordinated response strategies.

CAPTCHAs

To help prevent fraud and abuse, use CAPTCHAs to validate if the entity trying to access a web service is a human or a bot. Deny access to any respondent suspected to be a bot.

Web Application Firewalls (WAFs)

WAFs act as a guard between web applications and the internet. Using allowlists, blocklists or a combination, WAFs filter, monitor, and block any malicious incoming HTTP/S traffic while also preventing sensitive data from leaving the application without authorization. WAFs protect against a range of application layer threats and typically include basic protection against some Layer 7 DDoS attacks.

DDoS Protection

Traditional DDoS protection focuses on mitigating threats at the network layers (Layer 3 and Layer 4), not the application layer. To avoid having another solution to manage and monitor, look for more modern solutions that integrate Layer 7 DDoS protection capabilities.

Maximize Coverage with Advanced DDoS Protection

The rise of hybrid-cloud environments and the trend of moving critical workloads back to on-prem infrastructure are increasing defense complexity. The architecture attackers are targeting is broadening, so organizations need holistic Layer 3 through Layer 7 DDoS attack protection to address multiple points of entry.

WAFs are focused on protecting web applications from malicious activity and can help detect and block behavior that may contribute to DDoS attacks at Layer 7. However, they are not designed to handle more advanced application layer DDoS attacks that sometimes begin by conducting reconnaissance at Layers 3 and 4.

On the flip side, many anti-DDoS solutions don’t innately help combat web application and API attacks because they focus on DDoS attacks at Layer 3 and 4 of the OSI model. They don’t include traffic and behavior analysis to detect multi-vector attacks that operate at Layer 7 (the application layer), where attacks that compromise web services unfold.

This is why advanced DDoS protection solutions have emerged. One of these alternatives is Corero’s SmartWall ONE™ with CORE. This proven solution provides meaningful web application and API protection for real-world threats at Layer 7 alongside full spectrum DDoS protection, from Layer 3 through Layer 7.

Advanced capabilities include adaptive analytics, threat modeling, and anti-bot capabilities to trigger sophisticated application defense and Zero Trust admission control to stop modern multi-vector attacks. With less manual work and no operational sprawl, it’s also more cost-effective.

Providing additional resiliency, an advanced DDoS protection solution like SmartWall ONE with CORE requires little manual work and maintains uninterrupted service availability even in the midst of a DDoS attack. When coupled with AI-assisted threat intelligence that continually learns from new data and adapts in real time, the solution can also react instantly to protect against follow-on malicious activity including data leakage, ransomware attacks, and other threats to your operations.

Conclusion

As cloud-based platforms proliferate, threat actors have set their sights on web applications and APIs. Determined to bring organizations to their knees by cutting their web services out from under them, they use a wide range of threats to attempt to accomplish their mission. Layer 7 DDoS attacks are on the rise but so are attacks at Layers 3 and 4. And multi-vector attacks combine these points of entry.

Organizations need a solution to protect against volumetric DDoS attacks from the network edge to the application layer, and they also need a solution to protect their web services from other types of advanced threats.

Best practices and technologies like application-layer health monitoring, rate and connection limits, load balancers, software updates, CAPTCHAs, and WAFs can help. However, traditional anti-DDoS protection often falls short because it tends to focus on Layers 3 and 4.

The most effective technology to thwart these new DDoS challenges and shield web apps and APIs from additional application-layer threats is an advanced DDoS protection solution. Coupled with behavior analysis and intelligence, it lets you stay ahead of emerging and evolving threats and defend against follow-on malicious activity including data breaches, ransomware attacks, and other threats to your operations. Organizations build resilience through breadth of coverage, zero operational lift, and the ability to maintain uninterrupted service availability even during a DDoS attack.

Visit our threat intelligence research center for more information on DDoS defense in depth. Download our solution brief on our smarter approach to application protection.
