Layer 7 DDoS Mitigation Explained
Layer 7 attacks are dangerous precisely because each request looks like a normal visitor. Mitigating them is less about raw capacity and more about telling humans and legitimate clients apart from automated floods. This guide covers the main techniques and how to confirm they are actually filtering traffic.
Why Layer 7 is hard
A volumetric Layer 4 flood can be absorbed or scrubbed by capacity at the network edge. A Layer 7 flood is different: each HTTP request is individually cheap and well-formed, so the defender has to decide, request by request, whether it is genuine. Get it wrong and you either let attacks through or block real users.
The mitigation toolbox
Under Attack Mode (UAM) serves a short interstitial carrying a JavaScript challenge; real browsers solve it without any user interaction, while simple bots that do not execute JavaScript never obtain a clearance cookie. CAPTCHA goes further, requiring explicit human interaction, and is normally reserved for high-risk paths. Rate limiting caps how many requests a single client (usually keyed by IP) may send in a window. A WAF blocks requests matching known-bad patterns, and fingerprinting or behavioural analysis scores clients on subtler signals such as TLS handshake parameters and HTTP header order, which automation tools rarely reproduce exactly.
These are layered, not exclusive: a typical setup challenges suspicious traffic with UAM, escalates to CAPTCHA on sensitive routes, and applies rate limits as a backstop.
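The layered policy described above, as an added example (not code from the original page and not Cloudflare's implementation): a WAF pattern check, a per-IP sliding-window rate limit as the backstop, a JS-challenge clearance requirement for everyone, and escalation to CAPTCHA on sensitive routes when the client's fingerprint looks automated. The WAF patterns, the sensitive-path list, the `fp_score` field and the sample traffic are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Outcomes ordered from least to most user friction.
ALLOW, JS_CHALLENGE, CAPTCHA, BLOCK = "allow", "js_challenge", "captcha", "block"

# Constructed WAF signatures for this example; a real WAF ships far larger rule
# sets and inspects headers and bodies, not just the path.
WAF_PATTERNS = [re.compile(p, re.I) for p in (r"union\s+select", r"\.\./", r"<script")]

# Routes that warrant an interactive challenge when the client looks automated.
SENSITIVE_PATHS = ("/login", "/checkout")


@dataclass
class Request:
    ip: str
    path: str
    ts: float                 # arrival time in seconds
    solved_js: bool = False   # client presented a valid JS-challenge clearance
    fp_score: float = 0.0     # hypothetical 0..1 score from TLS/header-order fingerprinting
                              # (0 = browser-like, 1 = automation-like)


class SlidingWindowLimiter:
    """Per-key sliding window: at most `limit` hits in any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def over_limit(self, key: str, now: float) -> bool:
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # drop hits that fell out of the window
            q.popleft()
        q.append(now)
        return len(q) > self.limit


def decide(req: Request, limiter: SlidingWindowLimiter) -> str:
    # 1. WAF: known-bad patterns are dropped outright, no challenge needed.
    if any(p.search(req.path) for p in WAF_PATTERNS):
        return BLOCK
    # 2. Rate limit as a backstop: even clients that pass every challenge are capped.
    if limiter.over_limit(req.ip, req.ts):
        return BLOCK
    # 3. UAM: every client must hold a JS-challenge clearance before being served.
    if not req.solved_js:
        return JS_CHALLENGE
    # 4. Escalate to CAPTCHA on sensitive routes when the fingerprint looks automated.
    if req.path.startswith(SENSITIVE_PATHS) and req.fp_score >= 0.5:
        return CAPTCHA
    return ALLOW


def run_sample() -> list:
    """Constructed traffic: a browser, a scripted login attempt, a scanner and a fast scripted client."""
    limiter = SlidingWindowLimiter(limit=5, window=10.0)
    reqs = [
        Request("203.0.113.10", "/", 0.0),                                      # first visit: must solve JS
        Request("203.0.113.10", "/", 1.0, solved_js=True),                      # clearance held: served
        Request("203.0.113.10", "/login", 2.0, solved_js=True, fp_score=0.1),   # browser-like on /login: served
        Request("198.51.100.7", "/login", 2.5, solved_js=True, fp_score=0.9),   # automation-like on /login: CAPTCHA
        Request("198.51.100.8", "/?q=1 UNION SELECT 1", 3.0, solved_js=True),   # WAF signature: blocked
    ]
    # A headless client that solved the JS challenge but hammers one endpoint: 7 hits in 0.6 s.
    reqs += [Request("192.0.2.5", "/api/search", 4.0 + i * 0.1, solved_js=True) for i in range(7)]
    return [(r.ip, r.path, decide(r, limiter)) for r in reqs]


if __name__ == "__main__":
    for ip, path, verdict in run_sample():
        print(f"{ip:14} {path:24} {verdict}")
```

The order of the checks matters: the cheap, high-confidence filters (signatures, rate limit) run before anything that costs the client a round trip, and the rate limit counts every request, challenged or not, so a client cannot exhaust the origin by sitting at the challenge page.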
Verifying mitigation with a Dstat
A live Dstat plots two series for the target: incoming, the requests hitting the edge, and bypass, the requests that get past the mitigation and reach the origin. It is the simplest way to confirm a mitigation works. Watch the bypass series: when a challenge engages, bypass should drop sharply within seconds even while total incoming requests stay high. If bypass tracks incoming, the mitigation is not filtering effectively. If both series fall together, the attack simply stopped, which says nothing about the filter.
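The same check done numerically, as an added example rather than anything from the original page or from a Dstat provider: two constructed one-second series (not real captures) are scored on when the bypass ratio collapses under load, how much bypass remains once it settles, and whether bypass simply rises and falls with incoming. The thresholds `min_incoming`, `effective_ratio` and `tail` are assumptions chosen for the example.

```python
from dataclasses import dataclass
from math import sqrt


@dataclass
class Sample:
    t: int         # seconds since the start of the capture
    incoming: int  # requests/s arriving at the edge
    bypass: int    # requests/s that got past the mitigation to the origin


# Constructed samples: incoming stays around 5k rps while bypass collapses
# two seconds after the challenge engages.
CHALLENGE_ENGAGED = [Sample(t, i, b) for t, (i, b) in enumerate(
    [(4800, 4700), (5100, 5000), (5300, 1200), (5200, 150),
     (5000, 40), (5100, 30), (4900, 25), (5000, 30)])]

# Constructed samples: bypass follows incoming almost one-for-one, so whatever
# is configured is not filtering.
NOT_FILTERING = [Sample(t, i, i - 150) for t, i in enumerate(
    [4000, 5000, 6000, 5500, 5200, 4800, 5000, 5100])]


def pearson(xs, ys) -> float:
    """Pearson correlation of two equal-length series; 0.0 when either is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(vx * vy) if vx and vy else 0.0


def assess(samples, min_incoming=1000, effective_ratio=0.05, tail=5) -> dict:
    """Did bypass collapse while incoming stayed high, or does bypass just track incoming?"""
    ratios = [s.bypass / s.incoming if s.incoming else 0.0 for s in samples]
    # First second in which the filter is clearly working while still under real load;
    # a low ratio at low incoming proves nothing, hence the min_incoming guard.
    engaged_at = next((s.t for s, r in zip(samples, ratios)
                       if s.incoming >= min_incoming and r < effective_ratio), None)
    # Bypass fraction once the series has settled (last `tail` samples).
    recent = ratios[-tail:]
    steady = sum(recent) / len(recent)
    corr = pearson([s.incoming for s in samples], [s.bypass for s in samples])
    return {
        "engaged_at": engaged_at,
        "steady_bypass_ratio": round(steady, 3),
        "correlation": round(corr, 3),
        "filtering": steady < effective_ratio,
        # High correlation with most traffic getting through is the "bypass tracks incoming" case.
        "tracks_incoming": corr > 0.9 and steady > 0.5,
    }


if __name__ == "__main__":
    for name, series in (("challenge engaged", CHALLENGE_ENGAGED), ("not filtering", NOT_FILTERING)):
        print(name, assess(series))
```

Reading the two verdicts together is the point: a low steady bypass ratio alone could be a lull in the attack, and a high incoming rate alone could be traffic the origin is happily serving; only bypass staying near zero while incoming stays high shows the challenge is doing work.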
The trade-off
Every layer of friction that stops bots also risks inconveniencing real users. Non-interactive challenges (UAM) add little friction beyond a brief interstitial; interactive challenges (CAPTCHA) add the most. The art of Layer 7 defence is applying just enough friction on the right paths to drive bypass toward zero without driving customers away.
Related Live Dstat Examples (Layer 7)
- Cloudflare UAM Dstat (free, live): a target running Under Attack Mode, where every visitor must pass a JS challenge. Watch in real time how many requests solve it.
- Cloudflare CAPTCHA Dstat (free, live): a target behind Cloudflare's managed challenge (Turnstile), the hardest Layer 7 filter to get past. See what actually gets through, live.
- Cloudflare Rate Limit Dstat (free, live): a target with Cloudflare rate limiting rules enabled. Watch how many requests survive per-IP throttling in real time.
Layer 7 mitigation — FAQ
Is Layer 7 mitigation about bandwidth?
No. Layer 7 defence is about distinguishing legitimate requests from automated ones, not absorbing raw volume; volumetric floods are absorbed or scrubbed at the network edge (Layers 3 and 4).
How do I know a challenge is actually working?
Open a live Dstat and watch the bypass series: an effective challenge makes bypass traffic collapse while total incoming requests stay high.
Does a CAPTCHA stop everything?
No mitigation is absolute, but interactive challenges sharply reduce automated traffic. They are usually reserved for sensitive paths because they add user friction.