The core challenge of L7 DDoS attacks is their protocol compliance. The attacker sends valid HTTP requests; each request alone looks like something a legitimate user would do. A system looking only at traffic aggregation either catches the attack late (after damage is done) or has to block legitimate traffic.
Slowloris and R.U.D.Y. push the problem to the edge. The attacker opens many half-open connections and sends a few bytes per second on each. The requests-per-second threshold never triggers; meanwhile the server's worker-thread pool fills. Classic protection doesn't see it.
Cache-busting and recursive GET attacks bypass the cache layer; each request has a different URL parameter, the cache is skipped, and the backend recalculates. Saying 'there are too many requests' isn't enough; the structural pattern of the behavior matters.
Bot DDoS campaigns come from a distributed IP pool: each source runs at a low rate, but the aggregate shows a high error rate or targeted endpoint density. The attack doesn't appear in a single signal; it must be caught with AND/OR/NOT combinations of multiple signals.
The L7 DDoS add-on runs on behavioral scoring + combined-condition logic + adaptive actions + per-vService granularity. Instead of classic 'requests per second' thresholds, it looks at the structural attack pattern.
Instead of a single signal, connection rate, session lifetime, request/response ratio, path density, IP reputation, bot score, and error rate are evaluated simultaneously. Attack models are caught by structural pattern, not by volume.
A combined condition can be defined per vService. Example: 'high request rate AND rising SSL connections AND /api/login path density AND low IP reputation'. Not one signal — the structural attack pattern becomes the trigger.
The system observes traffic behavior, generates a baseline, and surfaces it to the operator. The operator reviews, approves, or modifies it, then activates it as policy. As the profile evolves, Smart Learning surfaces a new suggestion.
On attack detection, the action is selected by attack model: deny (open attack), redirect (alternative path), controlled content delivery, local CAPTCHA (bot/human distinction), rate-limit. Instead of one-size-fits-all, a graduated response.
The L7 DDoS add-on handles the most sophisticated application-layer attack vectors inside the WAAP policy chain.
An attacker sends thousands of real-looking HTTP requests per second. Request rate alone can resemble legitimate campaign traffic. TR7's behavioral scoring engine evaluates request rate together with session lifetime, IP reputation, and target path density; once the structural attack pattern is recognized, action applies.
An attacker opens many half-open HTTP connections, sending only a few bytes per second on each. The requests-per-second threshold never triggers. TR7 evaluates abnormal session lifetime + low request/response ratio + high active connections together; attack connections are filtered.
The attacker starts a POST request; Content-Length is declared large but the body arrives at 1 byte per second. Worker threads wait for hours. TR7 catches slow-body senders through Content-Length inconsistency and thread wait time.
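The slow-header and slow-body signals described in the two paragraphs above, as an added Python sketch (not TR7's implementation). The `Conn` fields, all thresholds and the sample connection table are constructed assumptions; the per-source count stands in for the "high active connections" signal.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Conn:
    src: str
    wait_s: float            # seconds the current request has been in flight
    header_bytes: int        # header bytes received so far
    headers_done: bool       # terminating blank line seen
    content_length: int = 0  # declared body size
    body_in: int = 0         # body bytes received so far

MIN_WAIT_S = 30       # assumed: do not judge requests younger than this
MIN_HDR_BPS = 50      # assumed floor for header arrival rate (bytes/second)
MAX_BODY_ETA_S = 300  # assumed: longest acceptable projected body transfer
MIN_SLOW_CONNS = 5    # assumed: slow connections per source before flagging

def classify(c: Conn) -> str:
    if c.wait_s < MIN_WAIT_S:
        return "ok"
    if not c.headers_done:  # Slowloris shape: headers never complete
        return "slow-headers" if c.header_bytes / c.wait_s < MIN_HDR_BPS else "ok"
    remaining = c.content_length - c.body_in
    if remaining > 0:       # R.U.D.Y. shape: declared size vs. arrival rate
        rate = max(c.body_in / c.wait_s, 1e-9)
        if remaining / rate > MAX_BODY_ETA_S:
            return "slow-body"
    return "ok"

def flag_sources(conns):
    """Sources holding at least MIN_SLOW_CONNS slow connections of one kind."""
    counts = Counter((c.src, classify(c)) for c in conns)
    return {src: kind for (src, kind), n in counts.items()
            if kind != "ok" and n >= MIN_SLOW_CONNS}

# Constructed connection table (documentation-range addresses).
SAMPLE = (
    [Conn("203.0.113.7", 120, 240, False)] * 6                     # 2 B/s headers
    + [Conn("198.51.100.9", 600, 400, True, 1_000_000, 600)] * 5   # 1 B/s body
    + [Conn("192.0.2.10", 45, 300, False)]                         # one slow client
    + [Conn("192.0.2.20", 40, 500, True, 50_000_000, 30_000_000)]  # fast large upload
)

if __name__ == "__main__":
    print(flag_sources(SAMPLE))
```

The single slow client and the fast large upload are left alone: one slow connection is below the per-source count, and the upload's projected completion time is short.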
The attacker adds a different URL parameter to each request; the cache is bypassed and the backend recalculates every request. TR7 observes cache hit/miss ratio and URL parameter diversity behavior; when the cache-busting structural pattern is caught, action applies.
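One way to measure the "cache miss ratio plus URL parameter diversity" pattern, as an added Python sketch (not TR7's implementation): a path is flagged when many distinct raw URLs collapse to few URLs once parameters the application does not use are dropped. `KNOWN_PARAMS`, the thresholds and the sample entries are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Assumed: query parameters each path actually uses.
KNOWN_PARAMS = {"/catalog": {"page", "sort"}, "/search": {"q"}}
MIN_REQUESTS, MIN_MISS, MIN_COLLAPSE = 20, 0.9, 5.0  # assumed thresholds

def cache_busted_paths(entries):
    """entries: (url, cache_status) pairs. Returns the paths showing the pattern."""
    raw, norm = defaultdict(set), defaultdict(set)
    miss, total = defaultdict(int), defaultdict(int)
    for url, status in entries:
        parts = urlsplit(url)
        known = KNOWN_PARAMS.get(parts.path, set())
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        raw[parts.path].add(parts.query)
        # Normalized key: only parameters the application is known to read.
        norm[parts.path].add(tuple(sorted(p for p in pairs if p[0] in known)))
        total[parts.path] += 1
        miss[parts.path] += status == "MISS"
    flagged = []
    for path, n in total.items():
        collapse = len(raw[path]) / len(norm[path])
        if n >= MIN_REQUESTS and miss[path] / n >= MIN_MISS and collapse >= MIN_COLLAPSE:
            flagged.append(path)
    return sorted(flagged)

# Constructed entries: a random extra parameter on /catalog, varied but
# legitimate /search terms, and a fully cached /home.
SAMPLE = (
    [(f"/catalog?page=1&_={i}", "MISS") for i in range(40)]
    + [(f"/search?q=term{i}", "MISS") for i in range(40)]
    + [("/home", "HIT")] * 40
)

if __name__ == "__main__":
    print(cache_busted_paths(SAMPLE))
```

The `/search` traffic has the same diversity and miss ratio as `/catalog` but does not collapse under normalization, so it is not flagged.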
The attacker sequentially hits all sub-URLs of a large page to exhaust the backend. The behavioral engine catches the recursive pattern — sequential high-density requests from the same session + consistent user-agent.
The attacker sends low-rate requests from thousands of IPs; the aggregate shows a structural pattern, but each IP looks ordinary. TR7 catches the bot pool via combined conditions of IP reputation + bot score + path density; graduated action (CAPTCHA → block) applies.
The attacker sends a compromised credential list to the login form from distributed IPs. High 4xx error rate, login path density, IP reputation, and distributed source are evaluated together; the attack wave is stopped at its start.
Bots targeting modern APIs send human-like-rate requests. Bot detection from a single connection signal is hard. TR7 catches structural bots via combined evaluation of bot score + behavioral fingerprint + path density.
When an attack is structurally recognized, local CAPTCHA challenge can trigger. It runs as part of the TR7 platform; no third-party reCAPTCHA or similar service required. Data locality preserved.
Each application service has a different traffic profile, so each vService gets a separate behavioral baseline and mitigation policy. An attack on one vService doesn't affect another; one vService's normal traffic might resemble another's attack profile. Capacity tiers: 1, 10, 25, 100, 1000 vServices, or Unlimited Protection.
The L7 DDoS add-on offers an integrated operational model: behavioral scoring + ddosCond combined conditions + Smart Learning + adaptive action + audit trail.
Smart Learning observes traffic behavior, generates a per-vService baseline, and surfaces it to the operator. The operator reviews, approves, or modifies it, then activates it as policy. As the profile evolves, a new suggestion is surfaced.
Behavior signals can be combined with AND/OR/NOT. Connection rate, session lifetime, request/response ratio, path density, HTTP method distribution, body-size behavior, IP reputation, bot score, error rate — all are input to condition definition.
Actions: deny, redirect, content delivery, local CAPTCHA, rate-limit. By attack model, the operator can define a graduated action: first threshold CAPTCHA, second threshold rate-limit, third threshold block.
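An added Python sketch of AND/OR/NOT combined conditions with a graduated action per vService. It is not TR7's ddosCond syntax or code; the signal names, thresholds, the `shop-login` vService and the sample snapshots are constructed assumptions.

```python
from typing import Callable, Dict, List, Tuple

Signals = Dict[str, float]
Cond = Callable[[Signals], bool]

# Condition combinators over one window of aggregated signals.
def above(name: str, limit: float) -> Cond:
    return lambda s: s[name] > limit

def AND(*conds: Cond) -> Cond:
    return lambda s: all(c(s) for c in conds)

def OR(*conds: Cond) -> Cond:
    return lambda s: any(c(s) for c in conds)

def NOT(cond: Cond) -> Cond:
    return lambda s: not cond(s)

# Structural pattern: login path density AND (low IP reputation OR high bot score).
stuffing = AND(above("login_path_share", 0.5),
               OR(NOT(above("ip_reputation", 30)), above("bot_score", 70)))

# Per-vService tiers, most severe first; the first matching tier wins.
POLICIES: Dict[str, List[Tuple[Cond, str]]] = {
    "shop-login": [
        (AND(stuffing, above("err_4xx_rate", 0.8)), "block"),
        (AND(stuffing, above("err_4xx_rate", 0.6)), "rate-limit"),
        (AND(stuffing, above("err_4xx_rate", 0.4)), "captcha"),
    ],
}

def decide(vservice: str, signals: Signals) -> str:
    for cond, action in POLICIES.get(vservice, []):
        if cond(signals):
            return action
    return "allow"

# Constructed snapshots: campaign day (high rate, clean sources) and an attack wave.
CAMPAIGN = {"request_rate": 9000, "login_path_share": 0.6, "ip_reputation": 85,
            "bot_score": 10, "err_4xx_rate": 0.05}
WAVE_START = dict(CAMPAIGN, ip_reputation=20, err_4xx_rate=0.45)
WAVE_PEAK = dict(WAVE_START, err_4xx_rate=0.9)

if __name__ == "__main__":
    for name, snap in [("campaign", CAMPAIGN), ("start", WAVE_START), ("peak", WAVE_PEAK)]:
        print(name, decide("shop-login", snap))
```

The campaign snapshot has the same request rate and login share as the attack snapshots but stays at `allow`, because volume alone is not part of any condition.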
L7 DDoS ddosCond conditions run inside the same WAAP policy chain. Bot management scores and API attack context feed ddosCond as input; on attack detection, events flow into the same audit chain as WAAP attack reporting.
The local CAPTCHA runs as part of the TR7 platform. No third-party reCAPTCHA or similar SaaS service is required; client data doesn't flow to another cloud. Visual, numeric, and behavioral challenge options are available.
Each detected attack, action taken, source IP-pool geography, target vService, and duration are written to the audit trail. If the L7 Reporting add-on is enabled, they are visualized in the dashboard; if SIEM streaming is configured, they flow to the enterprise SIEM.
An attacker opens 5,000 half-open connections; each receives 2 bytes per second. The requests-per-second threshold never triggers but the server's worker pool fills. TR7 catches the combined condition of abnormal session lifetime + low request/response ratio; attack connections are filtered, legitimate users remain visible.
An attacker sends compromised credentials from 50,000 IPs to the login form. Each IP runs at 1-2 requests per second; a single IP profile doesn't reveal the botnet. ddosCond: high 4xx rate AND login path density AND low IP reputation → graduated action (CAPTCHA → block).
An AI-agent-driven attacker sends human-like-rate requests to API endpoints. Bot detection from a single connection signal is hard. The combined evaluation of bot score + behavioral fingerprint + path density catches the AI agent's structural pattern; rate-limit or local CAPTCHA applies.
On the launch of an e-commerce campaign, traffic spikes 10x. A static threshold either white-pages the site or blocks legitimate traffic, costing business. TR7 Smart Learning has learned the campaign-day expectation too (weekly cycle); the threshold is dynamic. Legitimate traffic isn't affected; bot/attacker traffic is distinguished.
Let's see ddosCond combined conditions, Smart Learning suggestions, and the adaptive action library live in your environment — a deployment session on a pilot vService.