Distributed denial-of-service (DDoS) attacks have become one of the most common threats to the application layer — and those threats are growing in size. They flood servers and network resources with so many requests that they can slow down or completely crash software, bringing critical operations to a halt. Today, DDoS attacks make up a significant portion of all attacks on web application traffic. In fact, they comprise 37% of all app-layer traffic that Cloudflare deemed malicious and blocked in 2024.
Unfortunately, it is becoming easier for cybercriminals to launch app-layer DDoS attacks. They are constantly tapping into new tools and adopting new tactics to streamline their malicious work. For example, DDoS-for-hire “booter” services and AI-powered attack scripts have lowered the barrier to entry for attackers. Cybercriminals can now launch attacks more quickly and inexpensively than ever before. They are also producing larger, more sophisticated attacks, like the new, record-breaking events we’ve seen each quarter.
At the same time, cybercriminals are improving their ability to locate targets and evade detection. For example, they are getting better at using reconnaissance tactics to find vulnerable APIs. And they are using botnets to mimic actual user behavior and circumvent security tools.
Leading CIOs have made strengthening defenses against app-layer DDoS attacks a top priority. To stop these attacks, security teams first need to understand how they work, why they're so difficult to detect, and how they can impact their organization. They can then implement a strategic framework with the essential capabilities for stopping attacks and improving resilience.
Application-layer (or layer 7) DDoS attacks take a more focused approach than typical network DDoS attacks (layer 3 or 4). While network attacks attempt to cause widespread disruption, app-layer DDoS attacks focus on disrupting critical business workflows and services. They might target login pages, APIs, or payment gateways, attempting to disrupt a particular functionality without necessarily affecting the entire network infrastructure.
App-layer attacks are also lower-volume events than network attacks. They are designed to appear “normal” by adhering to application protocols. Attackers might create requests that appear valid, such as login attempts or search queries, to overload specific software components. The attacks might transmit small amounts of malicious traffic over a long period of time to evade detection. Low-and-slow attacks aim to overwhelm the server or database supporting the application by consuming resources like CPU cycles, memory, and database connections.
That lower-volume approach is part of what makes app-layer attacks so difficult to detect. These attacks bypass traditional network defenses that rely on traffic volume thresholds. Effective mitigation requires an adaptive strategy that analyzes traffic quality, context, and intent, moving beyond simply measuring traffic quantity.
Cybercriminals use several techniques to attack the app layer. Some target particular components or vulnerabilities, while others differ in how they overwhelm servers. The six most common techniques are:
HTTP/HTTPS floods: These attacks overwhelm web servers with a high volume of HTTP GET or POST requests, consuming resources and causing a denial-of-service state for legitimate users.
DNS query floods: Attackers might flood DNS services with queries, which can cause a cascading failure effect, making all dependent software and services unreachable.
Low-and-slow attacks: These attacks, like Slowloris and R.U.D.Y., establish and maintain slow, incomplete connections with minimal bandwidth usage to exhaust server resources while evading detection.
API-specific attacks: With the rise of API-first architectures, cybercriminals are increasingly targeting specific API endpoints to take an entire service offline.
Application vulnerability exploitation: Attacks can also exploit vulnerabilities like SQL injection and cross-site scripting (XSS) to steal data or compromise systems.
Emerging techniques: Attackers continue to develop new techniques, such as the one used in the HTTP/2 Rapid Reset attacks a few years ago. Today, they are also using botnets that randomize mouse movement, maintain session cookies, vary request headers, and visit multiple pages on a site, all to impersonate humans and evade detection prior to an attack.
Some of these techniques blur the line between DDoS and more general app-layer tactics: they are used for data exfiltration as well as service denial. To combat these threats, organizations must integrate their DDoS defense strategy with overall app security.
Defending against app-layer DDoS attacks requires a sophisticated, multifaceted approach that moves beyond traditional volume-based DDoS defenses. That approach should combine advanced detection, prevention and mitigation, and an adaptive security architecture.
Modern detection strategies must be able to see through the mimicry used by attackers. User and entity behavior analytics (UEBA) solutions first establish a baseline of “normal” behavior through continuous monitoring of app-level traffic. These solutions then apply behavioral analytics and machine learning capabilities to identify anomalies that might indicate an attack. Real-time monitoring of app performance metrics, such as CPU utilization and memory consumption, also provides earlier indications of an attack.
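As an added illustration of the point made here and in the earlier discussion of low-and-slow attacks (example code written for this article, not Cloudflare’s or any product’s detection logic), the script below runs a pure volume threshold and a UEBA-style behavioral baseline over the same constructed request records. The IP addresses, paths, hold times and thresholds are all assumptions chosen for the demonstration.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

PAGES = ("/", "/products", "/cart", "/api/login")

# Constructed sample traffic for one 60-second window: (client_ip, path, status, seconds_held).
# 198.51.100.x are ordinary visitors: 1-4 short requests each, spread across pages.
REQUESTS = [("198.51.100.%d" % i, p, 200, 0.1 + 0.05 * (i % 3))
            for i in range(1, 11) for p in PAGES[:(i % 4) + 1]]
# Low-and-slow client: only four requests, each holding a connection open ~45 s.
REQUESTS += [("203.0.113.7", "/api/login", 408, 45.0)] * 4
# Flood client: 60 well-formed login POSTs, each cheap but all aimed at one endpoint.
REQUESTS += [("203.0.113.9", "/api/login", 401, 0.3)] * 60

BASELINE_IPS = {"198.51.100.%d" % i for i in range(1, 11)}  # assumed known-good learning set

def volume_rule(requests, threshold=50):
    """Threshold rule in the style of network-layer DDoS defenses: request count alone decides."""
    counts = Counter(ip for ip, *_ in requests)
    return {ip for ip, n in counts.items() if n > threshold}

def profile(requests):
    """Per-client features: request count, share on the busiest path, mean connection hold time."""
    by_ip = defaultdict(list)
    for ip, path, _status, held in requests:
        by_ip[ip].append((path, held))
    feats = {}
    for ip, rows in by_ip.items():
        top_share = Counter(p for p, _ in rows).most_common(1)[0][1] / len(rows)
        feats[ip] = {"count": len(rows), "top_share": top_share,
                     "mean_held": mean(h for _, h in rows)}
    return feats

def behavior_rule(requests, baseline_ips=BASELINE_IPS, z=3.0):
    """UEBA-style rule: learn mean/stddev of each feature from known-good clients,
    then flag any client more than z standard deviations above that baseline."""
    feats = profile(requests)
    flagged = set()
    for key in ("count", "top_share", "mean_held"):
        base = [feats[ip][key] for ip in baseline_ips if ip in feats]
        mu, sd = mean(base), pstdev(base)
        if sd == 0:          # degenerate baseline: skip the feature rather than flag everyone
            continue
        flagged |= {ip for ip, f in feats.items() if (f[key] - mu) / sd > z}
    return flagged

if __name__ == "__main__":
    print("volume rule flags:  ", sorted(volume_rule(REQUESTS)))    # only the flood client
    print("behavior rule flags:", sorted(behavior_rule(REQUESTS)))  # flood and low-and-slow clients
```

The volume rule never sees the low-and-slow client because four requests a minute is unremarkable; the hold-time feature exposes it, while the flood client stands out on request count even though every request it sends is individually well-formed.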
Organizations should supplement these capabilities with real-time threat intelligence drawn from large, cloud-based global networks. Teams can also preemptively identify and block malicious IP addresses or botnets using web application firewalls (WAFs).
Beyond detection, organizations should implement a variety of prevention and mitigation tactics to enhance software resiliency. For example, intelligent rate limiting prevents excessive requests from exhausting resources. WAFs filter and block malicious traffic, while API security gateways filter malicious API calls. A zero trust model reduces the attack surface and controls access to apps even if user credentials are compromised.
To mitigate attacks, organizations can implement a content delivery network (CDN), which distributes application content globally, absorbing attack traffic at the network edge and reducing outages. Load balancing distributes traffic across multiple servers to prevent any single server from being overwhelmed while auto-scaling dynamically allocates resources based on traffic demands, ensuring adequate capacity during attacks.
Attackers are not standing still. They continue to develop new techniques and adopt new tools that help them evade defenses. Organizations need an adaptive security architecture that can learn from these evolving threats and then predict and respond to attacks autonomously.
Threat intelligence is critical to DDoS resilience; it can transform defense from reactive to predictive. By processing data on global attack patterns, threat intelligence services allow organizations to anticipate emerging vectors (like new amplification techniques or hacktivist campaigns) and proactively harden their defenses. This intelligence provides real-time lists of malicious IPs for immediate blocking and informs precise rate-limiting policies. It also helps security teams quickly distinguish disruptive DDoS noise from targeted data theft, so they can mount a focused response that protects both service availability and core data integrity.
AI and machine learning (ML) will be an essential component of that adaptive architecture. AI- and ML-based tools analyze vast amounts of network data to identify subtle attack patterns and anomalies that traditional systems might miss. They also learn from each new attack, applying new policies or rules to mitigate threats in seconds.
Security teams must also implement agile processes. Establishing an incident response plan and conducting realistic DDoS simulations are crucial for identifying vulnerabilities and validating mitigation procedures. Those plans and simulations must evolve as attackers change their techniques and organizations identify application vulnerabilities.
Cloudflare’s connectivity cloud offers a full range of cloud-native services for defending against DDoS attacks, including those that target your app layer. For example, DDoS protection takes advantage of Cloudflare’s 449 Tbps of network capacity to mitigate even the largest DDoS attacks without slowing app performance. ML-based UEBA capabilities enable you to detect unusual behavior that signals a threat, while the WAF service stops real-time attacks. Because these and other capabilities are fully integrated into a single platform, your team can stop app-layer attacks and enhance resilience without adding complexity.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
Learn more about how to protect your organization from DDoS attacks targeting the application layer and the network in the 5 critical considerations for mitigating DDoS attacks ebook.
Gregory Van den Top – @gregoryvdtop
Field CSO, Cloudflare
After reading this article, you will be able to understand:
The latest app-layer DDoS vectors and techniques
Why app-layer attacks are difficult to detect
How to build a three-pillar strategy for defending against DDoS attacks