
Understanding Application-Layer & Low-and-Slow DDoS Attacks

Application-layer and “low-and-slow” DDoS attacks explained by DDoS defence professionals

Application-layer (L7) and “low-and-slow” DDoS attacks are among the most insidious forms of denial-of-service threats. Rather than saturating bandwidth, they burn server CPU, memory, and database resources by forcing expensive operations—TLS handshakes, header decompression, routing, authentication, or cache misses—while looking deceptively like normal client traffic. This article explains how these attacks work, the modern vectors (HTTP/2, HTTP/3, GraphQL, gRPC, WebSockets), and how defenders can detect and mitigate them.

This article is part of our ongoing series on DDoS classification. If you’re new here, start with our DDoS taxonomy to see how L7 attacks fit within the wider threat landscape.

What Are Application-Layer & Low-and-Slow Attacks?

Application-layer DDoS attacks operate at Layer 7 of the OSI model, targeting the actual applications and APIs that users rely on. Unlike volumetric attacks, their aim is to force disproportionate work on servers, proxies, and databases.

The unifying theme is cost asymmetry: attackers expend little bandwidth or CPU, while defenders spend far more per request or connection.

What makes application layer attacks dangerous?

Common Attack Vectors and Their Impact

Below we summarise common application-layer and low-and-slow attack vectors, their mechanics, peak observations, and primary targets.

| Attack Type | Layer | Description | Notable Peak Impact | Resource Targeted |
|---|---|---|---|---|
| HTTP GET/POST Flood with Cache-Busting | 7 | Random query strings/headers force cache misses, driving load to origin | 10M+ rps seen at CDNs | Origin CPU, DB/cache |
| HTTP/2 Rapid Reset (CVE-2023-44487) | 7 | Opens many streams then cancels with RST_STREAM, overwhelming state machines | 201–398M rps (2023) | Proxy thread pools, CPU |
| Slowloris / RUDY | 7 | Dribbles partial headers/bodies just above timeout thresholds | Effective <1 Mbps | Sockets, worker threads |
| GraphQL Deep Recursion | 7 | Nested/aliased queries explode resolver and DB work | Exploitable at low RPS | DB pools, CPU |
| WebSocket Floods | 7 | Many concurrent upgrades plus idle/junk frames | 1M+ concurrent conns possible | Sockets, memory |
| gRPC Ping/Metadata Abuse | 7 | Excessive keepalives, SETTINGS, metadata churn | Reported since 2019 | Thread pools, per-conn streams |
| Login Spray / Credential Stuffing | 7 | Distributed low-rate auth attempts bypass per-IP limits | Widely reported | Auth CPU, DB, session store |
| Prefix Scatter (Carpet Bombing at L7) | 7 | Spreads small RPS across many endpoints | Ongoing (2024–2025) | Endpoint budgets, detection systems |

How These Attacks Work: Floods vs. Low-and-Slow

Real-World Examples

Key Differences: L7 Floods vs. Low-and-Slow

Although both application-layer floods and low-and-slow techniques target Layer 7, they differ significantly in how they apply pressure on infrastructure. The table below highlights the main contrasts.

| Aspect | Floods | Low-and-Slow |
|---|---|---|
| Primary Target | Application endpoints, APIs | Connections, sockets, threads |
| Attack Mechanism | High RPS, cache-busting, stream churn | Long-lived idle/slow connections |
| Traffic Volume | Moderate to very high | Very low bandwidth |
| Detection Difficulty | High (mimics clients) | High (low traffic signature) |
| Resource Impact | CPU, DB, cache, proxy pools | File descriptors, memory, worker threads |

Mitigation Strategies for Application-Layer & Low-and-Slow Attacks

Defending against L7 and low-and-slow attacks is very different from handling volumetric floods. These threats don’t just overwhelm pipes; they exploit how your applications and infrastructure are built. That means the right defence strategy depends heavily on your own environment—your CDN setup, reverse proxies, application servers, APIs, and databases.

In this chapter, we’ll highlight the main defensive methodologies available. Not all will apply to every stack, but together they form a comprehensive toolbox. The best results come from layering these measures across the edge, proxy, application, and backend.

1. Edge, CDN, and WAF Protections

The edge is your first line of defence, filtering and rate-limiting traffic before it hits origin servers.
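One edge-side signal worth extracting from CDN or proxy logs is the cache-busting pattern from the vectors table: a client whose requests are nearly all distinct targets and nearly all cache misses. The detector below is an added example, not FastNetMon code; the log format and thresholds are constructed for illustration.

```python
"""Flag cache-busting clients from access-log lines. Added example, not
FastNetMon code. Heuristic: a client whose requests are almost all distinct
(path, query) targets and almost all cache MISSes is defeating the cache."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines: "<client> <method> <target> <cache_status>"
SAMPLE_LOG = """\
10.0.0.1 GET /product/42?ref=home HIT
10.0.0.1 GET /product/42?ref=home HIT
10.0.0.1 GET /product/42 HIT
10.0.0.1 GET /product/42?ref=home HIT
198.51.100.7 GET /product/42?x=a81fz MISS
198.51.100.7 GET /product/42?x=q0c2m MISS
198.51.100.7 GET /product/42?x=77hsd MISS
198.51.100.7 GET /product/42?x=k91ad MISS
203.0.113.9 GET /search?q=shoes HIT
"""

def parse(log_text):
    """Yield (client, path, query, cache_status) per line."""
    for line in log_text.splitlines():
        client, _method, target, status = line.split()
        parts = urlsplit(target)
        yield client, parts.path, parts.query, status

def cache_busting_clients(log_text, min_requests=4, uniq_ratio=0.8, miss_ratio=0.8):
    """Return {client: (requests, unique_target_ratio, miss_ratio)} for clients
    whose traffic looks like randomised query strings forcing origin load."""
    reqs = defaultdict(int)
    targets = defaultdict(set)
    misses = defaultdict(int)
    for client, path, query, status in parse(log_text):
        reqs[client] += 1
        targets[client].add((path, query))
        if status == "MISS":
            misses[client] += 1
    flagged = {}
    for client, n in reqs.items():
        if n < min_requests:          # too few requests to judge
            continue
        uq = len(targets[client]) / n
        mr = misses[client] / n
        if uq >= uniq_ratio and mr >= miss_ratio:
            flagged[client] = (n, uq, mr)
    return flagged
```

Per-client thresholds alone will not catch a distributed version of the same pattern; the same ratios computed per path across all clients are the natural next aggregation.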

2. Reverse Proxy and HTTP Server Hardening

Tuning your reverse proxies and web servers helps cut off abusive connections early.
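The Slowloris row in the vectors table describes a client that sends each byte just inside the server's idle timeout, so a per-read timeout never fires. The model below, an added example rather than FastNetMon code, shows why an absolute deadline for completing the request headers is the setting that actually closes such connections; the timeout values are assumptions chosen for illustration.

```python
"""Why per-read idle timeouts miss Slowloris and an absolute header deadline
does not. Added example, not FastNetMon code. Models a server reading request
headers from a client that sends one byte just inside the idle timeout."""

IDLE_TIMEOUT = 10.0      # seconds allowed between two reads (assumed default)
HEADER_DEADLINE = 20.0   # hardened: total seconds allowed to finish the headers

class HeaderReader:
    """Feed (timestamp, bytes) chunks; returns 'ok', 'pending' or a reject reason."""
    def __init__(self, started_at, idle_timeout, header_deadline=None):
        self.started_at = started_at
        self.last_read = started_at
        self.idle_timeout = idle_timeout
        self.header_deadline = header_deadline
        self.buf = b""

    def feed(self, now, chunk):
        if now - self.last_read > self.idle_timeout:
            return "reject:idle-timeout"
        if self.header_deadline is not None and now - self.started_at > self.header_deadline:
            return "reject:header-deadline"
        self.last_read = now
        self.buf += chunk
        return "ok" if b"\r\n\r\n" in self.buf else "pending"

def slowloris_chunks(n, interval):
    """Constructed attacker stream: a never-terminated header, one byte per interval."""
    partial = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-a: " + b"a" * n
    return [(i * interval, partial[i:i + 1]) for i in range(len(partial))]

def run(chunks, header_deadline=None):
    """Drive a reader with the chunks; return (final state, time it was reached)."""
    reader = HeaderReader(0.0, IDLE_TIMEOUT, header_deadline)
    for now, chunk in chunks:
        state = reader.feed(now, chunk)
        if state != "pending":
            return state, now
    return "pending", chunks[-1][0]   # still holding a worker after the last byte
```

With only the idle timeout the 81-byte dribble keeps a worker busy for the whole stream (760 seconds here); with the header deadline the connection is dropped at the first read after 20 seconds. In nginx the equivalent knob is client_header_timeout, which bounds the whole header read rather than the gap between reads.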

3. Application- and API-Specific Safeguards

Different application protocols have unique risks that need targeted countermeasures.
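For the GraphQL Deep Recursion vector, the targeted countermeasure is a query budget enforced before resolvers run: cap selection-set depth and the number of aliases. The scanner below is an added example, not FastNetMon code or any GraphQL library's validator; the budget values are assumptions.

```python
"""Depth/alias budget for GraphQL documents, a guard against the 'GraphQL Deep
Recursion' vector. Added example, not FastNetMon code. Assumes well-formed
documents; braces in strings/comments and in argument lists are not counted."""
import re

_ALIAS = re.compile(r"\b[A-Za-z_]\w*\s*:\s*[A-Za-z_]\w*")

def analyse(doc):
    """Return (max selection depth, alias count) for a GraphQL document."""
    doc = re.sub(r'"(?:\\.|[^"\\])*"', '""', doc)  # blank out string literals
    doc = re.sub(r"#[^\n]*", "", doc)               # drop comments
    depth = max_depth = paren = aliases = 0
    i = 0
    while i < len(doc):
        ch = doc[i]
        if ch == "(":
            paren += 1
        elif ch == ")":
            paren -= 1
        elif paren == 0:                 # only selection sets, not argument lists
            if ch == "{":
                depth += 1
                max_depth = max(max_depth, depth)
            elif ch == "}":
                depth -= 1
            elif depth > 0:              # 'alias: field' inside a selection set
                m = _ALIAS.match(doc, i)
                if m:
                    aliases += 1
                    i = m.end()
                    continue
        i += 1
    return max_depth, aliases

def check_budget(doc, max_depth=6, max_aliases=20):
    """Return a list of violations; an empty list means the query is within budget."""
    depth, aliases = analyse(doc)
    problems = []
    if depth > max_depth:
        problems.append(f"depth {depth} > {max_depth}")
    if aliases > max_aliases:
        problems.append(f"aliases {aliases} > {max_aliases}")
    return problems

# Constructed samples: a normal product query and a deeply nested, aliased one.
BENIGN = "query P($id: ID!) { product(id: $id) { name reviews(first: 5) { rating } } }"
ABUSIVE = ("{ a1: products(first: 100) { reviews { author { products { reviews "
           "{ author { name } } } } } } a2: products(first: 100) { reviews { author { name } } } }")
```

Depth and alias counts are cheap proxies; a full cost analysis would also weight list fields by their requested page size (the `first: 100` arguments above).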

4. Backend and Database Resilience

Even with strong edge and application defences, some traffic will hit your backends. Resilience here prevents total collapse.

5. Operational Playbook

Finally, effective defence means preparation and practice.

Conclusion

Application-layer and low-and-slow attacks are complex and highly infrastructure-dependent. The right mix of mitigations will differ between, say, an e-commerce platform with dynamic cart endpoints and a gaming backend running WebSockets. The goal is to build layered defences: edge filtering and bot management, proxy and server tuning, protocol-specific safeguards, and backend guardrails. When combined, these controls give you a realistic chance of withstanding attacks that bandwidth-only tools can’t stop.

For a full understanding of DDoS attack types and defence strategies, continue reading our full DDoS taxonomy.


About FastNetMon

FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats.

For more information, visit https://fastnetmon.com
