Layer 7 protection techniques
The request-response technique – used to verify correct network behaviour from the source, this method permits traffic which proves to be “true”. Whilst effective at the network layer, at L7 it demands considerable CPU power, extra actions and complex code from the mitigator.
Pattern identification – used to identify repeating patterns in the traffic headers. Traffic headers are easy to parse at the network layer; at L7, however, HTTP headers are loosely defined, with variable ranges and lengths. The mitigator has to dissect each packet at Layer 3, Layer 4 and Layer 7 to find the pattern which, again, means more code and CPU.
Rate limit – protection based on configured traffic thresholds and responses. The drawback is the blocking of all genuine requests that fall outside the predefined rate limit.
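The sketch below is an added example, not code from the original article: it runs a per-source rate limit and a header-based pattern identification over the same constructed traffic, so the rate-limit drawback and the need to normalise loosely defined HTTP headers are both visible. The thresholds, the choice of fingerprint headers, the function names and the sample requests are all assumptions made for illustration.

```python
import hashlib
from collections import Counter, defaultdict, deque

WINDOW_S, MAX_REQ = 10, 5   # assumed threshold: 5 requests per 10 s per source
FP_HEADERS = ("user-agent", "accept", "accept-language")  # assumed fingerprint fields

def rate_limit(requests, window=WINDOW_S, limit=MAX_REQ):
    """Sliding-window limiter keyed on source IP; one allow/deny verdict per request."""
    recent, verdicts = defaultdict(deque), []
    for ts, ip, _ in requests:
        q = recent[ip]
        while q and ts - q[0] >= window:   # drop timestamps that left the window
            q.popleft()
        allowed = len(q) < limit
        if allowed:
            q.append(ts)
        verdicts.append(allowed)
    return verdicts

def fingerprint(headers):
    """Hash selected header values; header names are case-insensitive, so normalise."""
    norm = {k.lower(): v.strip() for k, v in headers.items()}
    material = "|".join(norm.get(h, "") for h in FP_HEADERS)
    return hashlib.sha256(material.encode()).hexdigest()[:12]

def repeated_patterns(requests, min_sources=3):
    """Fingerprints seen from at least min_sources distinct source IPs."""
    sources = defaultdict(set)
    for _, ip, headers in requests:
        sources[fingerprint(headers)].add(ip)
    return {fp: ips for fp, ips in sources.items() if len(ips) >= min_sources}

def build_sample():
    """Constructed traffic (documentation IPs): one NAT address, then four sources."""
    reqs = [(i * 0.5, "198.51.100.7", {"User-Agent": f"Browser/{i % 4}",
             "Accept": "text/html", "Accept-Language": "en-GB"}) for i in range(8)]
    for n in range(1, 5):   # same header values, header-name case varies per source
        ua = "User-Agent" if n % 2 else "user-agent"
        reqs += [(n + j * 3.0, f"203.0.113.{n}", {ua: "Client/1.0", "Accept": "*/*"})
                 for j in range(2)]
    return sorted(reqs, key=lambda r: r[0])

def analyse(requests):
    """Return (requests blocked per source by the rate limit, repeated patterns)."""
    blocked = Counter(r[1] for r, ok in zip(requests, rate_limit(requests)) if not ok)
    return blocked, repeated_patterns(requests)

if __name__ == "__main__":
    print(analyse(build_sample()))
```

On this sample the rate limit blocks three genuine page loads from the shared address, while the fingerprint groups the four sources that send identical header values despite the differing header-name case.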
Layer 7 attacks continue to grow in complexity, yet organisations keep believing that good L3 and L4 security products are enough for comprehensive protection. Websites behind CDNs and load balancers are still vulnerable to L7 attacks because those tools are simply not designed for real-time bot detection.
Organisations should have proactive monitoring and advanced alerting, an adaptive strategy and properly configured tools to better mitigate unwanted traffic.