Application-Layer Protection
Catch the attacks that look like real traffic.
Layer 7 attacks use legitimate HTTP requests to overwhelm your application. They complete TCP handshakes, send valid headers, and target real endpoints. Flowtriq detects them by analyzing your web server access logs in real-time, spotting the behavioral patterns that separate floods from users.
How It Works
Access log analysis, not packet inspection
L7 attacks look normal at the packet level. A SYN flood is obvious in a packet capture, but 10,000 legitimate-looking GET requests per second from a botnet are indistinguishable from real users by looking at TCP headers alone.
Flowtriq tails your web server's access log (nginx, Apache, Caddy, LiteSpeed, HAProxy) and computes per-second behavioral stats. When the aggregate pattern deviates from baseline, an incident fires through the same pipeline as L3/L4 attacks.
| Property | Detail |
|---|---|
| Input | Web server access log |
| Servers | nginx, Apache, Caddy, LiteSpeed, HAProxy |
| Log formats | Combined, Common, JSON |
| Analysis window | 10-second sliding window |
| Metric interval | Every 2 seconds |
| Setup | Auto-detected, one click to enable |
Detection Signals
Five behavioral signals, scored together
A single signal is not enough. Flowtriq requires multiple corroborating signals before declaring an L7 attack. This prevents false positives from traffic spikes, marketing campaigns, or legitimate bots.
Request Rate Spike
Compares current requests-per-second against an exponentially weighted baseline. A 5x spike is suspicious. A 50x spike with other signals is an attack.
IP Concentration
When a single source IP or small group generates more than 30% of all requests, it indicates a targeted flood rather than distributed legitimate traffic.
Endpoint Concentration
Legitimate traffic spreads across pages. Floods target specific endpoints. When one path receives more than 60% of requests, that path is under attack.
Error Rate Spike
As your server becomes overwhelmed, it starts returning 5xx errors or dropping connections. A sustained error rate above 50% during high traffic signals service degradation.
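The signals above as a working detector, added here as an illustration and not Flowtriq's own code: it parses combined-format access log lines, keeps a 10-second window of per-second buckets, scores the four signals against an exponentially weighted baseline, and declares an attack only when at least two signals agree, so a plain traffic spike on its own stays quiet. The thresholds (5x, 30%, 60%, 50%, two signals, 10-second window) are the ones this page quotes; the EWMA smoothing factor, scoring the single busiest IP rather than a "small group", freezing the baseline while an attack is in progress, and the sample traffic (TEST-NET addresses, a fixed timestamp minute) are assumptions made for the example.

```python
import re
from collections import Counter, deque
from datetime import datetime

# Parser for the nginx/Apache "combined" format the page lists as a supported input.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

def parse_combined(line):
    """Return {ip, path, status, ts} for one combined-format line, or None if malformed."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "path": m.group("path"),
            "status": int(m.group("status")), "ts": int(ts.timestamp())}

class L7Detector:
    """Scores the behavioral signals over a sliding window of per-second buckets.
    Thresholds are the page's; the EWMA factor (alpha) and the rule that attack
    windows do not update the baseline are assumptions of this example."""

    def __init__(self, window=10, alpha=0.2, rate_factor=5.0, ip_share=0.30,
                 path_share=0.60, error_rate=0.50, min_signals=2):
        self.window, self.alpha, self.rate_factor = window, alpha, rate_factor
        self.ip_share, self.path_share = ip_share, path_share
        self.error_rate, self.min_signals = error_rate, min_signals
        self.baseline_rps = None     # exponentially weighted moving average of rps
        self.buckets = deque()       # [second, count, Counter(ip), Counter(path), 5xx count]

    def ingest(self, rec):
        sec = rec["ts"]
        if not self.buckets or self.buckets[-1][0] != sec:
            self.buckets.append([sec, 0, Counter(), Counter(), 0])
            while self.buckets[0][0] <= sec - self.window:   # drop expired seconds
                self.buckets.popleft()
        b = self.buckets[-1]
        b[1] += 1
        b[2][rec["ip"]] += 1
        b[3][rec["path"]] += 1
        if rec["status"] >= 500:
            b[4] += 1

    def evaluate(self):
        total = sum(b[1] for b in self.buckets)
        if total == 0:
            return {"attack": False, "signals": [], "rps": 0.0}
        ips, paths, errors = Counter(), Counter(), 0
        for b in self.buckets:
            ips.update(b[2]); paths.update(b[3]); errors += b[4]
        rps = total / self.window
        top_ip, top_ip_n = ips.most_common(1)[0]
        top_path, top_path_n = paths.most_common(1)[0]
        signals = []
        if self.baseline_rps and rps >= self.rate_factor * self.baseline_rps:
            signals.append("rate_spike")
        if top_ip_n / total > self.ip_share:
            signals.append("ip_concentration")
        if top_path_n / total > self.path_share:
            signals.append("endpoint_concentration")
        if errors / total > self.error_rate:
            signals.append("error_rate")
        attack = len(signals) >= self.min_signals
        if not attack:   # keep a flood from dragging the baseline up with it
            self.baseline_rps = (rps if self.baseline_rps is None
                                 else (1 - self.alpha) * self.baseline_rps + self.alpha * rps)
        return {"attack": attack, "signals": signals, "rps": rps,
                "top_ip": top_ip, "top_path": top_path}

def make_line(ip, path, status, second):
    """Constructed combined-format line; only the seconds field of the timestamp varies."""
    return (f'{ip} - - [10/Oct/2024:13:55:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')

def simulate():
    """Ten seconds of ordinary browsing, then a ten-second flood (both constructed)."""
    det = L7Detector()
    ips = [f"203.0.113.{i}" for i in range(1, 31)]            # TEST-NET-3 documentation range
    paths = ["/", "/about", "/blog", "/pricing", "/docs"]
    for sec in range(0, 10):                                   # 3 rps, spread out, all 200
        for k in range(3):
            i = sec * 3 + k
            det.ingest(parse_combined(make_line(ips[i % 30], paths[i % 5], 200, sec)))
    quiet = det.evaluate()
    for sec in range(10, 20):                                  # 200 rps from two IPs on /login
        for k in range(200):
            ip = "198.51.100.7" if k % 2 == 0 else "198.51.100.8"
            det.ingest(parse_combined(make_line(ip, "/login", 503 if k % 3 else 200, sec)))
    flood = det.evaluate()
    return quiet, flood

if __name__ == "__main__":
    for label, r in zip(("quiet", "flood"), simulate()):
        print(label, r["attack"], r["signals"], round(r["rps"], 1))
```

In the quiet phase no signal fires and the baseline settles at 3 rps; in the flood phase all four fire at once (200 rps against a 3 rps baseline, one IP at 50% of requests, one path at 100%, two thirds of responses 5xx). Running the detector on a single signal, for example a launch-day spike with normal IP and path spread, leaves `attack` false, which is the behaviour the FAQ below describes.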
Setup
One checkbox. Auto-detected.
When you enable L7 detection on a node, the agent automatically scans for running web servers and locates the access log file. No manual configuration needed for standard setups.
For custom log paths or non-standard installations, you can override the auto-detected path from the dashboard. The agent handles log rotation, JSON and combined log formats, and picks up configuration changes within 5 minutes.
L7 detection runs alongside your existing L3/L4 monitoring. Both systems feed into the same incident pipeline, so your alerts, escalation policies, and integrations work for application-layer attacks exactly like they do for volumetric ones.
L7 vs L3/L4
Why you need both
L3/L4 Only
- Detects volumetric floods (SYN, UDP, ICMP)
- Misses low-and-slow attacks (Slowloris, R.U.D.Y.)
- Cannot distinguish bot HTTP requests from real users
- Blind to credential stuffing and API abuse
- Application goes down while PPS looks normal
L3/L4 + L7 (Flowtriq)
- Full-stack detection: volumetric AND application-layer
- Catches HTTP floods that complete TCP handshakes
- Identifies targeted endpoint attacks by path analysis
- Detects credential stuffing via login endpoint concentration
- Unified incident pipeline for all attack types
FAQ
Common questions
Does L7 detection require changes to my web server config?
No. The agent reads your existing access log file. It does not modify your web server configuration, inject middleware, or proxy traffic. It is read-only and runs alongside your server with no performance impact.
Which log formats are supported?
Combined log format (the default for nginx and Apache), common log format, and JSON structured logs (used by nginx json_combined and Caddy). Most standard installations work with zero configuration.
How does it handle log rotation?
The agent monitors the file inode. When the log is rotated (by logrotate or your web server), the agent detects the change and reopens the new file automatically.
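The inode check described in that answer, written out as an added example (not the Flowtriq agent's code): the tail remembers the inode of the handle it holds, and on every read compares it with the inode the path currently resolves to. It goes one step beyond the page by also handling copytruncate-style rotation, where the inode stays the same but the file shrinks under the reader; file names, the temporary directory and the written lines are constructed for the demonstration.

```python
import os
import tempfile

class RotatingTail:
    """Follows a log file across rotation by tracking the inode of the open handle.
    Illustration of the mechanism only; not the Flowtriq agent's implementation."""

    def __init__(self, path):
        self.path = path
        self.fh = None
        self.inode = None
        self._open(seek_end=True)            # like `tail -f`: skip history on first open

    def _open(self, seek_end=False):
        self.fh = open(self.path, "rb")      # binary so tell() is a plain byte offset
        self.inode = os.fstat(self.fh.fileno()).st_ino
        if seek_end:
            self.fh.seek(0, os.SEEK_END)

    def read_new_lines(self):
        lines = self.fh.readlines()          # whatever was appended since the last call
        try:
            on_disk = os.stat(self.path)
        except FileNotFoundError:            # renamed away, new file not created yet
            return [l.decode().rstrip("\n") for l in lines]
        if on_disk.st_ino != self.inode:     # rename-style rotation (logrotate default)
            lines += self.fh.readlines()     # drain writes that landed before the switch
            self.fh.close()
            self._open()                     # new file: read from its beginning
            lines += self.fh.readlines()
        elif on_disk.st_size < self.fh.tell():   # copytruncate: same inode, file shrank
            self.fh.seek(0)
            lines += self.fh.readlines()
        return [l.decode().rstrip("\n") for l in lines]

def demo():
    """Constructed rotation sequence in a temp dir: append, rename, recreate, truncate."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "access.log")
    with open(path, "w") as f:
        f.write("history-1\n")                 # present before the tail starts: never reported
    tail = RotatingTail(path)
    with open(path, "a") as f:
        f.write("old-2\n")
    seen = tail.read_new_lines()                # ["old-2"]
    os.rename(path, path + ".1")                # what logrotate does by default
    with open(path + ".1", "a") as f:
        f.write("old-3\n")                      # a late write that lands in the rotated file
    with open(path, "w") as f:
        f.write("new-1\n")
    seen += tail.read_new_lines()               # ["old-3", "new-1"]
    open(path, "w").close()                     # copytruncate: same inode, contents emptied
    seen += tail.read_new_lines()               # [] but the offset is reset to 0
    with open(path, "a") as f:
        f.write("trunc-1\n")
    seen += tail.read_new_lines()               # ["trunc-1"]
    return seen

if __name__ == "__main__":
    print(demo())
```

The order inside `read_new_lines` matters: the old handle is drained before the new file is opened, so the line written after the rename but before the reopen (`old-3` above) is not lost. The size comparison for truncation is a heuristic; if the truncated file is refilled past the old offset before the next read, that rotation is missed, which is why rename-based rotation is the easier case for a log tailer.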
Will it fire alerts for legitimate traffic spikes?
The detection engine requires at least two corroborating signals before declaring an attack. A traffic spike alone (from a marketing campaign or product launch) will not trigger an alert unless it also shows IP concentration, endpoint targeting, or elevated error rates. The baseline adapts over time as your traffic grows.
Can I use this behind a CDN or load balancer?
Yes. As long as the CDN/load balancer passes the real client IP in the access log (via X-Forwarded-For, CF-Connecting-IP, etc.), the agent will extract and analyze the correct source IPs. This is the default behavior for Cloudflare, AWS ALB, and most reverse proxy setups.