Layer 7 DDoS: When 16 million sessions hit a server per minute

  • Lisa Fröhlich
  • August 29, 2025


Many people still think of DDoS attacks as pure volume battles, so when there is talk of terabit peaks, overloaded backbones, and massive bandwidth battles, they sit up and take notice. However, attacks can also take place in other dimensions, and the consequences can be just as serious.

A recent example shows how precisely Layer 7 DDoS attacks (also known as application layer attacks) are orchestrated today. This was not a case of hours of continuous load or record volumes, but rather the targeted paralysis of a web application through massive parallel sessions. 

Small but powerful 

The attack began inconspicuously. There was no unusual increase in the backbone and no overload of the lines. It was only when the web servers were analyzed that it became clear something was wrong. 

  • Within a few minutes, around 580 million HTTP requests were fired at a single domain.
  • At times, up to 16 million sessions were established in parallel per minute.
  • Around 1,000 different IP addresses were involved, which together generated a highly distributed attack. 
  • The requests were standardized HTTP GET requests—simple, but overwhelming in their sheer volume. 

The result: The application came under massive pressure—not because of the bandwidth, but because of the overload of CPU, memory, and session handling. 

How the attack worked

While volumetric attacks primarily “clog the pipes,” a Layer 7 attack targets the application layer. Here, it is sufficient to send millions of seemingly legitimate requests within a short period of time. Web servers have to process each of these requests and quickly reach their limits. 

Particularly striking in this case:

  • The attack was limited to the root domain, not to deeper directories or APIs. 
  • The requests themselves looked “normal” to outsiders. They were not exotic protocols or faulty requests, but regular GET calls. 
  • More than 102 million bot requests were detected and blocked. 

This highlights the particular danger: such attacks are difficult to distinguish from regular user behavior. 

Real-time defense

The response of the protection systems was crucial. The Web Application Firewall (WAF) detected anomalies early on. Several security rules were triggered simultaneously, such as: 

  • Unusually high request rates per IP 
  • Parallel sessions in unusual density 
  • Access patterns that did not correspond to human behavior 

As soon as a source was classified as suspicious, an additional block was activated at Layer 3. This prevented further malicious traffic from this IP range from even reaching the application layer. In addition, the systems implemented a kind of “quarantine” in which attacker IP addresses classified as suspicious were automatically added to a block list. 
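
The per-IP rate rule and the quarantine step described above, sketched as an added example (not Link11's implementation and not code from the original article). The thresholds, class and function names, and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_S = 10        # sliding window length in seconds (assumed)
MAX_REQS = 20        # per-IP requests allowed per window (assumed)
QUARANTINE_S = 300   # how long a flagged IP stays blocked (assumed)


class RateQuarantine:
    """Per-IP sliding-window rate check feeding a time-limited block list."""

    def __init__(self):
        self.recent = defaultdict(deque)   # ip -> timestamps inside the window
        self.blocked_until = {}            # ip -> expiry time of the block

    def handle(self, ts, ip):
        """Return 'drop', 'block' or 'allow' for one request."""
        # Quarantined sources are dropped before any application work is done,
        # standing in for the Layer 3 block described above.
        if self.blocked_until.get(ip, 0) > ts:
            return "drop"
        self.blocked_until.pop(ip, None)   # block expired (or never existed)

        window = self.recent[ip]
        window.append(ts)
        while window and window[0] <= ts - WINDOW_S:
            window.popleft()

        if len(window) > MAX_REQS:
            self.blocked_until[ip] = ts + QUARANTINE_S
            del self.recent[ip]            # free state held for the blocked source
            return "block"
        return "allow"


def replay(events):
    """Run (timestamp, ip) events through the detector and tally verdicts."""
    det = RateQuarantine()
    tally = defaultdict(lambda: defaultdict(int))
    for ts, ip in events:
        tally[ip][det.handle(ts, ip)] += 1
    return {ip: dict(v) for ip, v in tally.items()}


# Constructed sample traffic (documentation address ranges, not real data):
# one source sending 10 GET / per second for 5 s, one browsing normally.
SAMPLE = sorted(
    [(i / 10, "203.0.113.7") for i in range(50)]
    + [(t, "198.51.100.20") for t in (0.0, 1.5, 4.0, 4.2)]
)

if __name__ == "__main__":
    print(replay(SAMPLE))
```

Because a blocked source is dropped before its request is counted, the detector's memory and CPU cost stops growing for that source once it is quarantined.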

The result: Although the attack was able to generate load in the short term, it was increasingly diverted into a dead end as it progressed. 

A learning botnet

The adaptability of the botnet was particularly interesting. New IP addresses appeared continuously during the attack. As soon as one group was blocked, the next was reloaded. This behavior indicates automated control with a globally distributed infrastructure. 

In other words, this was not a static botnet that would have fizzled out after a few minutes. Rather, it was a highly flexible attack tool that was able to respond to defensive measures. 


Why Layer 7 attacks are so dangerous 

Volumetric attacks are usually easy to detect. Bandwidth explodes, routers and switches sound the alarm. Application layer attacks, on the other hand, often operate below this threshold. They exploit weaknesses in the application itself. 

The main risks are: 

  • Deceptively real: The requests resemble normal user requests. 
  • Resource-intensive: Every single request takes up server capacity. 
  • Difficult to detect: Classic network filters often fail to catch them. 

Companies that are heavily dependent on their web presence — such as those in the e-commerce, gaming, or digital platform sectors — are particularly at risk, because even short attacks can lead to noticeable outages and lost revenue.

Lessons learned from the attack

This incident makes it clear that modern DDoS attackers do not necessarily have to rely on sheer size. Precision beats volume. With relatively few resources—in this case, fewer than 1,000 IP addresses—it’s possible to cause massive damage if the attack tactics are chosen wisely. 

Key findings: 

  • Early anomaly detection is crucial for stopping Layer 7 attacks in time. 
  • Automated defense must be adaptive and able to adjust to changing patterns. 
  • Multi-layered defense — from the backbone to the application — is necessary to close gaps. 

Conclusion

DDoS attacks have long been more than just a race for the highest bandwidth. Today, the danger lies primarily in the combination of technical sophistication and targeted attacks on applications. A Layer 7 attack has shown how serious even “invisible” attacks can be when millions of sessions are established within minutes without any regular user purpose. 

Anyone who wants to protect their services must think in terms of defense in depth: not only fending off gigabit attacks, but also understanding patterns, analyzing behavior, and responding flexibly. This is the only way to effectively defend against highly sophisticated attacks such as these.
