Application layer (Layer 7) attacks target web application logic — Slowloris (holds connections open with partial HTTP requests), HTTP floods, Slow POST. Hard to distinguish from legitimate traffic.
Layer 7 attacks require fewer packets than volumetric attacks. Harder to mitigate because traffic looks legitimate. Defenses: connection rate limiting, CAPTCHA, behavioral analysis, WAF, CDN with bot mitigation.