As a website operator you’ve probably heard vendors, including Incapsula, mention the benefits of layer 7 visibility. However, you may not have ever received a clear explanation as to why it is important to your organization.

In this post, we’ll go beyond buzzwords and delve into the advantages of layer 7 visibility as a DevOps tool used for load balancing and DDoS mitigation.

Defining Layer 7 Visibility

To lay the groundwork, let’s start with some core definitions. In the OSI network model, layer 7 (a.k.a. “application layer”) refers to the top communication layer, supporting applications and end-user processes.

In the context of this discussion it’s important to know that solutions with layer 7 presence are able to gain additional insights about an end-user and an application request, and can also directly interact with the request—such as sending cookies or presenting a CAPTCHA challenge.

It should be noted that most traditional traffic distribution solutions are limited to layers 3 (network) and 4 (transport) visibility. This is simply because they’re focused on traffic routing—not traffic analysis.

As a result, information provided by such a solution is limited to basic attributes, such as source and destination IPs, protocol types, and the number of active connections. These must be known in order to route network packets, but they offer no data about the packets’ actual payload.

Layer 7 visibility, on the other hand, refers to the ability to gain granular insights by looking at such factors as client type, request destination (down to individual URL), number of consecutive requests, and more.

To get a better idea of the differences here, imagine a phone connection between two parties:

  • Network-level visibility is akin to knowing that a phone connection has been established between one party in the U.S. and a second in Germany.
  • Application-level visibility is knowing that the call has been initiated by Joe in Boston, who is contacting a call center in Munich. The call has lasted 30 minutes and Joe has successfully navigated an organization’s interactive voice response (IVR) menu.

In this example, it is apparent how much more layer 7 visibility brings to the table.

At layers 3/4, you know how the call was connected, but little else. The application layer, conversely, provides lots of detailed information and context to Joe’s call, helping understanding not only how, but also why it should be connected.

Why Layer 7 Visibility Is Crucial for DDoS Mitigation

Effective DDoS mitigation is all about accurate filtering of malicious DDoS traffic, without impacting your legitimate visitors. Layer 7 visibility does exactly that by offering granular information to a security solution, which differentiates between legitimate users from malicious DDoS bots.

Returning to the phone example, that Joe was able to navigate the IVR menu provides a solid indication that he is human, rather than an auto-dialer.

This is the type of information valued by intellegent DDoS filtering solutions, where a visitors’ behavior is instantly scrutinized and various challenges can be imposed to determine true identity.

Incapsula’s 2014 Global Bot Traffic Report reveals that 22% of all website visitors are impersonator bots- those that assume a false identity in order to circumvent security measures.

Most commonly, a malicious bot forges an HTTP fingerprint and, in some cases, even some browser-like capabilities (e.g., the ability to retain cookies). It is only by leveraging layer 7 visibility that a security system can ‘hang up’ on the impersonators, without disturbing real callers.

Mitigating a headless-browser DDoS attack

Mitigating a headless-browser DDoS attack (690,000,000+ hits per day)

Why Layer 7 Visibility Is Important for Load Balancing

In a load balancing context, layer 7 visibility helps your organization understand the exact load being transferred—critical information for all traffic distribution decisions.

In the phone example, knowing that Joe’s call is expected to last 30 minutes might be useful in determining which call center operator should handle his call.

Similarly, application layer visibility lets your system assess each server’s response time and then use this data as an indication of availability. The result is optimal load distribution, as opposed to hit or miss alternatives (e.g., randomized round-robin).

Layer 7 visibility is also useful for server health checks. While you can always ping a server to determine if it’s online, receiving a response is no indication of its actual status.

With a layer 7 failover solution, you’re able to devise a more accurate health check process. For example, you can set one up to monitor a specific URL that shows if the application’s database is up and running.

Layer 7 Visibility - Load Balancing

With layer 7 visibility you have live control over server load distribution

Drawing on Our WAF Origins

Many existing load balancing and DDoS protection solutions don’t offer layer 7 visibility. This is because they’re deployed in a manner requiring them to accept large volumes of traffic they’re unable to effectively inspect at an inline rate.

However, such visibility is a core requirement for all web application firewalls (WAFs).

As it expanded into other key application delivery areas, Incapsula- which started out as a cloud-based WAF platform- has preserved and built upon its traffic inspection capabilities. Today, these augments all of our offerings: from DDoS protection to load management and server failover. Layer 7 visibility is but one ingredient of Incapsula’s secret sauce- helping us make your websites and web applications more secure and reliable.


Would you like to write for our blog? We welcome stories from our readers, customers and partners. Please send us your ideas: blog@incapsula.com