An application-layer attack is a category of DDoS attack vector that operates at Layer 7, and it is the class a thorough DDoS test is built to exercise. Instead of saturating bandwidth or connection state, it sends requests that are individually valid but collectively expensive: HTTP floods, slow attacks such as Slowloris and RUDY, and targeted hits on search, login, or checkout endpoints. Because each request completes a legitimate handshake and looks like normal traffic, these attacks bypass volumetric filters and exhaust CPU, worker threads, and backend databases at low bandwidth.
Why it matters in DDoS testing
Application-layer attacks are the hardest to distinguish from real traffic, so the detection surface is request semantics rather than packet volume. A test characterizes the request rate at which the application tier degrades, whether rate limiting and bot management catch the flood without blocking real users, and how the autoscaler behaves under sustained pressure. Validating that the L7 controls hold without false positives is central to DDoS resilience testing.
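
The check described above, whether rate limiting catches the flood without blocking real users, can be scored offline by replaying labelled request logs through a candidate limit. This is an added example, not part of the original page; the per-client sliding-window limiter is a simple stand-in for a real rate-limiting or bot-management control, and the client names, rates and limits are constructed assumptions.

```python
from collections import defaultdict, deque

def replay(events, limit, window_ms):
    """Run (ts_ms, client, label) events through a per-client sliding-window
    limiter; return {label: [blocked, total]}."""
    recent = defaultdict(deque)   # client -> timestamps of admitted requests
    stats = defaultdict(lambda: [0, 0])
    for ts, client, label in sorted(events):
        q = recent[client]
        while q and ts - q[0] >= window_ms:   # drop entries outside the window
            q.popleft()
        stats[label][1] += 1
        if len(q) >= limit:
            stats[label][0] += 1              # request rejected
        else:
            q.append(ts)
    return stats

def constructed_log():
    """Constructed, labelled sample traffic (not captured data)."""
    events = []
    for c in range(20):                       # 20 users, one request every 2 s
        for t in range(0, 60_000, 2_000):
            events.append((t + c * 50, f"user-{c}", "legit"))
    for i in range(12):                       # one real user: 12-request page-load burst
        events.append((30_000 + i * 50, "user-burst", "legit"))
    for c in range(3):                        # 3 flood sources at 50 req/s for 10 s
        for i in range(500):
            events.append((20_000 + i * 20, f"bot-{c}", "flood"))
    return events

def evaluate(limit, window_ms=1_000):
    """Score one limiter setting: flood rejection rate and false positives."""
    s = replay(constructed_log(), limit, window_ms)
    return {
        "flood_blocked_pct": round(100 * s["flood"][0] / s["flood"][1], 1),
        "legit_blocked": s["legit"][0],
    }

if __name__ == "__main__":
    for limit in (5, 20):
        print(limit, evaluate(limit))
```

On this constructed log, a limit of 5 requests per second rejects 90% of the flood but also rejects 7 requests from the bursting real user, while a limit of 20 rejects no legitimate requests and only 60% of the flood.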