Layer-7 DDoS used to mean sending a million HTTP requests from a botnet of compromised IoT devices. The defense was straightforward — rate-limit by IP, blackhole the obvious offenders, move on. That's no longer enough.
What's changed
The bot networks we're seeing in 2026 are running on residential proxy networks rented from broker services that, on paper, sell themselves as ad-verification tools. Each request comes from a different residential IP. Each one passes a JavaScript challenge. Each one looks like a real user — until you look at the timing.
- Inter-request intervals are too uniform. Real users vary; bots clock-tick.
- Browser fingerprints repeat across IPs. We see the same TLS hash from 40,000 different residential addresses.
- Mouse and scroll telemetry, where we collect it, is either absent entirely or replayed from a single recorded session.
What we did
We stopped looking at IPs in isolation. Our WAF now scores requests on a multi-dimensional fingerprint that combines TLS hash, header order, JA4, and behavioral telemetry. A request from a clean IP that scores high on the bot dimensions gets the challenge. A request from an obvious bot IP that has clean human telemetry gets through.
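A toy version of that scoring, added here as an illustration and not the WAF code from this post: each session is scored on the three signals described above (clock-tick timing, one TLS fingerprint seen from many IPs, missing or replayed pointer telemetry), with the fingerprint and telemetry dimensions computed across the whole traffic sample rather than per IP. The `Session` shape, the weights and the thresholds are assumptions.

```python
"""Toy multi-dimensional bot scorer (added example, not the post's WAF code).
Thresholds, weights and the Session shape are assumptions, not the post's."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Session:
    ip: str
    ja4: str                # TLS client fingerprint (JA4)
    request_times: list     # seconds since the session's first request
    telemetry: tuple = ()   # hashed mouse/scroll event stream, () if none


def interval_cv(times):
    """Coefficient of variation of inter-request gaps; ~0 means clock-tick."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else 0.0


def score_sessions(sessions, min_cv=0.15, max_ips=50):
    """Return {ip: score}, 0.0 human-like .. 1.0 bot-like (integer points / 10)."""
    ips_per_ja4, sessions_per_telemetry = defaultdict(set), defaultdict(int)
    for s in sessions:                        # cross-session dimensions first
        ips_per_ja4[s.ja4].add(s.ip)
        if s.telemetry:
            sessions_per_telemetry[s.telemetry] += 1
    scores = {}
    for s in sessions:
        points = 0
        cv = interval_cv(s.request_times)
        if cv is not None and cv < min_cv:    # intervals too uniform
            points += 4
        if len(ips_per_ja4[s.ja4]) > max_ips:  # one TLS hash, many residential IPs
            points += 3
        if not s.telemetry or sessions_per_telemetry[s.telemetry] > 1:
            points += 3                       # absent or replayed telemetry
        scores[s.ip] = min(points, 10) / 10
    return scores


def needs_challenge(scores, threshold=0.5):
    """IPs whose session scores high on the bot dimensions get the JS challenge."""
    return sorted(ip for ip, sc in scores.items() if sc >= threshold)


# Constructed sample: one jittery human, 60 bots sharing a JA4 and one recording.
HUMAN = Session("198.51.100.7", "ja4_human_A", [0.0, 1.3, 4.1, 4.9, 9.2, 11.0], ("m1", "s2", "m7"))
BOTS = [Session(f"203.0.113.{i}", "ja4_bot_X", [k * 2.0 for k in range(6)], ("r1", "r2", "r3"))
        for i in range(60)]
SCORES = score_sessions([HUMAN] + BOTS)
```

Note that a bot session arriving from a fresh, clean residential IP still scores 1.0 here, because nothing in the score depends on the IP's reputation.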
False-positive rate dropped. Block rate on actual L7 attacks went up. The old IP-based rules are still there as a baseline — they catch the unsophisticated attackers who haven't upgraded. The new ones catch everyone else.
What we're watching
The next wave appears to be fully-automated browsers driven by LLM agents that can solve our JavaScript challenges. We've seen a handful in the wild. Defending against that means moving the trust signal to something the agent can't easily fake — and that's a different post.