Bots overload your website
You’ve most certainly heard of volumetric distributed denial-of-service (DDoS) attacks, which try to force a targeted website offline. They are by far not the only kind of denial-of-service attack.
DoS attacks at the application level are dramatically different from DDoS attacks: often relatively few requests are enough to degrade a website’s performance or bring it to a complete standstill. Since the attack happens at OSI layer 7, it cripples your web application and backend while your firewall and load balancers keep functioning as if everything were fine.
A shop website may be able to handle triple the average traffic, but when that amount of traffic hits only the basket page, it may force the application to go down, since that page needs to talk to all components of the shop, including the availability API, the payment partner, tools for credit card fraud detection, and tools that query cross-selling opportunities. It doesn’t take a lot of traffic to knock your website down this way.
How can you detect whether you’re affected?
A sudden increase in calls or emails from customers who complain that the website is slow or down.
Parts or all of your website become unresponsive unexpectedly.
Your server load skyrockets all of a sudden.
Suspicious request peaks for certain pages that cause many individual parts of your system to talk to each other.
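
One way to check for the last symptom, request peaks concentrated on a single page, is to compare each path's per-minute request count with that path's own baseline rather than with total site traffic. The Python below is an added example, not part of the original article; the Common Log Format input, the `factor` and `min_hits` thresholds and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Timestamp and request path from a Common Log Format line (assumed format).
LOG_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+)')

def per_minute_counts(lines):
    """Return {path: Counter({minute: hits})}; query strings are ignored."""
    counts = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip malformed lines instead of failing
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        counts[m["path"].split("?", 1)[0]][ts.replace(second=0)] += 1
    return counts

def find_peaks(lines, factor=5, min_hits=20):
    """Flag minutes where one path gets >= factor x its own median rate."""
    counts = per_minute_counts(lines)
    window = sorted({minute for c in counts.values() for minute in c})
    peaks = []
    for path, minutes in sorted(counts.items()):
        # Minutes without hits count as 0, so rarely used pages get a low baseline.
        baseline = median(minutes[minute] for minute in window)
        for minute in window:
            hits = minutes[minute]
            if hits >= min_hits and hits >= factor * baseline:
                peaks.append((path, minute.strftime("%H:%M"), hits, baseline))
    return peaks

def sample_lines():
    """Constructed log: 10 minutes of traffic, /basket bursts at 10:07."""
    lines = []
    for minute in range(10):
        basket = 40 if minute == 7 else 3
        for path, n in (("/", 30), ("/basket", basket)):
            for i in range(n):
                lines.append(
                    f"198.51.100.{i} - - [01/Jan/2024:10:{minute:02d}:{i:02d} +0000] "
                    f'"GET {path} HTTP/1.1" 200 512')
    return lines

if __name__ == "__main__":
    for path, minute, hits, baseline in find_peaks(sample_lines()):
        print(f"{minute} {path}: {hits} requests/min (baseline {baseline})")
```

In the constructed sample, total traffic at 10:07 is only about double the usual rate, yet the basket page alone receives more than ten times its normal load, which a site-wide request counter would not show.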