The most effective way to stop layer 7 and application layer DDoS attacks is to limit the TCP connection rate. Some layer 7 attack tools can generate thousands of concurrent TCP connections from a single computer, consuming server resources. Legitimate website requests, however, need only a few concurrent TCP connections. If some form of connection restriction is integrated into the TCP/IP stack of a vulnerable Internet server, layer 7 and application layer DDoS attacks can be blocked.
The image above shows how Anti DDoS Guardian protects against layer 7 and application layer DDoS attacks. Note option 2.5, TCP concurrent connections limit.
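The per-IP counting behind a concurrent connections limit, as an added Python example (not part of Anti DDoS Guardian or the original page) that reads `netstat -n` style output and reports remote addresses holding more connections to a service port than allowed. The sample connection table, the port and the limit of 10 are constructed assumptions.

```python
from collections import Counter

# Constructed sample in Windows `netstat -n` layout (documentation addresses only).
SAMPLE_NETSTAT = "\n".join(
    ["  Proto  Local Address        Foreign Address        State",
     "  TCP    0.0.0.0:80           0.0.0.0:0              LISTENING",
     "  TCP    192.0.2.10:80        198.51.100.7:50001     ESTABLISHED",
     "  TCP    192.0.2.10:80        198.51.100.7:50002     ESTABLISHED",
     "  TCP    192.0.2.10:80        198.51.100.7:50004     TIME_WAIT",
     "  TCP    192.0.2.10:3389      198.51.100.7:50003     ESTABLISHED",
     "  TCP    [2001:db8::10]:80    [2001:db8::5]:50100    ESTABLISHED"]
    + [f"  TCP    192.0.2.10:80        203.0.113.9:{40000 + i}      ESTABLISHED"
       for i in range(30)]
)

# States in which a connection is still holding server resources.
ACTIVE_STATES = {"ESTABLISHED", "SYN_RECEIVED", "SYN_RECV"}

def split_endpoint(endpoint):
    """Split 'ip:port' or '[ipv6]:port' into (ip, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)

def connections_per_ip(netstat_text, service_port):
    """Count active TCP connections to service_port, grouped by remote IP."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue  # header, blank line or non-TCP row
        if fields[3].upper() not in ACTIVE_STATES:
            continue  # LISTENING, TIME_WAIT and similar rows are ignored
        try:
            _, local_port = split_endpoint(fields[1])
            remote_ip, _ = split_endpoint(fields[2])
        except ValueError:
            continue  # endpoint without a numeric port
        if local_port == service_port:
            counts[remote_ip] += 1
    return counts

def over_limit(netstat_text, service_port, limit):
    """Return {remote_ip: count} for addresses above the concurrent limit."""
    counts = connections_per_ip(netstat_text, service_port)
    return {ip: n for ip, n in counts.items() if n > limit}

if __name__ == "__main__":
    print(over_limit(SAMPLE_NETSTAT, service_port=80, limit=10))
```
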
Although TCP/IP has no concept of "UDP connections", some layer 7 attack tools work in a way that exhausts UDP server resources. To stop this UDP resource consumption, Anti DDoS Guardian monitors UDP traffic to determine whether bad-behaving IP addresses should be dropped.