But any DDoS mitigation appliance should be similar.
Layer 7 is difficult because it's expensive to do on a scrubbing device, but also because a sufficiently sophisticated DDoS can look like normal traffic.
Cloudflare can stop HTTP layer 7 stuff, but things like DNS protocol? You can't easily tell what's malicious and what's not (however, I've seen some dumb DDoSes where it's things like querying for XYZXYZXYZ...(lots of characters).org, or DNS reflection attacks; those are easy to filter). In those cases, it's really just a matter of overprovisioning your service, or suffering until the attackers run out of money or get bored.
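An added illustration, not part of the original comment: a minimal Python filter for the "easy" case mentioned above, query names with a long label made of one short unit repeated. The `client qname qtype` log format, the thresholds and the sample lines are assumptions constructed for this example.

```python
import re
from collections import Counter

MIN_LABEL_LEN = 24   # assumed threshold: shorter labels are never flagged
MAX_UNIT_LEN = 4     # assumed: "XYZ"-style units of up to 4 characters
MIN_REPEATS = 6      # assumed: the unit must repeat at least this many times

# A short unit repeated back to back at least MIN_REPEATS times.
_PERIODIC = re.compile(r"(.{1,%d}?)\1{%d,}" % (MAX_UNIT_LEN, MIN_REPEATS - 1))

def repeated_unit(label):
    """Return the repeating unit if a long label is mostly one short unit repeated."""
    label = label.lower()  # DNS names are case-insensitive
    if len(label) < MIN_LABEL_LEN:
        return None
    m = _PERIODIC.search(label)
    # Require the periodic run to cover most of the label, not a small part of it.
    if m and len(m.group(0)) >= 0.8 * len(label):
        return m.group(1)
    return None

def is_junk_qname(qname):
    """True if any label of the queried name is a long repeated-pattern label."""
    labels = qname.rstrip(".").split(".")
    return any(repeated_unit(l) for l in labels)

def junk_by_source(log_lines):
    """Count flagged queries per client from 'client qname qtype' lines."""
    hits = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, qname, _qtype = parts
        if is_junk_qname(qname):
            hits[client] += 1
    return hits

# Constructed sample log (documentation addresses and example domains).
SAMPLE_LOG = [
    "192.0.2.10 www.example.org. A",
    "198.51.100.7 " + "xyz" * 20 + ".example.org. A",
    "198.51.100.7 " + "XYZ" * 15 + ".example.org. A",
    "203.0.113.5 " + "ab" * 30 + ".example.org. A",
    "192.0.2.10 a1b2c3d4e5f6a7b8c9d0e1f2a3b4.cdn.example.org. AAAA",
]

if __name__ == "__main__":
    print(dict(junk_by_source(SAMPLE_LOG)))
```

The long but non-repeating CDN-style label in the sample is deliberately left unflagged; a filter like this only catches the crude pattern and does nothing against queries that resemble normal traffic.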
"run out of money or get bored" - made my day, this should also apply to the site owner. I bet there are even companies who are not aware that they have been under attack for years (as the loss is still trivial).