by grepthisab 2962 days ago
What does a "signature" look like specifically, or generally if you can't be specific? Would love to hear about what is actually getting sent to the L7 optimized hardware.
3 comments

In the early 2000s you could get a long way with just the 5-tuple, some basic aggregation inference, and an RRD histogram. The tricky parts were having the ability to divert and process the traffic once characterized. The actual processing wasn’t that complicated; it just needed way bigger rules than could fit in a switch TCAM.
Not the GP, though I've also worked in the DDoS space. Think fancy regexps (augmented with e.g. fast string search engines, counters, etc.), running inside a protocol-specific interpreter.

At least in the product I worked on, L7 processing was done purely in software. You could probably make hardware to do that but there's not a ton of benefit as you're pretty much constrained by memory bandwidth, not CPU power, once you start looking at anything past fixed headers.

(Our product also performed deep-packet inspection – in fact that was its original function – so the L7 processing was probably a bit more general than DDoS-only products.)

It would look at the HTTP request and break it down by URI, host, parameters, cookies, etc. A signature was some combo of those.

It also did layer 2 and 3 detection and looked for the stuff mentioned below like IP and port and if the 3-way handshake was “normal”. Stuff like that.
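A worked illustration of the signature shape the comments describe (break the HTTP request into URI, host, parameters and cookies, match a combination of per-field patterns, and keep a per-source counter), added here as an example and not code from any commenter's product. The sample traffic, the signature and the threshold are constructed for the demo.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic (not from the thread): (source IP, raw HTTP/1.1 request).
SAMPLE_TRAFFIC = [
    ("198.51.100.7", "GET /login?user=alice HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: Mozilla/5.0\r\nCookie: sid=abc\r\n\r\n"),
    ("203.0.113.9", "GET /login?user=x HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: python-requests/2.0\r\n\r\n"),
    ("203.0.113.9", "GET /login?user=y HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: python-requests/2.0\r\n\r\n"),
    ("203.0.113.9", "GET /login?user=z HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: python-requests/2.0\r\n\r\n"),
    ("198.51.100.8", "GET /cart HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: python-requests/2.0\r\n\r\n"),
]

def parse_request(raw):
    """Break a request into the parts the comment names: method, path, host, params, cookies (plus headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    cookies = {}
    for item in headers.get("cookie", "").split(";"):
        name, _, value = item.strip().partition("=")
        if name:
            cookies[name] = value
    return {"method": method, "path": url.path, "host": headers.get("host", ""),
            "params": dict(parse_qsl(url.query)), "cookies": cookies, "headers": headers}

# A signature is a combination of per-field regexes; every listed field must match.
# Keys are dotted paths into the parsed request. Constructed example: login requests
# from a non-browser user agent that carry no session cookie.
SIGNATURE = {"method": r"^GET$", "path": r"^/login$", "host": r"^shop\.example$",
             "headers.user-agent": r"^(?!Mozilla/)", "cookies.sid": r"^$"}

def get_field(req, dotted):
    """Resolve a dotted field name; a missing field reads as the empty string."""
    node = req
    for key in dotted.split("."):
        node = node.get(key, "") if isinstance(node, dict) else ""
    return node if isinstance(node, str) else ""

def matches(req, signature):
    return all(re.search(pattern, get_field(req, name)) for name, pattern in signature.items())

def evaluate(traffic, signature, threshold):
    """Count signature hits per source IP (the counter part) and return sources at or over threshold."""
    hits = Counter(src for src, raw in traffic if matches(parse_request(raw), signature))
    return {src for src, n in hits.items() if n >= threshold}
```

Running `evaluate(SAMPLE_TRAFFIC, SIGNATURE, 3)` flags only 203.0.113.9; the browser request with a cookie and the `/cart` request never match the signature.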