[alexvay]

I'd assume the HEADERs would be the same, e.g. basic stuff like UAS could be the same, or more low-level like Accept-* headers.

Note that this doesn't seem like a DDoS focused on high-bandwidth but rather focused on causing application load by triggering some server action and abusing the CPU/RAM, etc. In this case, Level7 analysis, is very effective and usually simple.

[Igalze]

Very true. As far as headers concerned, we actually dig very deep. For instance, we will look at little encoding-related nuances, which can help identify spoofed headers (ua and IPs are fakeable, after all) :) Also, we look for abnormalities in header order while being aware of variants that can derive from using various devices, proxies, etc. Hence the 10M signature pool, which grows as new variants are spotted across our network.