SYN Flood
A Layer 4 DoS attack is often referred to as a SYN flood. It works at the transport protocol (TCP) layer. A TCP connection is established in what is known as a 3-way handshake. The client sends a SYN packet, the server responds with a SYN ACK, and the client responds to that with an ACK. After the “three-way handshake” is complete, the TCP connection is considered established. It is at this point that applications start sending data via a Layer 7, or application layer, protocol such as HTTP.
A SYN flood uses the inherent patience of the TCP stack to overwhelm a server by sending a flood of SYN packets and then ignoring the SYN ACKs returned by the server. This causes the server to use up resources waiting a configured amount of time for the anticipated ACK that should come from a legitimate client. Because web and application servers are limited in the number of concurrent TCP connections they can have open, if an attacker sends enough SYN packets to a server it can easily chew through the allowed number of TCP connections, thus preventing legitimate requests from being answered by the server.
SYN floods are fairly simple for proxy-based application delivery and security solutions to detect. Because they proxy connections for the servers, and are generally hardware-based with a much higher TCP connection limit, the proxy-based solution can handle the high volume of connections without becoming overwhelmed. Because the proxy-based solution is usually terminating the TCP connection (i.e. it is the “endpoint” of the connection), it will not pass the connection to the server until it has completed the 3-way handshake. Thus, a SYN flood is stopped at the proxy and legitimate connections are passed on to the server quickly.
The attackers are generally stopped from flooding the network through the use of SYN cookies. SYN cookies utilize cryptographic hashing and are therefore computationally expensive, making it desirable to let a proxy/delivery solution with hardware-accelerated cryptographic capabilities handle this type of security measure. Servers can implement SYN cookies, but the additional burden placed on the server negates much of the gain achieved by preventing SYN floods and often results in servers and sites that are available but unacceptably slow.
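The following is an added illustration, not code from the original article or from any vendor's product, of how a SYN cookie lets a server answer a SYN without keeping half-open state: the server's initial sequence number is built from a time counter, an encoded MSS and a keyed hash over the 4-tuple, and the final ACK is validated by recomputing it. The secret key, the 5-entry MSS table and the 64-second tick are constructed for the demo; the field layout is a simplified version of the classic scheme.

```python
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-secret"      # real stacks rotate this key (assumption)
MSS_TABLE = (536, 1024, 1300, 1440, 1460)  # encoded in 3 bits of the cookie
TICK = 64                                  # seconds per step of the 5-bit counter


def _mac24(saddr, daddr, sport, dport, t5, mss_idx):
    """Keyed hash over the 4-tuple, time counter and MSS index, cut to 24 bits."""
    msg = struct.pack("!4s4sHHBB",
                      ipaddress.IPv4Address(saddr).packed,
                      ipaddress.IPv4Address(daddr).packed,
                      sport, dport, t5, mss_idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, client_isn, mss, now):
    """Server ISN placed in the SYN-ACK; nothing is stored for the half-open connection."""
    t5 = (now // TICK) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    low = (_mac24(saddr, daddr, sport, dport, t5, mss_idx) + client_isn) & 0xFFFFFF
    return (t5 << 27) | (mss_idx << 24) | low


def check_syn_cookie(saddr, daddr, sport, dport, seq, ack, now):
    """Validate the client's final ACK; return the negotiated MSS, or None to drop."""
    cookie = (ack - 1) & 0xFFFFFFFF        # our ISN is acknowledged as ISN + 1
    client_isn = (seq - 1) & 0xFFFFFFFF    # the client's SYN carried seq = its ISN
    t5, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
    cur = (now // TICK) & 0x1F
    if ((cur - t5) & 0x1F) > 1 or mss_idx >= len(MSS_TABLE):
        return None                        # stale cookie or invalid MSS field
    expected = (_mac24(saddr, daddr, sport, dport, t5, mss_idx) + client_isn) & 0xFFFFFF
    if (cookie & 0xFFFFFF) != expected:
        return None                        # forged, or replayed against another 4-tuple
    return MSS_TABLE[mss_idx]
```

Because only the ACK that carries a valid cookie creates state, a flood of unanswered SYNs costs the server one hash per packet instead of a connection-table slot each, which is exactly the CPU burden the text says is better placed on hardware-accelerated proxies.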
HTTP GET DoS
A Layer 7 DoS attack is a different beast and it’s more difficult to detect. A Layer 7 DoS attack is often perpetrated through the use of HTTP GET. This means that the 3-way TCP handshake has been completed, thus fooling devices and solutions which only examine layer 4 and TCP communications. The attacker looks like a legitimate connection, and is therefore passed on to the web or application server.
At that point the attacker starts requesting large numbers of files/objects via HTTP GET. They are generally legitimate requests, there are just a lot of them. So many, in fact, that the server quickly becomes focused on responding to those requests and has a hard time responding to new, legitimate requests.
When rate-limiting was used to stop this type of attack, the bad guys moved to using a distributed system of bots (zombies) to ensure that the requests (the attack) came from myriad IP addresses and were therefore not only more difficult to detect, but more difficult to stop. The attacker uses malware and trojans to plant a bot on servers and clients, and then remotely includes them in his attack by instructing the bots to request a list of objects from a target site or server. The attacker might not use bots at all, but might instead gather enough evil friends to launch an attack against a site that has annoyed them for some reason.
Layer 7 DoS attacks are more difficult to detect because the TCP connection is valid and so are the requests. The trick is to realize when there are multiple clients requesting large numbers of objects at the same time and to recognize that it is, in fact, an attack. This is tough because there may very well be legitimate requests mixed in with the attack, which means a “deny all” philosophy will result in the very circumstances the attackers are trying to force: a denial of service.
Defending against Layer 7 DoS attacks usually involves some sort of rate-shaping algorithm that watches clients and ensures that they request no more than a configurable number of objects per time period, usually measured in seconds or minutes. If the client requests more than the configurable number, the client’s IP address is blacklisted for a specified time period and subsequent requests are denied until the address has been removed from the blacklist.
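The rate-shaping rule just described, as an added example that is not part of the original article: a per-client sliding window over request timestamps, a configurable limit, and a timed blacklist. The access-log lines, the client addresses and the limits (5 objects per 10 seconds, 60-second ban) are all constructed for the demo.

```python
from collections import defaultdict, deque

# Constructed access-log lines: "<epoch-seconds> <client-ip> <request-line>".
# 203.0.113.7 plays the flooding client, 198.51.100.4 a legitimate visitor.
SAMPLE_LOG = """\
100 203.0.113.7 GET /index.html
101 203.0.113.7 GET /a.jpg
102 198.51.100.4 GET /index.html
103 203.0.113.7 GET /b.jpg
104 203.0.113.7 GET /c.jpg
105 198.51.100.4 GET /style.css
105 203.0.113.7 GET /d.jpg
106 203.0.113.7 GET /e.jpg
107 203.0.113.7 GET /f.jpg
150 203.0.113.7 GET /g.jpg
170 203.0.113.7 GET /h.jpg
"""

class RateShaper:
    """More than max_requests within `window` seconds bans the client for blacklist_ttl seconds."""
    def __init__(self, max_requests=5, window=10, blacklist_ttl=60):
        self.max_requests, self.window, self.ttl = max_requests, window, blacklist_ttl
        self.history = defaultdict(deque)   # ip -> timestamps still inside the window
        self.blacklist = {}                 # ip -> time the ban expires

    def decide(self, ip, now):
        expiry = self.blacklist.get(ip)
        if expiry is not None:
            if now < expiry:
                return "DENY"
            del self.blacklist[ip]          # ban served; the client starts with a clean window
        window = self.history[ip]
        while window and window[0] <= now - self.window:
            window.popleft()                # forget requests that fell out of the window
        window.append(now)
        if len(window) > self.max_requests:
            self.blacklist[ip] = now + self.ttl
            window.clear()
            return "DENY"
        return "ALLOW"

def shape_log(text, **limits):
    """Replay log lines through the shaper; return (ip, timestamp, decision) per line."""
    shaper = RateShaper(**limits)
    out = []
    for line in text.splitlines():
        ts, ip, _request = line.split(" ", 2)
        out.append((ip, int(ts), shaper.decide(ip, int(ts))))
    return out
```

Replaying the sample log, the flooding client is cut off at its sixth request in the window and stays blocked until the ban expires, while the legitimate visitor's two requests are never touched; lowering `max_requests` shows how quickly the same rule starts catching ordinary clients, which is the trade-off the text goes on to discuss.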
Because this can still affect legitimate users, layer 7 firewall (application firewall) vendors are working on ways to get smarter about stopping layer 7 DoS attacks without affecting legitimate clients. It is a subtle dance and requires a bit more understanding of the application and its flow, but if implemented correctly it can improve the ability of such devices to detect and prevent layer 7 DoS attacks from reaching web and application servers and taking a site down.
The goal of deploying an application firewall or proxy-based application delivery solution is to ensure the quick and secure delivery of an application. By preventing both layer 4 and layer 7 DoS attacks, such solutions allow servers to continue serving up applications without a degradation in performance caused by dealing with layer 4 or layer 7 attacks.
REFERENCES
http://devcentral.f5.com/weblogs/macvittie/archive/2008/07/08/3429.aspx