You can't block a DDoS attack with a firewall alone. If the link is saturated (100Gbps incoming), your firewall will melt: the packets have already filled the pipe before the firewall ever sees them. You need a scrubbing center (Cloudflare/Akamai/AWS) with far more bandwidth than you to absorb the traffic upstream, before it reaches your link.

Layer 7 vs Layer 4

Layer 4 (Transport): SYN Flood, UDP Flood. The aim is to exhaust bandwidth or connection-state tables.
Layer 7 (Application): HTTP Flood. "GET /search?q=random", with the query varied so no cache can absorb it. The aim is to exhaust CPU/RAM on the web server.
L7 attacks are harder to detect because each request on its own looks like legitimate traffic; the flood is only visible in aggregate (request rate, repetition, distribution of sources).

1. Rate Limiting

The first line of defense.
"No IP can make more than 10 requests per second."
Simple, but effective against basic bots.
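As an added example (not code from the original note), here is the "10 requests per second per IP" rule as a sliding-window limiter, replayed over a constructed access log that mixes one normal client with one client sending a Layer 7 search flood. The log format, the two documentation-range addresses and the request timings are all made up for the demonstration.

```python
from collections import defaultdict, deque

# Policy from the note: no IP may make more than 10 requests per second.
LIMIT = 10
WINDOW_SECONDS = 1.0

# Constructed sample traffic (not captured data). Addresses are from the
# RFC 5737 documentation ranges.
LEGIT_CLIENT = "203.0.113.5"
FLOOD_CLIENT = "198.51.100.7"


def build_sample_log():
    """Return access-log text, one request per line: '<unix_ts> <ip> <method> <path>'."""
    events = [
        (1700000000.00, LEGIT_CLIENT, "GET", "/"),
        (1700000000.40, LEGIT_CLIENT, "GET", "/search?q=firewall"),
        (1700000002.00, LEGIT_CLIENT, "GET", "/about"),
    ]
    # A Layer 7 flood: 15 requests inside ~0.3 s, each with a different
    # query string so that a cache cannot absorb them.
    for i in range(15):
        events.append((1700000001.00 + 0.02 * i, FLOOD_CLIENT, "GET", f"/search?q=random{i}"))
    # The same flooding client again 1.5 s later, after the window has moved on.
    events.append((1700000002.50, FLOOD_CLIENT, "GET", "/search?q=random99"))
    events.sort()
    return "\n".join(f"{ts:.2f} {ip} {method} {path}" for ts, ip, method, path in events)


class SlidingWindowLimiter:
    """Per-IP sliding window: at most `limit` allowed requests in any `window` seconds.

    Only allowed requests are recorded, so a client that backs off for one
    full window is admitted again instead of being locked out for good.
    """

    def __init__(self, limit=LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # ip -> timestamps of recent allowed requests

    def allow(self, ip, now):
        q = self._hits[ip]
        while q and now - q[0] >= self.window:  # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def parse_line(line):
    """Parse one log line of the constructed format into (ts, ip, method, path)."""
    ts, ip, method, path = line.split(maxsplit=3)
    return float(ts), ip, method, path


def replay(log_text, limit=LIMIT, window=WINDOW_SECONDS):
    """Run the limiter over a log in timestamp order; return (ts, ip, path, allowed) per request."""
    limiter = SlidingWindowLimiter(limit, window)
    verdicts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path = parse_line(line)
        verdicts.append((ts, ip, path, limiter.allow(ip, ts)))
    return verdicts


def summarize(verdicts):
    """Count allowed and blocked requests per source IP."""
    counts = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for _, ip, _, allowed in verdicts:
        counts[ip]["allowed" if allowed else "blocked"] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, c in summarize(replay(build_sample_log())).items():
        print(f"{ip}: {c['allowed']} allowed, {c['blocked']} blocked")
```

Replaying the sample log admits all three requests from the normal client, lets the first ten of the flood through, rejects the next five, and admits the flooding client again once its burst has aged out of the one-second window. Two caveats worth keeping in mind when tuning this: a botnet whose members each stay under 10 requests per second never trips a per-IP limit, and many legitimate users can share one address behind carrier-grade NAT, so the threshold usually needs to be set per route (a search endpoint is not a static asset) and combined with the upstream scrubbing the note opens with.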

2. Anycast

Announce the same IP address from 100 data centers globally.
Each source's traffic is routed to the nearest data center, so a botnet spread around the world is split across all of them, diluting the attack.
Instead of 100Gbps hitting one server, roughly 1Gbps hits each of 100 servers.