Understanding Layer 3, 4, and 7 DDoS Protection

The OSI model divides network communication into layers. Layers 3, 4, and 7 are among the most important, and the most susceptible to DDoS attacks. Layer 3 is the network layer, layer 4 is the transport layer, and layer 7 is the application layer. Each of these layers plays a vital role in the performance and availability of key network functions and applications, and each is vulnerable to different types of DDoS attacks because of the infrastructure and software it houses.

Layer 3 DDoS Attacks

Layer 3 DDoS attacks go after network infrastructure with the goal of overloading it with traffic. This flood of illegitimate traffic is intended to consume all the available bandwidth on the network so that no additional traffic, including that of legitimate users, can get through. Actual users are then unable to reach some or all of the network, causing frustration and productivity loss.

This type of attack is also known as a volumetric DDoS attack, a common tactic adversaries use to bring down networks and applications. There are several specific types of volumetric attacks, including ICMP floods, IPsec, IP exploits, and more.

Layer 4 DDoS Attacks

Layer 4 DDoS attacks target the transport layer, where data is transferred between applications and other parts of the network. By attacking this layer, adversaries aim to disrupt communication between applications, which renders them unable to perform their core functions. Two protocols operate at the transport layer:

  • Transmission Control Protocol (TCP), which provides a reliable, connection-oriented, and ordered data stream

  • User Datagram Protocol (UDP), which provides a faster, connectionless, and unordered data stream

Attack vectors commonly used against the transport layer include:

  • SYN Floods: Target the TCP handshake by sending synchronize (SYN) packets to begin the three-way TCP handshake. After the server replies with a synchronize-acknowledgment (SYN-ACK) packet, the attacker never sends the final ACK packet. Instead, it sends another wave of SYN requests, leaving a large number of half-open connections. The server's connection resources are exhausted, preventing legitimate connections from being established.

  • ACK Floods: Overwhelm the server's acknowledgment processing by sending a wave of TCP ACK packets. The server cannot keep up with inspecting and managing them, leading to overload and, ultimately, downtime.

  • UDP Floods: Waste bandwidth and processing power by sending UDP packets to random ports on the server. Because UDP is connectionless, the server must check each port for a listening application and, finding none, return an ICMP "destination unreachable" message, wasting resources and causing downtime and poor performance.
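As an added example (not code from the original article or from NETSCOUT), the following minimal TCP connection tracker shows how the two TCP patterns described above are distinguished on the defender's side: SYN floods leave many half-open entries, while ACK floods produce ACKs that match no known connection. The packet records, addresses and thresholds are constructed sample values.

```python
# Added example (not from the original article): a minimal TCP connection
# tracker that flags SYN floods (many half-open connections) and ACK floods
# (ACKs that match no known connection). Packet records are constructed.
from collections import Counter

HALF_OPEN_LIMIT = 5      # assumed threshold; tune per server capacity
ORPHAN_ACK_LIMIT = 5     # assumed threshold for ACKs with no connection

def analyze(packets):
    """packets: iterable of (src, dst, flags) with flags 'S', 'SA' or 'A'.
    Returns half-open and orphan-ACK counts plus flood verdicts."""
    half_open = set()        # (src, dst): SYN seen, handshake not finished
    established = set()      # (src, dst): final ACK seen
    orphan_acks = 0
    syn_sources = Counter()
    for src, dst, flags in packets:
        key = (src, dst)
        if flags == "S":                 # client SYN opens a half-open entry
            half_open.add(key)
            syn_sources[src] += 1
        elif flags == "SA":              # server SYN-ACK changes no state here
            continue
        elif flags == "A":
            if key in half_open:         # final ACK completes the handshake
                half_open.discard(key)
                established.add(key)
            elif key not in established: # ACK for a connection never opened
                orphan_acks += 1
    return {
        "half_open": len(half_open),
        "orphan_acks": orphan_acks,
        "syn_flood": len(half_open) >= HALF_OPEN_LIMIT,
        "ack_flood": orphan_acks >= ORPHAN_ACK_LIMIT,
        "distinct_syn_sources": len(syn_sources),
    }

# Constructed sample: one legitimate client completes its handshake, six
# distinct sources send SYNs and never finish, and one source sends ACKs
# for connections that were never opened.
SERVER = "10.0.0.5"
SAMPLE = [("10.0.0.20", SERVER, "S"), (SERVER, "10.0.0.20", "SA"), ("10.0.0.20", SERVER, "A")]
SAMPLE += [(f"198.51.100.{i}", SERVER, "S") for i in range(1, 7)]
SAMPLE += [(SERVER, f"198.51.100.{i}", "SA") for i in range(1, 7)]
SAMPLE += [("203.0.113.9", SERVER, "A")] * 6

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A real tracker would also age out half-open entries after a timeout and work on a sliding window, so that a burst of new connections from a busy legitimate site is not misread as a flood.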

Layer 7 DDoS Attacks

Where layer 3 and 4 attacks use a flooding approach, much like a hatchet, layer 7 DDoS attacks take a more surgical approach. These attacks target user-facing applications, aiming to disrupt their ability to receive and process the requests they need to function properly. They do so through application layer attacks, including:

  • HTTP Floods: Use bogus HTTP GET or POST requests to flood a web server or application. Although each request appears legitimate, attackers typically send them from botnets in such volume that the target server or application devotes most of its available resources to the bogus requests, leaving legitimate users unable to establish a connection. The main difficulty in combating these attacks is that the flood traffic is almost impossible to distinguish from legitimate user traffic.

  • DNS/NXDOMAIN Floods: Attackers overwhelm the target domain name system (DNS) server with a large volume of queries for non-existent or invalid records, each of which produces an NXDOMAIN error. Both proxy and authoritative DNS servers spend most of their resources handling the bad queries until they can no longer answer any requests at all. This attack is also known as a DNS water torture attack.

  • Slowloris Attacks: A slowloris attack sends partial HTTP requests from a single device to open connections to the target web server and keeps each connection open as long as possible. The goal is to tie up the server's connection slots and exhaust its resources for an extended period with very little bandwidth. This attack can target many types of web server software.
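As an added example (not code from the original article or from NETSCOUT), the snapshot check below shows how a defender can separate the two HTTP-layer patterns described above from normal traffic: slowloris connections are the ones whose request header block never terminates with an empty line, while an HTTP flood shows up as an abnormal completed-request rate from a source. The connection records, addresses and thresholds are constructed, assumed values.

```python
# Added example (not from the original article): classify a snapshot of open
# web-server connections. Slowloris: long-lived connections from one source
# whose headers never finish (no blank line ending the header block).
# HTTP flood: a source whose completed request rate far exceeds the baseline.
# All records and thresholds are constructed/assumed values.
HEADER_TIMEOUT_S = 10      # assumed: headers should complete well within this
SLOW_CONN_LIMIT = 3        # assumed: incomplete connections per source
FLOOD_RATE_LIMIT = 50.0    # assumed: completed requests/second per source

def headers_complete(raw):
    """An HTTP request header block ends with an empty line (CRLF CRLF)."""
    return b"\r\n\r\n" in raw

def classify(conns, now):
    """conns: list of dicts {src, opened, raw, requests}; now: current time.
    Returns {src: set of labels} for sources that look abusive."""
    slow = {}       # src -> number of stale, incomplete-header connections
    reqs = {}       # src -> (completed requests, oldest connection age)
    for c in conns:
        age = now - c["opened"]
        if not headers_complete(c["raw"]) and age > HEADER_TIMEOUT_S:
            slow[c["src"]] = slow.get(c["src"], 0) + 1
        count, oldest = reqs.get(c["src"], (0, 0.0))
        reqs[c["src"]] = (count + c["requests"], max(oldest, age))
    verdicts = {}
    for src, n in slow.items():
        if n >= SLOW_CONN_LIMIT:
            verdicts.setdefault(src, set()).add("slowloris")
    for src, (count, oldest) in reqs.items():
        if oldest > 0 and count / oldest > FLOOD_RATE_LIMIT:
            verdicts.setdefault(src, set()).add("http_flood")
    return verdicts

# Constructed snapshot: a normal client, one source holding four connections
# with headers that never finish, and one source hammering the server.
NOW = 1000.0
PARTIAL = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-a: 1\r\n"
FULL = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE = [{"src": "10.0.0.20", "opened": 970.0, "raw": FULL, "requests": 4}]
SAMPLE += [{"src": "198.51.100.7", "opened": 940.0, "raw": PARTIAL, "requests": 0}
           for _ in range(4)]
SAMPLE += [{"src": "203.0.113.9", "opened": 980.0, "raw": FULL, "requests": 3000}]

if __name__ == "__main__":
    print(classify(SAMPLE, NOW))
```

The per-source rate check only catches floods from a small number of sources; a botnet that spreads the same request volume over thousands of clients stays under the threshold, which is exactly why the article calls this traffic hard to tell apart from legitimate users.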

Application layer attacks are more precise than they are large, which makes them harder to detect. They target specific application or service functions and features to maximize impact.

Mitigation Strategies

Mitigation varies based on the type of attack that is being deployed against a network or application. Some attacks, like volumetric attacks, are best mitigated by cloud-based DDoS protection solutions that can detect and reroute large volumes of malicious traffic. Meanwhile, application layer attacks may be better combatted with on-premises, inline DDoS protection solutions.

Best Practices for Comprehensive DDoS Defense

Ideal solution sets for DDoS defense are multifaceted. They leverage an adaptive defensive toolset that boasts cloud-based and on-premises solutions to detect, mitigate, and recover from all types of DDoS attacks. Relying on ISP-provided solutions is not enough, as most attacks are too small to be detected by their provided solutions.

Additionally, relying on stateful devices, like next-generation firewalls (NGFWs) or web application firewalls (WAFs), is not sufficient. Because they must keep state for every connection, these devices are easily overwhelmed by DDoS attack traffic, rendering them unable to perform their core duties.

NETSCOUT offers complete DDoS protection solutions to mitigate all types of DDoS attacks. The Arbor DDoS set of products can be equipped with real-time threat intelligence to automatically detect and block the latest DDoS threats.

Manuel Díaz Cayetano

Senior Sales Engineer at NETSCOUT

3mo

Very helpful

Alain SZKIL

Sales Engineer at NETSCOUT

3mo

Useful advice
