What Are L3 and L4 DDoS Attacks?

Understanding L3 and L4 DDoS Attacks

A Distributed Denial-of-Service (DDoS) attack is a malicious attempt to disrupt the normal functioning of a server, network, web application, etc., by overwhelming the target or its surrounding infrastructure with malicious traffic using a number of simultaneous, coordinated DoS attacks.

In particular, L3 DDoS attacks and L4 DDoS attacks target the processes and appliances that operate on the lower layers of the OSI model: the network layer (layer 3) and the transport layer (layer 4). These attacks focus on exhausting the resources of the network infrastructure, rendering the target unavailable to legitimate users.

Roughly speaking, layer 3 DDoS attacks primarily affect core network devices like switches and routers, while layer 4 DDoS attacks mostly target more advanced hardware like firewalls and servers.

Which Protocols Are Included in OSI Model Layer 3 and Layer 4

Let's take a quick look at the specific protocols that are most commonly targeted in L3/L4 DDoS attacks.

  • IP (Internet Protocol): As the name suggests, this protocol is a backbone of the Internet. It is responsible for routing packets of data from the source to the destination across multiple networks based on the IP addresses in the packet headers.
  • ICMP (Internet Control Message Protocol): A supporting protocol that is used for diagnostic and control purposes, such as error reporting and network troubleshooting. For instance, tools like ping and traceroute use ICMP.
  • TCP (Transmission Control Protocol): One of the main protocols of the Internet protocol suite. It is designed to send packets across the Internet and ensure the successful delivery of data over IP networks.
  • UDP (User Datagram Protocol): An alternative to TCP that prioritizes speed over reliability. This protocol is often used in applications where connection latency is critical and occasional data loss is acceptable, such as video streaming, DNS lookups, online gaming, and more.

How L3/L4 DDoS Attacks Work

Most often layer 3 DDoS attacks rely on extremely high volumes of IP-traffic to consume bandwidth and overwhelm stateless network equipment (switches, routers), eventually degrading access for legitimate users. This can be achieved in many ways: from the use of large botnets of compromised devices to amplification/reflection attacks, where legitimate infrastructure is used to multiply malicious requests. The attacker does not need to choose just one method; in practice, a combination of these techniques is often used.

Layer 4 DDoS attacks, on the other hand, flood the network with malicious traffic, often spoofed, targeting transmission protocols and trying to exhaust resources of stateful equipment (firewalls, servers). The end goal here is also to cause congestion, resulting in delays and disruptions in normal network operations.

Some attacks simultaneously exhaust the resources of both equipment operating at the network layer and devices working at the transport layer, and therefore can be classified as combined L3/L4 DDoS attacks.

In any case, overwhelmed by the attack, network infrastructure drops or delays legitimate data packets. This causes deteriorated network performance, and ultimately leads to poor user experience, service interruptions, or even complete unavailability.

Types of L3/L4 DDoS Attacks

Now let's examine several of the most commonly used types of L3/L4 DDoS attacks. It's worth noting that these basic attacks are often not used in isolation but complement each other. Therefore, in practice, a combination of these attacks is usually deployed.

  • IP Fragmented Flood Attack: This attack abuses the IP fragmentation mechanism in which packets are broken into smaller pieces by the sender to accommodate network transmission limits and then are reassembled by the recipient. An attacker sends large amounts of fragmented packets, hoping to exhaust the target's ability to process and reassemble them.
  • DNS Amplification Attack: Although DNS itself is included in the application layer (L7) of the OSI model, DNS amplification is actually an L3 DDoS attack. Attackers exploit DNS servers to send a large number of queries to the target system. These queries return a large amount of data, overwhelming the network layer equipment.
  • ICMP Flood Attack: Also known as a ping flood, this type of DDoS attack uses large volumes of bogus ICMP echo requests (pings), to which the target has to respond with echo replies, in an attempt to overwhelm both the incoming and outgoing channels of the network.
  • TCP Flood Attack: An attack that aims to flood the target with TCP connection requests, overwhelming the target's ability to handle legitimate connections. The attacker's goal is to exhaust the target system's resources, resulting in service disruptions.
  • SYN Flood Attack: Attack that exploits the TCP handshake process: an attacker rapidly initiates a succession of connection attempts to a server by sending the SYN (synchronise) requests from spoofed sources. These connections are never finalized with ACK (acknowledge) requests, leaving the target with half-open connections, consuming its resources and eventually leading to service unavailability. Related attack types include SYN-ACK flood and ACK flood.
  • UDP Flood Attack: An attacker sends a massive number of UDP packets to random ports on the target server. Upon receiving these packets, the target system must check for applications listening at each port. After realizing that there are none, it then has to respond with an ICMP Destination Unreachable packet. This process consumes the target's resources and leads to network congestion.

Impact on Business

Successful DDoS attacks often have a significant impact on businesses, affecting various aspects of operations and harming their reputation.

Financial impact: DDoS attacks result in direct financial losses, including lost revenue caused by downtime and resources spent on recovery efforts. Additionally, there might be costs related to regulatory fines and compensating customers affected by the service disruptions. Since DDoS attacks are increasingly used by ransomware gangs, in some cases there is also ransom to be paid.

Operational impact: By slowing down network performance and generating service outages, DDoS attacks interfere with regular business operations. This can reduce employee productivity, which can be further exacerbated by resources being diverted to deal with the aftermath of the attack.

Reputational impact: Aside from the immediate damages, a successful DDoS attack can also have long-term consequences. Customers who are disappointed in the reliability of the company's services may lose loyalty. The company's brand may also suffer from unwanted publicity caused by a DDoS attack, leading to lost business opportunities and customer churn.

How to Protect from L3/L4 DDoS Attacks

One of the simplest ways to mitigate a layer 3 DDoS attack or layer 4 DDoS attack is blackholing. It works by redirecting traffic from a certain range of IP addresses to a null route (a blackhole), effectively removing it from the targeted network. This technique can be used to quickly eliminate large volumes of malicious traffic. However, it also drops legitimate traffic coming from the same range of IP addresses which can become a problem during large-scale and long-lasting DDoS attacks. For this reason, using this method is not recommended and should be considered as a last resort.

Another technique is rate limiting, that is, controlling the amount of traffic allowed to reach the target system and preventing overwhelming volumes of malicious traffic. However, since rate limits are set per IP address, this mitigation technique is not effective against DDoS attacks that use a large number of addresses. At the same time, rate limiting can also cause blocking legitimate traffic if the limit is set too low.

An effective way to mitigate DDoS attacks is through traffic filtering. Identifying and blocking malicious traffic while allowing legitimate traffic to pass through isn't a trivial task, though. There is also the question of scale: how large of a DDoS attack a filtering solution itself can handle.

Scrubbing centers offer robust L3 and L4 DDoS protection by diverting incoming traffic to specialized facilities where it is analyzed and filtered. Malicious traffic is removed, and clean traffic is forwarded to the target system. These centers use advanced technologies and algorithms and have enough redundancy to effectively handle large-scale attacks.

Qrator.AntiDDoS provides comprehensive protection against both L3/L4 and L7 DDoS attacks through its global network of 15 scrubbing centers, connected either to Tier 1 or leading regional providers. Offering always-on protection, Qrator.AntiDDoS uses BGP Anycast routing to distribute traffic efficiently, ensuring real-time monitoring and filtering. Our distributed cloud infrastructure effectively mitigates attacks of any scale while minimizing costs for customers.