← All articles
Security 7 min

DDoS attacks: understanding L3, L4 and L7 threats — and how to stop them

A distributed denial-of-service (DDoS) attack aims to make a service unavailable by overwhelming it with traffic from a large number of sources. Behind that generic term lie very different attacks, which are not fought the same way. Classifying them by network layer helps you understand — and defend against — them.

Volumetric attacks (layers 3 and 4)

These get the headlines: the attacker saturates your link by sending massive bandwidth (today commonly several hundred Gbps, sometimes Tbps). The classic techniques are amplification (DNS, NTP, memcached: the attacker sends a small request that triggers a huge response toward your spoofed address) and UDP/ICMP floods.

Against them, the only realistic defence is upstream, inside the operator's network: capacity must be large enough to absorb the attack, and malicious traffic must be filtered before it reaches your link. A firewall installed on your side is drowned long before it can react.

Protocol attacks (layer 4)

Rather than saturating bandwidth, they exhaust the resources of a device (server, load balancer, firewall) by abusing how protocols work. The SYN flood is the archetype: the attacker opens thousands of half-established TCP connections and lets the machine's state table fill up.

The countermeasure relies on mechanisms such as SYN cookies, limiting the number of connections per source and, again, upstream filtering able to tell legitimate connections from noise.

Application-layer attacks (layer 7)

The most insidious. The traffic looks like legitimate requests — a flood of HTTP requests to an expensive page, for instance — but in volumes large enough to exhaust your application or database. Raw bandwidth can be low: it is the number of requests and their cost that hurt.

They require fine-grained analysis: behavioural profiling, challenges such as JavaScript or captcha, per-client rate limiting, and application rules (WAF). Simply measuring bandwidth does not detect them.

Best practices

  • Protect upstream, in the network: mitigation must happen before your access link, not after.
  • Have capacity and scrubbing: an over-provisioned network that "cleans" traffic absorbs spikes without cutting the service.
  • Monitor continuously: detecting early means reacting before an outage — hence the value of a 24/7 NOC.
  • Prepare a plan: knowing who to contact and which actions to trigger saves decisive time on the day.

This is the approach of our DDoS protection: L3/L4/L7 mitigation integrated into our network, with no extra equipment on your side, monitored around the clock. It is natively included in our IP transit.

A network project to bring to life?

Let's talk about your needs — a tailored quote within 24 h, no commitment.

Contact us