A company’s web server crashes under a DDoS attack. The engineering team investigates: bandwidth utilization is at 5%. CPU is at 100%. The firewall shows no anomalies. Every incoming request is a perfectly valid HTTP GET.
This is a Layer 7 attack, and most network engineers' first instinct is to look for a volumetric flood that does not exist.
Understanding which layer an attack targets is the difference between deploying the right defense in sixty seconds and spending hours troubleshooting the wrong problem.
The OSI Model in 60 Seconds
The Open Systems Interconnection (OSI) model divides network communication into seven layers. For DDoS, three layers matter:
Layer 3 (Network) handles IP addressing and routing. Every packet has a source IP, destination IP, and protocol identifier. This is where IP-level floods operate.
Layer 4 (Transport) handles TCP and UDP — connection management, port numbers, and flow control. This is where SYN floods, UDP floods, and connection exhaustion attacks operate.
Layer 7 (Application) handles HTTP, DNS, SMTP, and other application protocols. This is where the actual content of communication lives — URLs, headers, cookies, API payloads.
When people say “Layer 3/4 attack,” they mean attacks targeting the network infrastructure itself. When they say “Layer 7 attack,” they mean attacks targeting the application running on that infrastructure.
Layer 3/4 Attacks: The Volume Play
Layer 3/4 attacks are designed to overwhelm bandwidth, exhaust routing capacity, or flood connection tables. They don’t try to look legitimate — they try to be massive.
Common Layer 3/4 Attack Types
| Attack | Layer | Protocol | Mechanism |
|---|---|---|---|
| UDP Flood | 3/4 | UDP | Massive volumes of random UDP packets |
| SYN Flood | 4 | TCP | Half-open connections exhaust backlog |
| DNS Amplification | 3/4 | UDP | Small queries → large spoofed responses |
| NTP Amplification | 3/4 | UDP | monlist command → 556x amplification |
| ICMP Flood | 3 | ICMP | Ping floods saturate bandwidth |
| ACK Flood | 4 | TCP | Unsolicited ACK packets waste processing |
| GRE Flood | 3 | GRE | Encapsulated packets bypass some filters |
| Fragment Flood | 3 | IP | Fragmented packets exhaust reassembly buffers |
Characteristics of Layer 3/4 Attacks
High volume. These attacks are measured in gigabits per second (Gbps) and packets per second (PPS). A typical volumetric attack ranges from 10 Gbps to 500+ Gbps. The largest recorded attacks have exceeded 3 Tbps.
Simple packets. Attack traffic consists of basic network packets — often random payloads, spoofed source IPs, and no application-layer content. A 100-byte UDP packet repeated 10 million times per second is the purest form of Layer 3/4 attack.
Easy to detect. Bandwidth graphs spike dramatically. Packet rates jump from normal to millions per second. Protocol distributions shift (suddenly 99% of traffic is UDP when it’s normally 80% TCP). Detection systems identify these attacks quickly because the statistical anomaly is unmistakable.
Hard to sustain affordably. Generating 100+ Gbps requires significant botnet resources. Attackers either use amplification (turning 1 Gbps into 50 Gbps) or rent large botnets — both of which cost money.
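To make the statistical detection concrete, here is an added example (not the article's or CoreTech's code) that buckets constructed packet samples per second and raises the three signals just described: a packet-rate spike, a protocol-mix shift toward UDP, and an explosion in distinct source addresses that betrays spoofing. The sample records, thresholds and five-second baseline window are assumptions chosen for illustration.

```python
"""Layer 3/4 flood detector over constructed packet samples.

Added example, not code from the article or from CoreTech.  Each sample is
(timestamp_s, src_ip, protocol, length_bytes), roughly what a flow collector
or packet tap produces.  A second is flagged when its packet rate, its UDP
share, or its number of distinct sources jumps well above a quiet baseline.
"""
import random
from collections import Counter, defaultdict


def per_second_stats(samples):
    """Bucket packets by whole second: count, bytes, per-protocol counts, distinct sources."""
    buckets = defaultdict(lambda: {"pkts": 0, "bytes": 0, "proto": Counter(), "srcs": set()})
    for ts, src, proto, length in samples:
        b = buckets[int(ts)]
        b["pkts"] += 1
        b["bytes"] += length
        b["proto"][proto] += 1
        b["srcs"].add(src)
    return dict(sorted(buckets.items()))


def baseline(stats, quiet_seconds):
    """Average PPS, UDP share and distinct-source count over seconds known to be quiet."""
    n = len(quiet_seconds)
    return {
        "pps": sum(stats[s]["pkts"] for s in quiet_seconds) / n,
        "udp_share": sum(stats[s]["proto"]["UDP"] / stats[s]["pkts"] for s in quiet_seconds) / n,
        "srcs": sum(len(stats[s]["srcs"]) for s in quiet_seconds) / n,
    }


def classify(stats, base, pps_factor=10.0, udp_jump=0.3, src_factor=10.0):
    """Return {second: [reasons]} for seconds that look like a Layer 3/4 flood."""
    alerts = {}
    for sec, b in stats.items():
        udp_share = b["proto"]["UDP"] / b["pkts"]
        reasons = []
        if b["pkts"] > base["pps"] * pps_factor:
            reasons.append(f"{b['pkts']} pkt/s, {b['bytes'] * 8 / 1e6:.1f} Mbit/s (baseline {base['pps']:.0f} pkt/s)")
        if udp_share - base["udp_share"] > udp_jump:
            reasons.append(f"UDP share {udp_share:.0%} vs baseline {base['udp_share']:.0%}")
        if len(b["srcs"]) > base["srcs"] * src_factor:
            reasons.append(f"{len(b['srcs'])} distinct sources vs baseline {base['srcs']:.0f} (spoofing)")
        if reasons:
            alerts[sec] = reasons
    return alerts


def constructed_samples(seed=1):
    """Synthetic traffic: 5 quiet seconds, then 3 seconds of a spoofed-source UDP flood."""
    rng = random.Random(seed)
    clients = [f"203.0.113.{i}" for i in range(1, 41)]
    samples = []
    for sec in range(8):
        for _ in range(1000):                      # background: ~1,000 pkt/s, 80% TCP
            proto = "TCP" if rng.random() < 0.8 else "UDP"
            samples.append((sec + rng.random(), rng.choice(clients), proto, rng.randint(60, 1500)))
        if sec >= 5:
            for _ in range(20000):                 # flood: 20,000 x 100-byte UDP from random sources
                src = ".".join(str(rng.randint(1, 254)) for _ in range(4))
                samples.append((sec + rng.random(), src, "UDP", 100))
    return samples


def detect(samples, quiet_seconds=range(5)):
    """Learn a baseline from the quiet seconds, then classify every second."""
    stats = per_second_stats(samples)
    return classify(stats, baseline(stats, quiet_seconds))


if __name__ == "__main__":
    for sec, reasons in detect(constructed_samples()).items():
        print(f"t={sec}s: " + "; ".join(reasons))
```

Only seconds 5 through 7 trip all three tests; the quiet seconds stay within a few percent of the baseline on every axis, which is why volumetric detection can be tuned aggressively without false positives.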
Layer 7 Attacks: The Stealth Play
Layer 7 attacks are designed to exhaust the application’s ability to process requests. Each attack request looks identical to a legitimate user request — the attack volume may be tiny compared to Layer 3/4, but the damage per request is massive.
Common Layer 7 Attack Types
| Attack | Protocol | Mechanism |
|---|---|---|
| HTTP GET Flood | HTTP | Thousands of requests for resource-heavy pages |
| HTTP POST Flood | HTTP | Large form submissions consuming server processing |
| Slowloris | HTTP | Partial requests held open, exhausting connection slots |
| Slow POST | HTTP | Declares a large Content-Length, then trickles the body a few bytes at a time |
| API Abuse | HTTP/REST | Triggering expensive database queries via API |
| DNS Query Flood | DNS | Legitimate-looking queries for random subdomains |
| WordPress XML-RPC Pingback | HTTP | Pingback requests reflected and amplified through many WordPress sites |
Characteristics of Layer 7 Attacks
Low volume. A devastating Layer 7 attack might generate only 50,000 requests per second — a fraction of the PPS in a volumetric attack. Bandwidth usage may barely register. Your monitoring dashboard shows normal traffic levels while your application is completely unresponsive.
Expensive per request. Each Layer 7 request forces the server to do real work: parse HTTP headers, execute application logic, query databases, render templates, serialize responses. A single HTTP request to a search endpoint might trigger a 500ms database operation. At 10,000 requests per second, Little's law (requests in flight = arrival rate × service time) puts about 5,000 database queries in flight at any instant, far more than a typical connection pool will hold.
Protocol-compliant. Layer 7 attack traffic passes every network-level check. It uses valid TCP connections with complete handshakes. HTTP headers are well-formed. URLs are real. User-Agent strings are realistic. The traffic is indistinguishable from legitimate requests at the packet level.
Hard to detect. Because each individual request is legitimate, detection requires understanding application-level patterns: request rates per session, URL distribution, geographic consistency, and behavioral fingerprinting. Traditional network monitoring tools see nothing unusual.
Cheap to launch. Because the attack relies on the target’s own resource consumption (not bandwidth), a small number of attack sources can be devastating. A single server sending 10,000 HTTP requests per second can overwhelm a web application that costs $10,000/month to host.
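The behavioral signals listed above can be computed from an ordinary access log. The following is an added example, not code from the article or from CoreTech, that parses constructed nginx-style combined-log lines (with an assumed extra trailing field for the session cookie) and scores each client on request rate, concentration on expensive endpoints, and whether it ever presents a session. The endpoint list, thresholds and sample traffic are assumptions.

```python
"""HTTP flood scoring over access-log lines.

Added example, not code from the article or from CoreTech.  It parses
constructed nginx-style combined-log lines that carry an assumed extra
trailing field, the session cookie ("-" when absent), and scores every
client on request rate, concentration on expensive endpoints, and whether
it ever presents a session.
"""
import random
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<session>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
EXPENSIVE_PREFIXES = ("/search", "/api/report")   # assumed: endpoints that hit the database


def parse(lines):
    """Yield one dict per line matching LOG_RE; skip anything that does not parse."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            yield rec


def score_clients(lines, max_rps=5.0, expensive_share=0.8, min_requests=20):
    """Return {ip: [reasons]} for clients whose behaviour looks like an HTTP flood bot."""
    by_ip = defaultdict(list)
    for rec in parse(lines):
        by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        span = max((recs[-1]["ts"] - recs[0]["ts"]).total_seconds(), 1.0)
        rps = len(recs) / span
        expensive = sum(r["path"].startswith(EXPENSIVE_PREFIXES) for r in recs) / len(recs)
        reasons = []
        if rps > max_rps:
            reasons.append(f"{rps:.1f} req/s sustained over {span:.0f}s")
        if len(recs) >= min_requests and expensive >= expensive_share:
            reasons.append(f"{expensive:.0%} of requests hit expensive endpoints")
        if len(recs) >= min_requests and all(r["session"] == "-" for r in recs):
            reasons.append("never presents a session cookie")
        if reasons:
            flagged[ip] = reasons
    return flagged


def constructed_log(seed=7):
    """Synthetic log: one bot hammering /search with no cookie, two ordinary users."""
    rng = random.Random(seed)
    t0 = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"

    def line(ip, t, path, session):
        return (f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 '
                f'{rng.randint(500, 50000)} "-" "{ua}" "{session}"')

    lines = [line("198.51.100.7", t0 + timedelta(seconds=i / 6),
                  f"/search?q={rng.randrange(10**6)}", "-") for i in range(60)]   # 60 searches in 10 s
    for i in range(8):                                                        # 8 page views in a minute
        lines.append(line("203.0.113.10", t0 + timedelta(seconds=i * 8),
                          rng.choice(["/", "/about", "/blog/42", "/search?q=pricing"]), "sess_9f1c"))
    for i in range(3):
        lines.append(line("203.0.113.11", t0 + timedelta(seconds=i * 20), "/blog/7", "sess_02aa"))
    lines.append("this line is corrupt and must be skipped by the parser")
    rng.shuffle(lines)
    return lines


if __name__ == "__main__":
    for ip, why in score_clients(constructed_log()).items():
        print(ip, "->", "; ".join(why))
```

Note that every one of the bot's requests would pass a WAF signature check and a packet filter: the only thing that separates it from the two real users is the combination of rate, endpoint concentration and the missing session, which is exactly why Layer 7 detection has to be behavioral rather than per-request.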
The Comparison Table
| Aspect | Layer 3/4 | Layer 7 |
|---|---|---|
| Goal | Saturate bandwidth/connections | Exhaust application resources |
| Volume | 10-500+ Gbps | 0.1-5 Gbps |
| PPS | Millions | Thousands to tens of thousands |
| Packet content | Random/minimal | Valid application requests |
| Source IPs | Often spoofed | Real IPs (botnets, proxies) |
| TCP handshake | None (spoofed packets, half-open SYNs) | Complete |
| Detection difficulty | Easy (statistical) | Hard (behavioral) |
| Mitigation approach | Packet filtering, rate limiting | Request analysis, challenge-response |
| Attacker cost | High (bandwidth expensive) | Low (application does the work) |
| Typical duration | Minutes to hours | Hours to days |
| Collateral damage | Entire network segment | Specific application/service |
Why You Need Different Defenses
A packet filter that drops 10 million PPS of UDP flood traffic won’t help with 50,000 legitimate-looking HTTP requests per second. A WAF analyzing HTTP headers won’t help when your upstream link is saturated with 200 Gbps of amplification traffic before packets even reach your server.
Layer 3/4 Requires: Packet-Level Filtering at Scale
- Stateless packet inspection at wire speed
- Per-source rate limiting on UDP and ICMP
- TCP flag validation (SYN, ACK, FIN, RST)
- Protocol filtering (block unused protocols)
- GeoIP-based traffic reduction
- Amplification signature detection
- Sufficient upstream bandwidth to absorb the flood
Layer 7 Requires: Application-Aware Analysis
- HTTP request rate limiting per source
- URL pattern analysis (are 10,000 clients requesting the same expensive endpoint?)
- Challenge-response mechanisms (JavaScript challenges, CAPTCHAs)
- Session validation (does this “user” have a valid session?)
- Bot detection (behavioral fingerprinting)
- API-specific rate limiting and authentication
How CoreTech Handles Both Layers
Layer 3/4: CoreEdge™
CoreEdge™ is purpose-built for Layer 3/4 mitigation. It hooks the XDP layer, the earliest software interception point in the Linux receive path, so it processes every packet at wire speed in the NIC driver before the kernel allocates a socket buffer or runs the rest of the network stack.
6 firewall actions provide granular control over how traffic is handled:
| Action | Name | Use Case |
|---|---|---|
| 0 | DROP | Block all matching traffic |
| 1 | ACCEPT | Whitelist known-good sources |
| 2 | RATE_LIMIT_RULE | Global PPS threshold per rule |
| 3 | RATE_LIMIT_SRC | Per-source PPS threshold |
| 4 | MATCH_CONNECTION | Stateful TCP validation |
| 5 | CUSTOM_DEFAULT | Full protocol-specific tuning (30+ parameters) |
For a typical Layer 3/4 attack, mitigation involves:
- CoreDetection™ identifies the anomaly within seconds
- Automated rules deploy to CoreEdge™
- UDP floods are rate-limited per source
- SYN floods are validated with MATCH_CONNECTION
- Amplification traffic is identified by source-response correlation
- GeoIP rules reduce attack surface
Your servers never see the attack traffic. Zero added latency for clean traffic.
Layer 7: Upstream Integration
Layer 7 attacks require application-layer inspection that operates above the packet level. CoreTech’s architecture handles this through:
- TCP connection validation — MATCH_CONNECTION ensures only fully handshaked connections reach your server, eliminating SYN-based resource waste
- Per-source connection rate limiting — limits how many new connections a single source can initiate, throttling HTTP flood bots
- Custom TCP parameters — `tcp_syn_rate`, `tcp_non_syn_rate`, and `tcp_session_limit` control connection behavior at the transport layer, providing a first line of defense against application floods
For deep Layer 7 analysis (URL inspection, bot detection, JavaScript challenges), CoreTech integrates with your existing WAF or reverse proxy layer. CoreEdge™ handles the volume; your application security layer handles the sophistication.
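As an illustration of the transport-layer controls described in the list above, the following added example (not CoreEdge code; the knob names `syn_rate` and `session_limit` are stand-ins chosen to mirror the parameters named there) implements a per-source SYN token bucket and a minimal TCP handshake tracker that drops any client segment belonging to a flow that never completed the three-way handshake. The server address and all traffic are constructed.

```python
"""Per-source SYN rate limiting plus stateful TCP handshake validation.

Added example, not CoreEdge code.  The two knobs (syn_rate, session_limit)
mirror the kind of transport-layer parameters the article lists but are
assumed names for illustration.  The filter sits in front of the server and
sees both directions of every flow.
"""
from dataclasses import dataclass, field

SERVER = "192.0.2.10"          # protected host (documentation address)


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # subset of "SAFR": SYN, ACK, FIN, RST
    t: float     # arrival time in seconds


@dataclass
class EdgeFilter:
    syn_rate: float = 10.0       # sustained new SYNs per second per source
    syn_burst: float = 20.0      # token bucket depth
    session_limit: int = 100     # established flows allowed per source
    buckets: dict = field(default_factory=dict)      # src -> (tokens, last_refill)
    flows: dict = field(default_factory=dict)        # (client_ip, client_port) -> state
    established: dict = field(default_factory=dict)  # src -> established flow count

    def _take_syn_token(self, src, now):
        """Token bucket: refill by elapsed time, spend one token per SYN."""
        tokens, last = self.buckets.get(src, (self.syn_burst, now))
        tokens = min(self.syn_burst, tokens + (now - last) * self.syn_rate)
        if tokens < 1:
            self.buckets[src] = (tokens, now)
            return False
        self.buckets[src] = (tokens - 1, now)
        return True

    def handle(self, p: Packet) -> str:
        """Decide PASS or DROP for one TCP segment."""
        if p.src == SERVER:                                   # server -> client
            key = (p.dst, p.dport)
            if "S" in p.flags and "A" in p.flags and self.flows.get(key) == "SYN_SENT":
                self.flows[key] = "SYN_RECEIVED"              # server answered the SYN
            return "PASS"
        key = (p.src, p.sport)
        state = self.flows.get(key)
        if "S" in p.flags and "A" not in p.flags:             # new connection attempt
            if not self._take_syn_token(p.src, p.t):
                return "DROP"                                 # SYN flood from this source
            if self.established.get(p.src, 0) >= self.session_limit:
                return "DROP"                                 # too many live sessions
            self.flows[key] = "SYN_SENT"
            return "PASS"
        if state == "SYN_RECEIVED" and "A" in p.flags:        # third step of the handshake
            self.flows[key] = "ESTABLISHED"
            self.established[p.src] = self.established.get(p.src, 0) + 1
            return "PASS"
        if state == "ESTABLISHED":
            if "F" in p.flags or "R" in p.flags:              # flow closing
                del self.flows[key]
                self.established[p.src] -= 1
            return "PASS"
        return "DROP"   # ACK/data for a flow that never completed the handshake


def demo():
    """Constructed traffic: a legitimate client, an ACK flood and a SYN flood."""
    f = EdgeFilter()
    c = "203.0.113.5"
    legit = [
        f.handle(Packet(c, SERVER, 40000, 443, "S", 0.00)),
        f.handle(Packet(SERVER, c, 443, 40000, "SA", 0.01)),
        f.handle(Packet(c, SERVER, 40000, 443, "A", 0.02)),
        f.handle(Packet(c, SERVER, 40000, 443, "A", 0.03)),   # first data segment
    ]
    # Unsolicited ACKs for flows that never handshook: every one is dropped.
    ack_flood = [f.handle(Packet("198.51.100.9", SERVER, 50000 + i, 443, "A", 1.0 + i * 1e-4))
                 for i in range(100)]
    # 100 SYNs in 10 ms from one source: only the burst allowance (20) gets through.
    syn_flood = [f.handle(Packet("198.51.100.20", SERVER, 60000 + i, 443, "S", 2.0 + i * 1e-4))
                 for i in range(100)]
    return {"legit": legit, "ack_flood": ack_flood, "syn_flood": syn_flood}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name}: {verdicts.count('PASS')} PASS, {verdicts.count('DROP')} DROP")
```

The point of tracking the server's SYN-ACK rather than trusting the client alone is that a spoofed source can send a SYN and an ACK but can never produce the server's reply to an address it does not hold, so nothing from a spoofed source ever reaches the ESTABLISHED state. What this filter cannot see is the HTTP inside an established flow, which is why the text hands deep Layer 7 inspection to the WAF or reverse proxy.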
Modern Attacks Use Both Layers
The most sophisticated DDoS campaigns combine Layer 3/4 and Layer 7 techniques simultaneously. While a 200 Gbps UDP flood saturates your bandwidth and distracts your network team, a concurrent Layer 7 HTTP flood targets your login endpoint with credential-stuffing payloads.
This multi-vector approach is why single-layer defenses fail. You need packet-level filtering AND application-level analysis. You need bandwidth capacity AND intelligent request inspection. You need automation at both layers because human response time can’t match multi-vector attack speed.
CoreDetection™ classifies attacks by layer and vector simultaneously, deploying the appropriate CoreEdge™ rules for each component of a multi-vector campaign. The behavioral engine doesn’t just detect “an attack” — it identifies each vector independently and applies targeted mitigation for each.
10-day free trial — full Layer 3/4 mitigation with CoreEdge™, CoreDetection™ behavioral analysis, and self-service firewall management.
Want to see this in action?
Get a live demonstration of CoreTech's DDoS mitigation platform.


