Layer-by-Layer DDoS Attack Mechanics and Effective Defense Strategies

This article breaks down DDoS attacks across the network, transport, and application layers, explains the core techniques like ICMP flood, SYN flood, and HTTP flood, and provides practical defense measures such as filtering, SYN cookies, WAFs, and CDN load balancing.

Ops Development & AI Practice

Introduction

DDoS (Distributed Denial‑of‑Service) attacks target multiple layers of the IP protocol stack. Effective mitigation requires understanding the tactics used at the network (Layer 3), transport (Layer 4), and application (Layer 7) layers.

Network Layer (Layer 3) Attacks

Layer 3 attacks exploit IP and ICMP to flood routers, switches, or links with malformed or excessive packets, exhausting device CPU, memory, and bandwidth.

ICMP Flood (Ping Flood) – Botnets send millions of ICMP Echo Request packets. Each request forces the target to generate an Echo Reply, consuming CPU cycles and bandwidth. This is the same Echo Request/Echo Reply exchange that the legitimate ping utility performs, only at overwhelming volume.

IP Fragmentation Attack (Ping of Death) – Attackers craft fragmented IP packets whose reassembled size exceeds the 65 535‑byte maximum of an IP datagram. Each fragment looks valid on its own; when the target reassembles them, the total exceeds its reassembly buffer, causing a buffer overflow, crashes, or reboots.

Defensive measures

Border firewall / router ACL – Configure access‑control lists to drop unsolicited ICMP traffic or apply per‑source rate limits.

Traffic‑scrubbing services – Redirect traffic via BGP to a scrubbing center that filters malicious packets before returning clean traffic to the origin.
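To make the two Layer 3 checks above concrete, here is an added example (not code from the original article) of the logic a border ACL applies: it decodes IPv4 headers, drops any fragment whose end would lie past the 65 535‑byte datagram limit (the Ping of Death case), and enforces a per‑source token bucket on ICMP. The packets, the `build_ipv4` helper, the rate and burst values, and the `EdgeFilter` class are all constructed for the example; header checksums are left at zero because nothing here transmits them.

```python
import struct
import ipaddress

IPV4_MAX_DATAGRAM = 65535   # largest legal IPv4 datagram, header included
IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8


def build_ipv4(src, dst, proto, payload, ident=1, frag_off=0, more_fragments=False, ttl=64):
    """Construct a minimal IPv4 packet for the demo (checksum left as 0, frag_off in 8-byte units)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_off & 0x1FFF)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), ident, flags_frag, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def parse_ipv4(pkt):
    """Decode the header fields the filter needs from a raw IPv4 packet."""
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto,
        "id": ident,
        "frag_off": (flags_frag & 0x1FFF) * 8,   # the wire field counts 8-byte units
        "payload": pkt[ihl:total_len],
    }


class EdgeFilter:
    """Fragment bounds check plus a per-source ICMP token bucket, as a border ACL would apply."""

    def __init__(self, icmp_pps, burst, clock):
        self.rate = icmp_pps        # sustained ICMP packets per second allowed per source
        self.burst = burst          # bucket capacity (maximum burst)
        self.clock = clock          # injectable clock so the demo is deterministic
        self.buckets = {}           # src -> [tokens, last_refill_time]

    def _take_token(self, src):
        now = self.clock()
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[src] = [tokens, now]
            return False
        self.buckets[src] = [tokens - 1, now]
        return True

    def decide(self, pkt):
        hdr = parse_ipv4(pkt)
        # Ping of Death: a fragment ending beyond 65 535 bytes can never reassemble legally,
        # so it is dropped before the reassembly buffer ever sees it.
        if hdr["frag_off"] + len(hdr["payload"]) > IPV4_MAX_DATAGRAM:
            return "drop:oversize-fragment"
        if hdr["proto"] == IPPROTO_ICMP and not self._take_token(hdr["src"]):
            return "drop:icmp-rate-limit"
        return "pass"


def run_sample():
    """Constructed traffic: one oversize fragment, then an echo-request burst from a single source."""
    now = [1000.0]
    f = EdgeFilter(icmp_pps=1.0, burst=3, clock=lambda: now[0])
    echo = bytes([ICMP_ECHO_REQUEST, 0, 0, 0]) + b"\x00" * 60
    decisions = []
    # offset 8189 * 8 = 65 512 bytes, plus a 100-byte payload, ends past the limit
    pod = build_ipv4("198.51.100.7", "192.0.2.10", IPPROTO_ICMP, b"A" * 100, ident=7, frag_off=8189)
    decisions.append(f.decide(pod))
    for _ in range(5):
        decisions.append(f.decide(build_ipv4("203.0.113.5", "192.0.2.10", IPPROTO_ICMP, echo)))
    now[0] += 2.0   # two seconds later the bucket has refilled by two tokens
    decisions.append(f.decide(build_ipv4("203.0.113.5", "192.0.2.10", IPPROTO_ICMP, echo)))
    decisions.append(f.decide(build_ipv4("192.0.2.44", "192.0.2.10", IPPROTO_ICMP, echo)))  # other source
    return decisions


if __name__ == "__main__":
    print(run_sample())
```

The bucket is keyed on the source address, which is why this belongs at the border rather than on the host: a flood from many spoofed sources still passes the per‑source limit, and that residual volume is what the scrubbing service described above is for.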

[Figure: Simplified traffic‑scrubbing flow diagram]

Transport Layer (Layer 4) Attacks

Layer 4 attacks focus on exhausting server connection state rather than raw bandwidth.

TCP SYN Flood – Attackers send forged SYN packets with spoofed source IPs. The server replies with SYN‑ACK and allocates a half‑open entry in the backlog queue, waiting for an ACK that never arrives. Accumulation of half‑open connections exhausts the TCP backlog.

UDP Flood – Random UDP packets are sent to closed ports. The server must generate ICMP “port unreachable” replies, consuming CPU and network resources at high volume.

Defensive measures

SYN Cookies – The server encodes connection parameters into a cryptographic cookie placed in the SYN‑ACK. Resources are allocated only after a valid ACK containing the cookie is received.

Stateful firewalls and IPS – Track TCP state, detect abnormal half‑open connections or UDP patterns, and block them.

UDP rate limiting – Apply strict rate limits to non‑essential UDP ports.
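The SYN cookie mechanism above is easiest to see in code, so here is an added example (not from the original article) in which the cookie is the SYN‑ACK's initial sequence number: a 5‑bit time counter, a 3‑bit index into an MSS table, and a 24‑bit keyed hash over the connection 4‑tuple. The layout is loosely modelled on the Linux one but simplified; the 4‑entry MSS table, the 64‑second counter period, the per‑process secret and the `CookieListener` class are assumptions of this example. The point to watch is that `CookieListener` stores nothing on SYN and only creates state once an ACK carries a cookie it can verify.

```python
import hmac
import hashlib
import ipaddress
import secrets
import struct
import time

SECRET = secrets.token_bytes(32)          # per-process secret (assumed); a kernel rotates such secrets
MSS_TABLE = [536, 1300, 1440, 1460]       # MSS values the 3-bit field can encode (assumed table)
COUNTER_PERIOD = 64                       # seconds per tick of the 5-bit time counter (assumed)
MAX_AGE_TICKS = 1                         # accept the current tick and the previous one


def _tick(now):
    return int(now) // COUNTER_PERIOD


def _mac24(src_ip, dst_ip, sport, dport, tick):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time tick."""
    msg = struct.pack("!IIHHQ", int(ipaddress.IPv4Address(src_ip)),
                      int(ipaddress.IPv4Address(dst_ip)), sport, dport, tick)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(src_ip, dst_ip, sport, dport, client_mss, now):
    """Build the SYN-ACK initial sequence number: 5 bits tick | 3 bits MSS index | 24 bits MAC."""
    tick = _tick(now)
    # largest table entry not exceeding what the client offered (index 0 if none fits)
    idx = max(i for i, m in enumerate(MSS_TABLE) if m <= client_mss or i == 0)
    mac = int.from_bytes(_mac24(src_ip, dst_ip, sport, dport, tick), "big")
    return ((tick & 0x1F) << 27) | (idx << 24) | mac


def check_cookie(cookie, src_ip, dst_ip, sport, dport, now):
    """Return the negotiated MSS if the cookie is genuine and fresh, otherwise None."""
    tick_now = _tick(now)
    age = (tick_now - (cookie >> 27)) & 0x1F          # ticks elapsed, modulo the 5-bit counter
    if age > MAX_AGE_TICKS:
        return None                                     # stale (or replayed) cookie
    tick = tick_now - age
    idx = (cookie >> 24) & 0x7
    if idx >= len(MSS_TABLE):
        return None
    expected = _mac24(src_ip, dst_ip, sport, dport, tick)
    if not hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None                                     # forged or for a different 4-tuple
    return MSS_TABLE[idx]


class CookieListener:
    """A listening endpoint that keeps no half-open state at all."""

    def __init__(self, local_ip, local_port, clock=time.time):
        self.local_ip, self.local_port, self.clock = local_ip, local_port, clock
        self.established = {}   # (peer_ip, peer_port) -> MSS; grows only after a valid ACK

    def on_syn(self, peer_ip, peer_port, client_mss):
        # Nothing is allocated here: the SYN-ACK sequence number *is* the connection state.
        return make_cookie(peer_ip, self.local_ip, peer_port, self.local_port, client_mss, self.clock())

    def on_ack(self, peer_ip, peer_port, ack_num):
        # The client acknowledges ISN+1, so the cookie to verify is ack_num-1.
        cookie = (ack_num - 1) & 0xFFFFFFFF
        mss = check_cookie(cookie, peer_ip, self.local_ip, peer_port, self.local_port, self.clock())
        if mss is None:
            return False
        self.established[(peer_ip, peer_port)] = mss
        return True


if __name__ == "__main__":
    srv = CookieListener("192.0.2.10", 443)
    isn = srv.on_syn("198.51.100.4", 40000, 1460)
    print("half-open entries:", len(srv.established))           # 0, whatever the SYN rate
    print("ACK accepted:", srv.on_ack("198.51.100.4", 40000, (isn + 1) & 0xFFFFFFFF))
```

Because the hash is truncated to 24 bits and the ISN can carry no TCP options, real implementations enable cookies only once the backlog is actually under pressure; the trade‑off is that a spoofed SYN flood then costs the server nothing but the SYN‑ACK it sends.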

[Figure: SYN Flood vs. SYN Cookie sequence diagram]

Application Layer (Layer 7) Attacks

Layer 7 attacks mimic legitimate user behavior, sending HTTP or DNS requests that appear valid but are generated at a scale that exhausts CPU, memory, or I/O resources.

HTTP Flood – Botnets issue massive HTTP GET/POST requests to resource‑intensive endpoints (e.g., search, login). The high request rate overwhelms web or database servers.

DNS Query Flood – Flooding a DNS server with forged queries forces recursive lookups, depleting its processing capacity.

Defensive measures

Web Application Firewall (WAF) – Deep packet inspection of HTTP/HTTPS traffic, rule‑based filtering, behavior analysis, and reputation checks; can limit per‑IP request rates and validate parameters.

CAPTCHA / Human verification – Challenge responses (e.g., reCAPTCHA) are presented when traffic anomalies are detected to separate bots from real users.

API rate limiting and authentication – Enforce strict request quotas and require authentication for exposed APIs.

CDN and load balancing – Distribute traffic across edge nodes; CDNs absorb large HTTP floods, while load balancers spread load across multiple backend servers.
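The per‑IP rate limiting and behaviour analysis a WAF performs can be run over ordinary access logs, which is how a team without a WAF would first notice an HTTP flood. The following added example (not code from the original article) parses constructed combined‑format log lines, weights each request by how expensive its endpoint is (login and search cost more than static assets, matching the article's point about resource‑intensive endpoints), keeps a sliding window per client IP, and maps the windowed load to the escalation the article describes: allow, challenge with a CAPTCHA, or block. The weights, window, thresholds and sample log are all assumptions of the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD PATH PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Cost per request (assumed weights): login and search reach the database, static assets are cheap
EXPENSIVE = {"/login": 5, "/search": 5}
DEFAULT_COST = 1
ACTION_RANK = {"allow": 0, "challenge": 1, "block": 2}


def parse_line(line):
    """Return (ip, unix_timestamp, path) or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    path = m["path"].split("?", 1)[0]        # strip the query string before weighting
    return m["ip"], ts, path


class FloodDetector:
    """Sliding-window request cost per client, escalating to challenge and then block."""

    def __init__(self, window=10.0, challenge_at=20, block_at=50):
        self.window = window                 # seconds of history kept per IP
        self.challenge_at = challenge_at     # cost at which a CAPTCHA is presented
        self.block_at = block_at             # cost at which the client is blocked
        self.hist = defaultdict(deque)       # ip -> deque of (timestamp, cost)

    def observe(self, ip, ts, path):
        q = self.hist[ip]
        q.append((ts, EXPENSIVE.get(path, DEFAULT_COST)))
        while q and ts - q[0][0] > self.window:   # evict requests older than the window
            q.popleft()
        load = sum(cost for _, cost in q)
        if load >= self.block_at:
            return "block"
        if load >= self.challenge_at:
            return "challenge"
        return "allow"


def analyze(lines, **kwargs):
    """Run the detector over log lines; return the most severe action reached per IP."""
    det = FloodDetector(**kwargs)
    worst = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path = rec
        action = det.observe(ip, ts, path)
        worst[ip] = max(worst.get(ip, "allow"), action, key=ACTION_RANK.__getitem__)
    return worst


def _line(ip, sec, path, status="200"):
    return f'{ip} - - [10/Oct/2000:13:55:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 512'


# Constructed sample log: a normal visitor, a heavy but plausible user, and a login-flood bot.
SAMPLE_LOG = (
    [_line("198.51.100.4", 0, "/"),
     _line("198.51.100.4", 1, "/static/app.js"),
     _line("198.51.100.4", 4, "/search?q=ddos")]                        # cost 7 in 10 s
    + [_line("192.0.2.77", 2 + i, "/login") for i in range(5)]             # cost 25 in 5 s
    + [_line("203.0.113.9", 5 + i // 4, "/login", "401") for i in range(12)]  # cost 60 in 3 s
)

if __name__ == "__main__":
    for ip, action in analyze(SAMPLE_LOG).items():
        print(f"{ip:15} {action}")
```

Weighting by endpoint cost is what separates this from a plain per‑IP counter: a client fetching a page and its static assets generates many cheap requests, while a bot hammering the login form generates few but expensive ones, and a threshold on request count alone would rank them the wrong way round. In production the same scoring would sit in the WAF or rate‑limiter and feed the CAPTCHA challenge rather than a printed verdict.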

Conclusion

DDoS mitigation must be layered: coarse filtering at the network layer, intelligent connection‑state management at the transport layer, and deep behavioral analysis at the application layer. A defense‑in‑depth architecture of this kind enables a resilient response to multi‑vector DDoS attacks.

Tags: network security, DDoS, WAF, traffic filtering, layered defense, SYN cookies
Written by

Ops Development & AI Practice

DevSecOps engineer sharing experiences and insights on AI, Web3, and Claude code development. Aims to help solve technical challenges, improve development efficiency, and grow through community interaction. Feel free to comment and discuss.
