Layer 4 vs Layer 7 DDoS Attacks
Last updated: March 2025
The OSI Model Context
The Open Systems Interconnection (OSI) model divides network communication into seven layers. DDoS attacks typically target Layer 4 (Transport) or Layer 7 (Application). Understanding the difference helps you choose the right mitigation strategy.
What is Layer 4 (L4)?
Layer 4 is the Transport layer, responsible for end-to-end communication. It includes protocols like TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). L4 attacks work at the packet level—they don't need to understand application logic, just IP addresses and ports.
Common Layer 4 Attack Types
- UDP Flood: Sends massive amounts of UDP packets to random ports. The target spends resources checking each packet and responding with "port unreachable" messages.
- TCP Flood: Exhausts the target's connection table with full TCP connections. Each connection consumes memory and CPU.
- SYN Flood: Sends TCP SYN packets without completing the handshake. Half-open connections accumulate until the server cannot accept new connections.
What is Layer 7 (L7)?
Layer 7 is the Application layer, where HTTP, HTTPS, DNS, and other application protocols operate. L7 attacks are more sophisticated—they send requests that look like legitimate user traffic. They target web servers, APIs, and application logic.
Common Layer 7 Attack Types
- HTTP Flood: Sends many HTTP GET or POST requests. Each request triggers database queries, server-side processing, and resource consumption.
- Slowloris: Sends partial HTTP requests and keeps connections open. Exhausts the server's connection pool with minimal bandwidth.
- HTTP POST Flood: Sends large POST requests that consume more server resources than GET requests.
Key Differences
| Aspect | Layer 4 | Layer 7 |
|---|---|---|
| Target | Bandwidth, connection tables | Application resources, CPU |
| Traffic volume | Very high (Gbps/Tbps) | Lower, but each request is costly for the target |
| Mitigation | Upstream filtering, scrubbing | WAF, rate limiting, behavioral analysis |
Which is Harder to Mitigate?
Layer 4 attacks require more raw bandwidth to mitigate—you need to absorb or filter high volumes of traffic. Layer 7 attacks are trickier because they mimic legitimate traffic; distinguishing attack requests from real users requires behavioral analysis, rate limiting, and sometimes challenge-response mechanisms.
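One way to implement the rate limiting named above, as an added Python example that is not part of this page: a per-client sliding-window budget applied to constructed HTTP access-log lines (the `timestamp client method path` format, the budget of 20 cost units per 10 seconds and the POST-costs-three-GETs weighting are assumptions), so that GET and POST floods are throttled once their budget is spent while a normal browser's requests pass.

```python
from collections import defaultdict, deque
from datetime import datetime

# Assumed per-request cost: the page notes that POST requests consume more
# server resources than GET, so a POST draws more from a client's budget.
REQUEST_COST = {"GET": 1, "POST": 3}

def parse_line(line):
    """Parse 'ISO-timestamp client method path' into (epoch seconds, client, method)."""
    ts, client, method, _path = line.split()
    return datetime.fromisoformat(ts).timestamp(), client, method

def find_abusive_clients(lines, window=10.0, budget=20):
    """Cost-weighted sliding-window rate limit over log lines in timestamp order.

    Each client may spend at most `budget` cost units within any `window` seconds.
    Returns {client: rejected_request_count} for clients that exceeded the budget;
    well-behaved clients do not appear in the result.
    """
    history = defaultdict(deque)   # client -> (timestamp, cost) entries still in the window
    spent = defaultdict(int)       # client -> cost currently inside the window
    rejected = defaultdict(int)
    for line in lines:
        ts, client, method = parse_line(line)
        q = history[client]
        while q and ts - q[0][0] > window:   # expire entries older than the window
            _, old_cost = q.popleft()
            spent[client] -= old_cost
        cost = REQUEST_COST.get(method, 1)
        if spent[client] + cost > budget:    # over budget: this request is rate-limited
            rejected[client] += 1
            continue
        q.append((ts, cost))
        spent[client] += cost
    return dict(rejected)

def build_sample_log():
    """Constructed sample traffic (not captured data): one normal browser,
    one HTTP GET flood source and one HTTP POST flood source."""
    lines = []
    for i in range(3):     # normal user: one page every four seconds
        lines.append(f"2025-03-01T10:00:{i * 4:02d} 198.51.100.7 GET /page{i}")
    for i in range(30):    # GET flood: 30 requests within two seconds
        lines.append(f"2025-03-01T10:00:{i // 15:02d} 203.0.113.9 GET /")
    for i in range(8):     # POST flood: 8 expensive requests within two seconds
        lines.append(f"2025-03-01T10:00:{i // 4:02d} 203.0.113.10 POST /search")
    return sorted(lines)   # ISO timestamps sort lexicographically into log order

if __name__ == "__main__":
    print(find_abusive_clients(build_sample_log()))  # {'203.0.113.9': 10, '203.0.113.10': 2}
```

With the assumed budget the GET flood has 10 of its 30 requests rejected and the POST flood 2 of 8 (six POSTs already cost 18 units), while the normal browser is never limited.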
Testing Both Layers
When stress testing your infrastructure, test against both L4 and L7 attack vectors. Your defenses may handle one type well but be vulnerable to the other. Comprehensive testing covers UDP, TCP, SYN, HTTP, and application-specific scenarios.