Menene bambanci tsakanin Layer 7 da Layer 3/4 DDoS attacks, kuma me yasa mitigations ya bambanta?

Question

Accepted Answer

Bambanci na zo daga **wane sashi na stack nake amfani* da wanda a raje, kuma hakan nai mika yadda kake gano da tsayar da shi. Layer 3/4 attacks suke game da **kashing adadi**; Layer 7 attacks suke game da **costly, requests da suke kama gida-gida**.

## Layer 3/4 — volumetric / network attacks

Wadannan suke tuhumar **network da transport layers** da suke kokarin cika bandwidth ko kashe connection state, ba shine logics na aikace-aikacen naka ba.

- **SYN flood** — bude TCP handshakes amma ba su kammala ba, cikewa table yadda clients mai aminci ba za su iya haɗa ba.
- **UDP flood** — jefar UDP packets zuwa ramni masu bata, tilar host yadda a sarrafi kuma amsa.
- **Amplification / reflection** (DNS, NTP, memcached) — guje IP na wanda a tuhumar saboda karami queries suke ƙayar da masu girma amsa zuwa wanda a tuhumar, ninkowa mamaki bandwidth 50-500x.

**Mitigation** suke game da samarwa ko tace packets: **SYN cookies** (saboda server ya tsaya babu state har handshake ya kammala), **anycast + scrubbing centers** wajen yada da tsabtsi flood a cikin duniya capacity, da **upstream/ISP filtering** wajen ci jajiya spoofed ko banza packets kafin su isa gida. Packets kansu suke bayyane malformed ko ba su nemi ba, saboda tace ishi mechanical.

## Layer 7 — application attacks

Wadannan suke tuhumar **application layer (HTTP)** tare da requests da suke kama legitime gida.

- **HTTP flood** — cika legitime endpoints (`GET /search?q=...`, `POST /login`) saboda kowane request yana tilar database query, render, ko auth check.

Haɗari shine **asymmetry**: karami request zai iya kashe fiye da query, saboda haka kashi ba ya kashe ki. Kuma saboda kowane request shine daidai tsari, packet filtering ba zai iya gano shi daga ainihi mai aminci ba.

**Mitigation** dole ya zama mafi wayo fiye da tace: **WAF** wajen daidaita patterns marasa kyau, **rate limiting** kowaye IP/user/token, da **behavioral analysis** (challenge pages, JS/CAPTCHA, fingerprinting) wajen rabuwa robots daga mutane.

## Why detection differs

```text
Layer 3/4 : detect by VOLUME + protocol anomalies -> filter/absorb packets (cheap to spot)
Layer 7   : detect by BEHAVIOR (looks like real traffic) -> needs request-level intelligence
```

## Me yasa yana da muhimmi

Ba za ka iya karewa dukansu da kayan gida daya. Scrubbing center nake jajiye 1 Tbps UDP flood zai hanin 50,000-request-per-second HTTP flood, saboda kowane request suke kama ainihi. Masu karami engineers sune suna gano layer na farko, sannan sune isa wajen matching control — packet-level scrubbing da anycast don volumetric attacks, request-level WAF, rate limiting, da behavioral challenges don application floods.