The difference comes down to which part of the stack the attack abuses, and that dictates how you detect and stop it. Layer 3/4 attacks are about raw volume; Layer 7 attacks are about expensive, realistic-looking requests.
Layer 3/4 attacks target the network and transport layers and try to saturate bandwidth or exhaust connection state, not your application logic.
Mitigation is about absorbing or filtering packets: SYN cookies (so the server holds no state until the handshake completes), anycast + scrubbing centers to spread and clean the flood across global capacity, and upstream/ISP filtering to drop spoofed or junk packets before they reach you. The packets themselves are obviously malformed or unsolicited, so filtering is mechanical.
Layer 7 attacks target the application layer (HTTP) with requests that look completely legitimate.
GET /search?q=..., POST /login) so each request forces a database query, render, or auth check. The danger is asymmetry: a tiny request can cost you a heavy query, so far less bandwidth takes you down. And because each request is well-formed, packet filtering cannot tell it from a real user.
Mitigation must be smarter than filtering: a WAF to match malicious patterns, rate limiting per IP/user/token, and behavioral analysis (challenge pages, JS/CAPTCHA, fingerprinting) to separate bots from humans.
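The asymmetry above is why a Layer 7 rate limit works better when it charges each request its backend cost instead of counting requests. The sketch below is an added example, not code from the original page: a per-client token bucket replayed over constructed traffic. The cost weights, bucket size, refill rate and client addresses are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Assumed relative backend cost per path (constructed values, not from the page).
COST = {"/search": 5.0, "/login": 10.0}
DEFAULT_COST = 1.0

class CostBucket:
    """Token bucket that charges each request its estimated backend cost."""
    def __init__(self, capacity, refill_per_sec):
        self.capacity, self.refill = capacity, refill_per_sec
        self.tokens, self.last_ms = capacity, None

    def allow(self, now_ms, cost):
        if self.last_ms is not None:
            earned = (now_ms - self.last_ms) * self.refill / 1000.0
            self.tokens = min(self.capacity, self.tokens + earned)
        self.last_ms = now_ms
        if cost > self.tokens:
            return False  # over budget: reject, or escalate to a challenge page
        self.tokens -= cost
        return True

def replay(requests, capacity=30.0, refill_per_sec=5.0):
    """requests: (timestamp_ms, client_key, path). Returns {client: [allowed, rejected]}."""
    buckets = defaultdict(lambda: CostBucket(capacity, refill_per_sec))
    stats = defaultdict(lambda: [0, 0])
    for ts_ms, client, path in requests:
        cost = COST.get(path.split("?", 1)[0], DEFAULT_COST)  # ignore the query string
        ok = buckets[client].allow(ts_ms, cost)
        stats[client][0 if ok else 1] += 1
    return dict(stats)

def sample_requests():
    # Constructed traffic: one client hammers /search, another browses normally.
    flood = [(i * 100, "198.51.100.7", f"/search?q=term{i}") for i in range(20)]
    pages = ["/", "/search?q=shoes", "/item/4", "/login", "/cart"]
    human = [(i * 2000, "203.0.113.9", p) for i, p in enumerate(pages)]
    return sorted(flood + human)

if __name__ == "__main__":
    for client, (ok, rej) in replay(sample_requests()).items():
        print(f"{client}: allowed={ok} rejected={rej}")
```

The client key here is an IP address, but the same bucket can be keyed by user or API token, as the mitigation list describes.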
Layer 3/4 : detect by VOLUME + protocol anomalies -> filter/absorb packets (cheap to spot)
Layer 7 : detect by BEHAVIOR (looks like real traffic) -> needs request-level intelligence
You cannot defend both with one tool. A scrubbing center that crushes a 1 Tbps UDP flood will wave through a 50,000-request-per-second HTTP flood, because each request looks valid. Senior engineers identify the layer first, then reach for the matching control — packet-level scrubbing and anycast for volumetric attacks, request-level WAF, rate limiting, and behavioral challenges for application floods.