What is the difference between Layer 7 and Layer 3/4 DDoS attacks, and why do mitigations differ?

Question

Accepted Answer

The difference comes down to **which part of the stack the attack abuses**, and that dictates how you detect and stop it. Layer 3/4 attacks are about **raw volume**; Layer 7 attacks are about **expensive, realistic-looking requests**.

## Layer 3/4 — volumetric / network attacks

These target the **network and transport layers** and try to saturate bandwidth or exhaust connection state, not your application logic.

- **SYN flood** — opens TCP handshakes but never completes them, filling the connection table until legitimate clients cannot connect.
- **UDP flood** — blasts UDP packets at random ports, forcing the host to process and reply.
- **Amplification / reflection** (DNS, NTP, memcached) — spoofs the victim's IP so small queries trigger huge replies aimed at the victim, multiplying attacker bandwidth 50-500x.

**Mitigation** is about absorbing or filtering packets: **SYN cookies** (so the server holds no state until the handshake completes), **anycast + scrubbing centers** to spread and clean the flood across global capacity, and **upstream/ISP filtering** to drop spoofed or junk packets before they reach you. The packets themselves are obviously malformed or unsolicited, so filtering is mechanical.

## Layer 7 — application attacks

These target the **application layer (HTTP)** with requests that look completely legitimate.

- **HTTP flood** — floods real endpoints (`GET /search?q=...`, `POST /login`) so each request forces a database query, render, or auth check.

The danger is **asymmetry**: a tiny request can cost you a heavy query, so far less bandwidth takes you down. And because each request is well-formed, packet filtering cannot tell it from a real user.

**Mitigation** must be smarter than filtering: a **WAF** to match malicious patterns, **rate limiting** per IP/user/token, and **behavioral analysis** (challenge pages, JS/CAPTCHA, fingerprinting) to separate bots from humans.

## Why detection differs

```text
Layer 3/4 : detect by VOLUME + protocol anomalies -> filter/absorb packets (cheap to spot)
Layer 7   : detect by BEHAVIOR (looks like real traffic) -> needs request-level intelligence
```

## Why it matters

You cannot defend both with one tool. A scrubbing center that crushes a 1 Tbps UDP flood will wave through a 50,000-request-per-second HTTP flood, because each request looks valid. Senior engineers identify the layer first, then reach for the matching control — packet-level scrubbing and anycast for volumetric attacks, request-level WAF, rate limiting, and behavioral challenges for application floods.