Apa bedane antara Layer 7 lan Layer 3/4 DDoS attacks, lan kenapa mitigasi-ne beda?

Question

Accepted Answer

Bedane mudhun ing **bagian mana saka stack sing diserang**, lan iku sing nentokake carane ngdeteksi lan ngalang. Layer 3/4 attacks yaiku babagan **raw volume**; Layer 7 attacks yaiku babagan **expensive, realistic-looking requests**.

## Layer 3/4 — volumetric / network attacks

Lanang target **network lan transport layers** lan nyoba jenuh bandwidth utawa mung habis connection state, ora logic aplikasi-mu.

- **SYN flood** — buka TCP handshakes nanging ora ngrampungne, ngisi connection table nganti clients sah ora bisa connect.
- **UDP flood** — mbletok UDP packets ing random ports, meksa host ngolah lan mangsuli.
- **Amplification / reflection** (DNS, NTP, memcached) — spoofs IP korban supaya queries cilik micu balasan gedhe ngarah korban, dadi bandwidth attacker kalian 50-500x.

**Mitigation** yaiku babagan nyerep utawa nyaring packets: **SYN cookies** (supaya server ora dadi state nganti handshake rampung), **anycast + scrubbing centers** supaya nyebar lan ngresiki flood ing kapasitas global, lan **upstream/ISP filtering** supaya tumpas packets sing di-spoof utawa junk sadurunge tekan kowe. Packets iku sinau malformed utawa unsolicited, dadi filtering iku mechanical.

## Layer 7 — application attacks

Lanang target **application layer (HTTP)** karo requests sing katon legitimate banget.

- **HTTP flood** — mbletok endpoints sejati (`GET /search?q=...`, `POST /login`) supaya saben request meksa database query, render, utawa auth check.

Bahaya yaiku **asymmetry**: request cilik bisa mbayar kowe query abot, dadi bandwidth sithik njupuk sampeyan. Lan amarga saben request iku well-formed, packet filtering ora bisa mbedakne saka real user.

**Mitigation** kudu luwih pinter saka filtering: **WAF** supaya klop patterns jahat, **rate limiting** per IP/user/token, lan **behavioral analysis** (challenge pages, JS/CAPTCHA, fingerprinting) supaya pisahke bots saka manungsa.

## Kenapa detection beda

```text
Layer 3/4 : detect by VOLUME + protocol anomalies -> filter/absorb packets (cheap to spot)
Layer 7   : detect by BEHAVIOR (looks like real traffic) -> needs request-level intelligence
```

## Kenapa iku penting

Kowe ora bisa ngalang loro-roan karo siji tool. Scrubbing center sing ngremuk 1 Tbps UDP flood bakal mahali HTTP flood 50,000-request-per-second, amarga saben request katon valid. Senior engineers ngidentifikasi layer pisanan, banjur raih kontrol sing klop — packet-level scrubbing lan anycast kanggo volumetric attacks, request-level WAF, rate limiting, lan behavioral challenges kanggo application floods.