(2/3) Layer 3 and 4 DDoS Attacks: Vectors, Operation, and Defense
Celia Catalán
This is the second installment on DDoS threats, where we delve into the network and transport layers to analyze the most common vectors, how they operate, and why they are so effective. In this article, we will thoroughly analyze how DDoS attacks work at these layers, how to identify them using monitoring tools and techniques, and what strategies can mitigate their impact. These layers are essential to all communication on the Internet, and precisely because of that critical role, attacks against them can cause widespread disruption with severe consequences.
In an increasingly interconnected world, the availability of digital services has become a fundamental pillar for businesses, institutions, and users. However, this dependence also implies greater exposure to threats that seek to interrupt it. Among these, DDoS attacks stand out for their ability to paralyze entire infrastructures in a matter of minutes. Although application layer (layer 7) attacks often grab headlines due to their sophistication, those focused on the lower layers of the OSI model, layer 3 (Network) and layer 4 (Transport), can be equally or even more dangerous, as they do not require exploiting specific application vulnerabilities but merely saturating basic network resources to cause a total service outage.
These attacks can be massive, difficult to trace, and highly disruptive. From ICMP packet floods to waves of incomplete TCP connections, attackers exploit the basic architecture of the Internet to cause collapses that many organizations do not know how to detect or stop in time.
Layer 3 (Network) of the OSI model, responsible for routing and delivering IP packets across multiple networks, presents a significant attack surface due to the simplicity of its protocols and the absence of native authentication or source verification mechanisms. This combination makes it especially susceptible to volumetric and saturation attacks.
Among the most common threats are techniques such as ICMP Flood, Smurf attack, and malicious IP fragmentation, designed to exhaust bandwidth or processing resources of routers and firewalls. However, there are also more advanced vectors that exploit misconfigured network services (e.g., insecure dynamic routing systems) or compromised devices to amplify traffic using botnets and generate distributed attack patterns that are difficult to filter.
This type of attack can quickly overwhelm infrastructure capabilities even in highly redundant environments, so its detection and mitigation require continuous monitoring, intelligent traffic filtering, and real-time network-level response strategies.
Below, we delve into the main layer 3 attacks:
ICMP Flood
This technique consists of sending a massive number of ICMP Echo Request (ping) packets to a target system. Although each individual packet is small, the total volume of traffic generated can saturate available bandwidth, excessively consume CPU resources, and overflow the processing tables of intermediate devices such as routers, firewalls, and load balancers. As it is a stateless protocol, each request must be processed individually, forcing the system to dedicate a significant part of its resources to responding, severely affecting overall performance. This type of attack can be difficult to filter without deep inspection mechanisms or ICMP traffic control policies. To mitigate it, it is necessary to limit the ICMP response rate, apply filtering rules on perimeter devices, and use anomaly detection systems.
Smurf Attack
The Smurf Attack uses ICMP traffic amplification through broadcast addresses. The attacker sends ICMP Echo Request (ping) packets to the broadcast address of an intermediate network, spoofing the source IP address to match that of the victim. As a result, all devices connected to that network simultaneously respond with ICMP Echo Reply packets directed to the victim, generating a flood of traffic that can saturate its bandwidth, overload the CPU, and destabilize network devices. This attack relies on multiplying traffic through misconfigured networks that allow responses to broadcast requests, making it an effective form of amplification. To mitigate it, ICMP response to broadcast addresses must be disabled on routers and switches, ICMP traffic filters must be applied on firewalls, and anomaly detection systems must be used.
IP Fragmentation Attack
This consists of sending maliciously fragmented IP packets, either with incorrect structures, manipulated fragments, or incomplete sequences, preventing the destination system from reassembling them correctly. This behavior forces the host or network device to temporarily store the fragments in memory, awaiting the arrival of missing parts, which increases buffer usage, processing load, and consumption of critical resources such as RAM and CPU. If the flow of invalid fragments is constant, it can lead to system resource exhaustion, excessive latency, internal table overflows, and, in extreme cases, cause operational failures or unexpected reboots. This type of attack takes advantage of the IP protocol's reassembly logic, which by design must retain fragments for a certain time, making it an effective vector for saturating poorly protected devices. To help mitigate it, deep packet inspection policies should be applied, limits on fragment management should be set, and firewalls or IDS/IPS capable of detecting anomalous patterns in fragmented traffic should be used.
CLDAP Amplification
The CLDAP Amplification Attack is a distributed denial-of-service (DDoS) technique that exploits the connectionless version of the LDAP protocol, known as CLDAP (Connectionless LDAP), primarily used in Windows environments for fast queries. In this attack, the attacker sends manipulated CLDAP requests with the victim's spoofed IP address as the source to misconfigured or vulnerable CLDAP servers. These servers respond with packets significantly larger than the original request, generating traffic amplification that can reach up to 70 times the size of the initial packet. This massive response is directed directly to the victim, saturating their bandwidth, overloading their network resources, and causing severe performance degradation or even total service interruption. To mitigate this type of attack, CLDAP should be disabled on servers that do not require it, traffic filters should be applied at the network perimeter, and anomaly detection systems that identify amplification patterns should be used.
ESP Flood
This attack is based on sending massive encrypted traffic using the ESP (Encapsulating Security Payload) protocol, an essential component of the IPsec security suite. As it is encrypted content, traditional security devices, such as firewalls, intrusion prevention systems (IPS), or deep packet inspection (DPI) tools, cannot analyze or validate the content of the traffic, forcing them to process it without visibility or contextual control. This limitation exposes the infrastructure to processing overload, as devices must manage large volumes of data without being able to apply effective filtering policies. In environments where IPsec is enabled for secure communications, this type of attack can degrade the performance of security systems, slow down legitimate traffic, and facilitate the evasion of other hidden threats. To mitigate it, encrypted traffic segmentation should be performed, rate limits should be applied to IPsec interfaces, and security solutions capable of efficiently managing encrypted flows should be used.
DNS Flood (Infrastructure)
DNS Flood, although originating at layer 7 using the DNS protocol, generates a significant impact on lower layers, layer 3 (IP) and layer 4 (UDP), by using techniques such as massive flooding of false requests or traffic amplification. The attacker sends large volumes of manipulated DNS queries, either directly to DNS servers to saturate their processing and response capacity, or indirectly through vulnerable servers that amplify responses to the victim. These responses can be considerably larger than the original requests, allowing for effective traffic amplification. The attack can overflow bandwidth, exhaust network resources, and cause severe degradation of the name resolution service, affecting the availability of applications and services dependent on DNS. To mitigate this type of threat, rate limiting can be implemented, source validation applied, DNS servers with amplification protection used, and anomaly detection systems deployed.
Mirai and variants
Mirai and its variants represent a family of malware designed to compromise misconfigured IoT devices or those with weak credentials, such as IP cameras, home routers, DVR recorders, and other internet-connected equipment, in order to convert them into bots that form part of a distributed botnet. Once infected, these devices begin to generate malicious ICMP, UDP, or TCP traffic directed at specific targets, operating primarily on layers 3 and 4 of the OSI model. This traffic can include flood attacks, amplification, or vulnerability exploitation, and is characterized by its massive volume and distributed origin, making detection and mitigation difficult. Mirai's variants have evolved to incorporate new evasion techniques, persistence capabilities, and compatibility with different hardware architectures. To mitigate its impact, it is recommended to secure IoT devices through firmware updates, changing default credentials, network segmentation, and active traffic monitoring.
All these attack vectors we have just seen demonstrate that layer 3 is not only vulnerable by design but can also be exploited through amplification, evasion, and massive distribution techniques.
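The Smurf, CLDAP and DNS vectors above share one reflection signature that can be picked out of NetFlow/IPFIX-style records: a host inside the network receives high-rate UDP traffic from well-known service ports on servers it never sent a request to. The following Python script is an added example, not code from the original article; the flow records, the reflector port table and the thresholds are all constructed for the demonstration.

```python
"""Detect reflection/amplification traffic in flow records (added example, not the article's code)."""
from collections import defaultdict

# UDP service ports commonly abused as reflectors; the table is an assumption for the example.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP"}

# Constructed sample flow records (not real telemetry). "dir" is "in" for flows
# entering our network and "out" for flows leaving it; proto 17 = UDP, 6 = TCP.
SAMPLE_FLOWS = [
    # legitimate DNS: our host 10.0.0.5 queried 192.0.2.53 and received a normal answer
    {"dir": "out", "proto": 17, "src": "10.0.0.5", "sport": 40001,
     "dst": "192.0.2.53", "dport": 53, "pkts": 1, "bytes": 70},
    {"dir": "in", "proto": 17, "src": "192.0.2.53", "sport": 53,
     "dst": "10.0.0.5", "dport": 40001, "pkts": 1, "bytes": 210},
    # reflected CLDAP: large responses to 10.0.0.9 from servers it never queried
    {"dir": "in", "proto": 17, "src": "198.51.100.10", "sport": 389,
     "dst": "10.0.0.9", "dport": 80, "pkts": 4000, "bytes": 12_000_000},
    {"dir": "in", "proto": 17, "src": "198.51.100.11", "sport": 389,
     "dst": "10.0.0.9", "dport": 80, "pkts": 3800, "bytes": 11_400_000},
    {"dir": "in", "proto": 17, "src": "203.0.113.7", "sport": 389,
     "dst": "10.0.0.9", "dport": 80, "pkts": 4100, "bytes": 12_300_000},
    # unrelated inbound TCP flow, ignored by the detector
    {"dir": "in", "proto": 6, "src": "203.0.113.9", "sport": 443,
     "dst": "10.0.0.5", "dport": 50000, "pkts": 30, "bytes": 20_000},
]


def analyse_reflection(flows, window_seconds=60, min_mbps=1.0, min_reflectors=2):
    """Return one alert per internal host that receives unsolicited traffic from
    reflector ports at >= min_mbps, coming from >= min_reflectors distinct sources."""
    # Bytes our hosts sent *to* each (host, reflector, port). A reply is only
    # "solicited" when such a request exists in the same window.
    requests = defaultdict(int)
    for f in flows:
        if f["dir"] == "out" and f["proto"] == 17 and f["dport"] in REFLECTOR_PORTS:
            requests[(f["src"], f["dst"], f["dport"])] += f["bytes"]

    per_host = defaultdict(lambda: {"bytes": 0, "pkts": 0, "reflectors": set(), "services": set()})
    for f in flows:
        if f["dir"] != "in" or f["proto"] != 17 or f["sport"] not in REFLECTOR_PORTS:
            continue
        if requests.get((f["dst"], f["src"], f["sport"]), 0) > 0:
            continue  # matched by a request we sent: normal client traffic
        host = per_host[f["dst"]]
        host["bytes"] += f["bytes"]
        host["pkts"] += f["pkts"]
        host["reflectors"].add(f["src"])
        host["services"].add(REFLECTOR_PORTS[f["sport"]])

    alerts = []
    for victim, info in per_host.items():
        mbps = info["bytes"] * 8 / window_seconds / 1e6
        if mbps >= min_mbps and len(info["reflectors"]) >= min_reflectors:
            alerts.append({
                "victim": victim,
                "mbps": round(mbps, 1),
                "reflectors": len(info["reflectors"]),
                "services": sorted(info["services"]),
                # large average reply size separates amplification from a plain UDP flood
                "avg_reply_bytes": round(info["bytes"] / info["pkts"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in analyse_reflection(SAMPLE_FLOWS):
        print(alert)
```

The request table is the important part: a DNS resolver or domain controller legitimately receives large replies from these same ports, so the detector only counts inbound bytes that no outbound request explains. On a real exporter the window and the "in/out" direction come from the interface the flow was observed on.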
Layer 4 of the OSI model, known as the transport layer, is responsible for establishing and maintaining connections between end devices. Critical aspects such as flow control, data segmentation, and delivery reliability are managed here. The most commonly used protocols, TCP and UDP, are essential for almost all modern applications, from web browsing to real-time services.
Precisely because of its central role, this layer is a frequent target of DDoS attacks that seek to disrupt the ability of servers to manage legitimate connections by saturating their resources with malicious or incomplete traffic.
Below, we delve into the main layer 4 attacks:
SYN Flood
SYN Flood exploits the TCP connection establishment process, known as the three-way handshake. The attacker sends multiple SYN packets, usually with spoofed IP addresses, without completing the connection with the corresponding ACK. This forces the server to reserve resources for each request in its half-open connection table, waiting for an ACK that never arrives, which leads to the exhaustion of said table and blocks new legitimate connections. This type of attack can severely degrade system performance, generate high latency, or even cause service outages. To mitigate it, it is necessary to implement mechanisms such as SYN cookies, limit the size of the pending connection queue, use stateful firewalls, and deploy intrusion detection and prevention systems (IDS/IPS), in addition to maintaining constant network traffic monitoring to identify anomalous patterns.
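SYN cookies are the mitigation that removes the half-open table the attack relies on: the server encodes everything it needs into the initial sequence number of the SYN-ACK and stores nothing until the final ACK proves the client is real. The Python below is an added example written for this article, not the original author's code and not the exact bit layout of any operating system; the secret, the MSS table and the 64-second tick are assumptions chosen for the demonstration.

```python
"""Stateless SYN cookies, a simplified version of the mitigation named above
(added example, not the article's code or any kernel's exact layout)."""
import hashlib
import hmac
import time

# Constructed placeholder secret; a real server uses a random key and rotates it.
SECRET = b"example-syn-cookie-secret-not-for-production"
# MSS values the server is willing to remember; 3 cookie bits hold the index.
MSS_TABLE = [536, 1220, 1440, 1460]
TICK_SECONDS = 64          # the time counter advances every 64 s
MAX_COOKIE_AGE_TICKS = 2   # accept cookies minted in the current or two previous ticks


def _tick(now):
    return int((time.time() if now is None else now) // TICK_SECONDS)


def _mac24(counter, mss_idx, tuple4):
    """24-bit keyed MAC over the connection 4-tuple, time counter and MSS index."""
    src_ip, src_port, dst_ip, dst_port = tuple4
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}|{mss_idx}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_syn_cookie(tuple4, client_mss, now=None):
    """Initial sequence number to send in the SYN-ACK. No state is kept for the
    half-open connection; the 32-bit value itself carries what is needed:
    bits 31-27 = time counter mod 32, bits 26-24 = MSS index, bits 23-0 = MAC."""
    counter = _tick(now)
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):       # largest table entry <= client's MSS
        if mss <= client_mss:
            mss_idx = i
    mac = int.from_bytes(_mac24(counter, mss_idx, tuple4), "big")
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | mac


def check_syn_cookie(tuple4, ack_number, now=None):
    """Validate the final ACK of the handshake. Returns the MSS to use for the
    new connection, or None when the ACK does not carry a fresh, authentic cookie."""
    cookie = (ack_number - 1) & 0xFFFFFFFF    # the client acknowledges ISN + 1
    cookie_counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
    current = _tick(now)
    for age in range(MAX_COOKIE_AGE_TICKS + 1):
        counter = current - age
        if (counter & 0x1F) != cookie_counter:
            continue
        if hmac.compare_digest(_mac24(counter, mss_idx, tuple4), mac):
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    t4 = ("203.0.113.5", 51515, "10.0.0.1", 443)
    isn = make_syn_cookie(t4, 1460, now=1_000_000)
    print(hex(isn), check_syn_cookie(t4, isn + 1, now=1_000_000))
```

A spoofed SYN now costs the server one HMAC and no memory, while a genuine client's ACK reconstructs the connection. The price is visible in the code: only a handful of MSS values survive and other TCP options negotiated in the SYN are lost, which is why real stacks enable cookies only once the backlog is under pressure.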
ACK Flood
The ACK Flood attack is a denial-of-service (DoS) variant that consists of sending a massive number of TCP packets with the ACK flag enabled, without a valid TCP session or established connection context. Although these packets are not part of legitimate flows, network devices and servers must process them, which implies consumption of resources such as CPU, memory, and connection state tables. This unnecessary processing can saturate traffic inspection mechanisms, cause overload on firewalls, load balancers or detection systems, and degrade overall system performance. In environments with high performance sensitivity, this type of attack can generate latency, packet loss, and failures in the management of legitimate connections. To mitigate it, deep filtering policies, session-level packet inspection, and traffic anomaly protection systems must be implemented.
UDP Flood
This attack consists of sending a massive number of UDP packets to random ports on a server or network device. Since the UDP protocol is stateless and does not require prior connection establishment, each received packet must be processed individually. If the destination port is closed, the target system responds with an ICMP type 3 code 3 message ("port unreachable"), which generates additional traffic and contributes to saturation. This flood of requests can excessively consume bandwidth, processing capacity, and network resources, affecting the performance of legitimate services. Furthermore, since there is no persistent session, it is more difficult to apply conventional filters, making it an effective attack against poorly protected infrastructures. To mitigate it, anomaly detection systems must be implemented, incoming UDP traffic must be limited, unnecessary ICMP responses must be blocked, and firewalls with specific rules for stateless traffic must be used.
TCP Connection Flood
The TCP Connection Flood attack, unlike SYN Flood, establishes complete TCP connections through the full three-way handshake process. The attacker generates thousands of simultaneous sessions that remain open and unused, forcing the server to maintain allocated resources for each active connection, including memory, entries in the state table, and CPU cycles. This accumulation of inactive sessions can saturate the system's capacity to manage new connections, leading to performance degradation, high latency, and blocking of legitimate services. Furthermore, since these are valid connections from a protocol standpoint, it is more difficult to detect and filter them using conventional mechanisms. To mitigate this type of attack, it is important to establish limits on the number of connections per IP, reduce the idle timeout, implement load balancers with session control, and use anomalous behavior detection systems.
TCP Reset Attack
The TCP Reset attack is a session hijacking technique that involves sending TCP packets with the RST (Reset) flag enabled to active client-server connections. If these packets contain the correct parameters, such as a valid IP address, the correct port, and a sequence number within the expected range, the receiver interprets the signal as a legitimate command to immediately close the connection, causing its abrupt termination. This type of attack does not require saturating the system with large volumes of traffic; instead, it relies on the precision of the packets to destabilize specific communications. It is particularly critical in networks where sensitive or real-time data is transmitted, such as financial services, voice applications, or industrial systems. To mitigate it, the use of session encryption (such as TLS), strict TCP sequence validation, and deep packet inspection (DPI) tools are crucial.
Layer 4 attacks are especially dangerous because they simulate legitimate behavior, making detection difficult without deep inspection tools. The key is to combine stateful analysis, intelligent filtering, and advanced perimeter protection to keep the infrastructure resilient.
Detecting DDoS attacks at layers 3 and 4 of the OSI model requires a comprehensive strategy that combines full traffic visibility, deep pattern analysis, and intelligent event correlation. Unlike Layer 7 attacks, which directly affect the application, attacks on lower layers often masquerade as legitimate traffic, complicating their identification. To achieve effective detection, it is essential to implement real-time monitoring using tools such as Wireshark, tcpdump, or TShark, along with telemetry and network flow systems (NetFlow, sFlow, IPFIX) that allow for the identification of anomalies such as sudden spikes in ICMP, SYN, or UDP packets, distributed traffic from multiple IPs, or the use of random ports. This data, cross-referenced with firewall state tables and session counters, allows for the detection of patterns such as a SYN Flood, where SYN packets significantly outnumber ACKs in short intervals.
In addition to monitoring, analyzing system logs and metrics is crucial. Logs from firewalls, operating systems, and network devices can reveal attack attempts through indicators such as malformed packets, inconsistencies in TCP flags, IP fragmentation errors, or buffer saturation. Performance metrics, such as CPU usage, memory, number of concurrent connections, and TCP session states (SYN_RECV, TIME_WAIT, etc.), provide clear signals of stress on the infrastructure. Tools such as Snort, Suricata, and next-generation firewalls (NGFW) allow for deep packet inspection and signature-based detection, while scrubbing centers like those from Arbor or Akamai filter malicious traffic before it reaches the internal network.
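The two SYN Flood indicators named in the last two paragraphs, SYN packets outnumbering ACKs in a short window and a backlog of SYN_RECV sockets from many sources, can be checked with a short script. This Python example is added here and is not part of the original article; the socket listing, the packet counters and the thresholds are constructed, and the line format imitates a netstat-style listing rather than the output of any specific tool version.

```python
"""SYN flood indicators from a TCP socket-state listing and per-window packet
counters (added example, not the article's code)."""
import re
from collections import Counter, defaultdict

# Constructed lines in netstat-style format (not real output):
# proto recv-q send-q local_address remote_address state
SAMPLE_SOCKETS = [
    "tcp 0 0 10.0.0.1:443 198.51.100.23:41234 ESTABLISHED",
    "tcp 0 0 10.0.0.1:443 198.51.100.24:41235 ESTABLISHED",
    "tcp 0 0 10.0.0.1:443 198.51.100.25:41236 TIME_WAIT",
    "tcp 0 0 10.0.0.1:22 192.0.2.8:60000 ESTABLISHED",
] + [
    # forty half-open connections to :443, each from a different (spoofed) source
    f"tcp 0 0 10.0.0.1:443 203.0.113.{i}:{50000 + i} SYN_RECV" for i in range(1, 41)
]

# Constructed per-window packet counters, as a flow exporter or firewall would report them.
SAMPLE_COUNTERS = {"window_seconds": 10, "syn": 12_000, "syn_ack": 11_900, "ack": 300}

SOCKET_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)\s+(?P<state>[A-Z_]+)$"
)


def summarize_sockets(lines):
    """Count TCP states and, per local port, the half-open (SYN_RECV) sockets
    together with the number of distinct remote addresses behind them."""
    states = Counter()
    half_open = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in lines:
        m = SOCKET_RE.match(line.strip())
        if not m:
            continue                       # header or unparseable line
        states[m["state"]] += 1
        if m["state"] == "SYN_RECV":
            port = int(m["lport"])
            half_open[port]["count"] += 1
            half_open[port]["sources"].add(m["raddr"])
    return {
        "states": states,
        "half_open": {p: {"count": v["count"], "sources": len(v["sources"])}
                      for p, v in half_open.items()},
    }


def syn_flood_alerts(summary, counters, max_half_open=25, max_syn_ack_ratio=5.0):
    """Combine both indicators: SYNs far outnumbering ACKs within the window,
    and a SYN_RECV backlog on one port spread over many sources."""
    alerts = []
    ratio = counters["syn"] / max(counters["ack"], 1)
    syn_rate = counters["syn"] / counters["window_seconds"]
    if ratio > max_syn_ack_ratio:
        alerts.append(f"SYN:ACK ratio {ratio:.1f} ({syn_rate:.0f} SYN/s) exceeds {max_syn_ack_ratio}")
    for port, info in sorted(summary["half_open"].items()):
        if info["count"] > max_half_open:
            alerts.append(f"port {port}: {info['count']} half-open connections "
                          f"from {info['sources']} sources")
    return alerts


if __name__ == "__main__":
    summary = summarize_sockets(SAMPLE_SOCKETS)
    print(dict(summary["states"]))
    for alert in syn_flood_alerts(summary, SAMPLE_COUNTERS):
        print("ALERT:", alert)
```

The source count matters as much as the backlog size: forty half-open connections from one address point at a broken client or a single scanner, while forty from forty addresses with a collapsed ACK ratio is the spoofed-source pattern described above.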
Many modern systems incorporate behavior-based detection, using statistical modeling and machine learning to identify deviations from normal traffic. This technique allows for the detection of attacks like Mirai, where IoT devices generate anomalous traffic without apparent cause. The key is to establish dynamic thresholds, correlate multiple sources (traffic, performance, logs), and visualize real-time metrics with tools like Grafana and Prometheus. Complementary tools like Zabbix or Nagios help generate proactive alerts, while geographical and contextual detection becomes essential for distributed attacks. Together, early detection depends on a security architecture that integrates visibility, analysis, and automated response, adapting to the constant evolution of threats at the network and transport layers.
To mitigate DDoS attacks at layers 3 and 4, it is necessary to efficiently combine intelligent filtering, state-based protection, cloud scrubbing services, and a resilient architecture. Traffic control techniques such as rate limiting, access control lists (ACLs), geo-blocking, and blackholing/sinkholing help reduce the attack surface by blocking malicious packets before they saturate resources. These measures are especially effective against attacks such as ICMP Flood or UDP Flood, where the volume of packets can overwhelm processing capacity. At the protocol level, mechanisms such as SYN cookies, stateful firewalls, and aggressive timeouts help mitigate attacks such as SYN Flood and TCP Connection Flood, preventing incomplete connections from consuming unnecessary resources.
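Rate limiting, ACLs and blackholing are listed above as the first line of defense against ICMP Flood and UDP Flood. The Python below is an added example (not the article's code and not any vendor's implementation) that models those controls as a packet-filter decision: a blackhole list checked first, then a per-source token bucket for the stateless protocols, then accept. The packet stream, the per-protocol limits and the source addresses are constructed for the demonstration.

```python
"""Per-source rate limiting and blackholing as a packet-filter decision
(added example, not the article's code or any vendor's implementation)."""
from collections import Counter, defaultdict


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class PacketPolicy:
    """Order of checks mirrors a perimeter ACL: blackhole list first, then
    per-(source, protocol) rate limits for the stateless protocols, then accept."""

    def __init__(self, blackhole=(), limits=None):
        self.blackhole = set(blackhole)
        # (packets per second, burst) per source; these values are assumptions for the example
        self.limits = limits or {"icmp": (8, 20), "udp": (200, 400)}
        self.buckets = {}

    def decide(self, pkt):
        if pkt["src"] in self.blackhole:
            return "drop:blackhole"
        limit = self.limits.get(pkt["proto"])
        if limit is None:
            return "accept"          # no per-source limit configured (e.g. TCP)
        key = (pkt["src"], pkt["proto"])
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(*limit)
        return "accept" if bucket.allow(pkt["t"]) else "drop:ratelimit"


# Constructed sample traffic (not a capture). Timestamps are multiples of 1/16 s so
# the token arithmetic is exact: 100 ICMP echo requests in about 6 s from one source,
# 5 UDP packets from a blackholed source, 10 UDP packets from a normal host.
SAMPLE_PACKETS = (
    [{"t": i / 16, "src": "203.0.113.50", "proto": "icmp"} for i in range(100)]
    + [{"t": i / 16, "src": "198.51.100.99", "proto": "udp"} for i in range(5)]
    + [{"t": i / 16, "src": "192.0.2.10", "proto": "udp"} for i in range(10)]
)


def run_policy(packets, blackhole=("198.51.100.99",)):
    """Apply the policy to packets in time order; return decision counts per source."""
    policy = PacketPolicy(blackhole=blackhole)
    verdicts = defaultdict(Counter)
    for pkt in sorted(packets, key=lambda p: p["t"]):
        verdicts[pkt["src"]][policy.decide(pkt)] += 1
    return {src: dict(c) for src, c in verdicts.items()}


if __name__ == "__main__":
    for src, counts in run_policy(SAMPLE_PACKETS).items():
        print(src, counts)
```

With an 8 pps ICMP limit and a burst of 20, the flooding source gets its first 39 pings through on the stored burst and is then held to the refill rate, while the normal UDP client never touches its limit. Keying the bucket on (source, protocol) is what keeps one noisy source from consuming the allowance of everyone else; the remaining gap, spoofed sources that each stay under the limit, is exactly why the text pairs these controls with anomaly detection and upstream scrubbing.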
Modern defense also relies on cloud-based scrubbing and mitigation services, such as those offered by Imperva, Radware, Cloudflare, or Akamai, which redirect traffic to specialized centers capable of filtering malicious packets in real time. Anycast routing allows traffic to be distributed among multiple nodes, avoiding single points of failure and absorbing volumetric attacks without affecting the origin server. Complementarily, a resilient architecture with load balancers, geographical redundancy, and network segmentation ensures that critical services remain operational even under attack. This segmentation is key against threats such as IP Fragmentation Flood, where isolating segments helps contain the impact. Furthermore, continuous monitoring through SIEM systems, dashboards with key metrics, and automation with SOAR platforms allows for the detection of patterns such as SYN Flood and the activation of defensive responses without human intervention.
Finally, periodic stress tests and simulations are essential to validate the effectiveness of defenses. Tools such as LOIC, hping3, or custom scripts allow for simulating attacks without compromising production environments, while post-attack analysis of logs and metrics helps identify weaknesses and adjust the strategy. In the ecosystem of available tools to counter DDoS attacks at layers 3 and 4, there are widely used solutions such as Imperva DDoS Protection, Radware DefensePro, Cloudflare Magic Transit, Zabbix, Grafana, Suricata, and Snort, among many others. Each of them fulfills specific functions in detection, filtering, and response processes to threats, depending on the environment and the technical requirements of each infrastructure. Key best practices include keeping mitigation always active, separating legitimate from malicious traffic through IP reputation and behavioral analysis, scaling defenses without sacrificing performance, and constantly updating rules and signatures to adapt to evolving threats. This combination of technology, architecture, and proactive vigilance is the foundation of robust defense against DDoS attacks at lower layers.
As has been seen, defense against DDoS attacks is not a single solution, but an ecosystem of technologies, processes, and best practices that must evolve at the pace of threats. The combination of early detection, automated mitigation, and structural resilience is what guarantees the availability, stability, and security of services in increasingly hostile environments.
The main types of attacks at these layers, their characteristic indicators, the most effective tools for their detection, and the recommended mitigation strategies have been comprehensively addressed, demonstrating that effective defense requires not only deep traffic visibility and contextual analysis, but also a resilient architecture, automated responses, and collaboration with specialized cloud mitigation services.
In short, protection against DDoS attacks at lower layers cannot depend on isolated solutions. It is necessary to implement a strategy that integrates technology, operational planning, and effective security measures, with the aim of ensuring service continuity in an increasingly vulnerable and demanding digital environment.
Iván Domínguez, Senior Analyst at Zerolynx by Cybertix.
