
How DDoS Protection Works: L3/L4 vs L7 Attacks Explained

A DDoS attack tries to drown your server in junk traffic. Here's how DDoS protection actually works — how scrubbing centers separate real visitors from the flood, and why network-layer (L3/L4) and application-layer (L7) attacks need very different defenses.

Key takeaways

  • A DDoS attack uses a distributed botnet to flood a target with traffic so real users can't get through — the aim is downtime, not a breach.
  • L3/L4 attacks are volumetric (bandwidth and packet floods, amplification, SYN floods) and are filtered at the network edge by packet shape.
  • L7 attacks send requests that look legitimate but are expensive to serve; they need behavioral analysis, rate limiting, challenges, and a WAF — not just bandwidth filtering.
  • Scrubbing centers inspect traffic and drop the malicious portion; always-on mitigation is near-instant, while on-demand adds a detection-and-reroute delay where you can still go down.
  • Choose protection that covers all of L3-L7 with a real WAF, high multi-Tbps capacity, single-digit-second mitigation, and no per-attack overage billing.

What a DDoS Attack Actually Is

A Distributed Denial of Service (DDoS) attack is simple in concept: overwhelm a target with so much traffic that it can't serve real users. "Distributed" is the key word — the traffic comes from thousands or millions of compromised devices (a botnet), so you can't just block one IP and walk away. Routers, cameras, home PCs, and cloud instances all get conscripted.

The goal isn't to break in. It's to make your site, API, or game server unreachable — costing you sales, players, or reputation while it's down. Attacks range from a few minutes of nuisance traffic to sustained campaigns that last days. The largest volumetric attacks on record now peak in the multi-terabit-per-second range, but most real-world attacks are far smaller — and far cheaper to launch. Booter and stresser services rent attack capacity for as little as $10 to $20.

Understanding how DDoS protection works starts with one distinction: attacks hit either the network layer (L3/L4) or the application layer (L7), and the defenses are not the same.


L3/L4: Volumetric and Protocol Attacks

Layer 3 (network) and Layer 4 (transport) attacks are about raw volume and protocol abuse. They try to saturate your bandwidth or exhaust connection tables before a request ever reaches your application. They're measured in bits per second (bandwidth) and packets per second (pps).

Common types include UDP floods and DNS/NTP amplification, where a small spoofed request triggers a huge response aimed at you (DNS amplification can multiply traffic 50x or more). SYN floods open half-finished TCP connections to fill the connection table. These attacks are loud and dumb — and because they don't care about your application logic, they can be filtered by inspecting packets, not page requests.

  • UDP / ICMP floods — brute-force bandwidth saturation.
  • Amplification/reflection (DNS, NTP, memcached) — small request, massive reflected response.
  • SYN floods — exhaust the TCP connection table with half-open sessions.
  • Mitigated by scrubbing at the network edge, before traffic hits your server.
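
Filtering by packet shape, as described above, can be sketched in a few lines. This is an added example, not code from the original page or from any provider: the `Pkt` record, the `classify` function, the thresholds and the sample packets are all constructed for illustration.

```python
from collections import Counter, namedtuple

# Constructed packet summaries (not captured traffic).
Pkt = namedtuple("Pkt", "src proto sport size flags")

# Reflection vectors named above, keyed by the UDP source port of the reply.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 11211: "memcached"}

def classify(pkts, solicited, big=512, syn_ratio=3.0):
    """Label packets by shape alone; return (labels, syn_flood_suspected).

    solicited: set of (ip, port) pairs this host really sent a query to.
    big / syn_ratio: assumed thresholds, to be tuned per network.
    """
    labels, tcp_flags = [], Counter()
    for p in pkts:
        if p.proto == "tcp":
            tcp_flags[p.flags] += 1
        service = REFLECTOR_PORTS.get(p.sport) if p.proto == "udp" else None
        # A large reply from a reflector port that was never queried is the
        # signature of amplification/reflection.
        if service and (p.src, p.sport) not in solicited and p.size >= big:
            labels.append("drop:%s-reflection" % service)
        else:
            labels.append("pass")
    # Many bare SYNs with few handshake-completing ACKs means half-open
    # connections are piling up in the connection table.
    syn_flood = tcp_flags["S"] > syn_ratio * max(tcp_flags["A"], 1)
    return labels, syn_flood

SOLICITED = {("192.0.2.53", 53)}          # the resolver this host uses
SAMPLE = [
    Pkt("198.51.100.7", "udp", 53, 3000, ""),     # unsolicited, large
    Pkt("192.0.2.53", "udp", 53, 120, ""),        # answer to our own query
    Pkt("198.51.100.9", "udp", 11211, 1400, ""),  # unsolicited memcached
    Pkt("203.0.113.20", "tcp", 50000, 0, "A"),    # one completed handshake
] + [Pkt("203.0.113.%d" % i, "tcp", 50000 + i, 0, "S") for i in range(1, 9)]

if __name__ == "__main__":
    labels, syn_flood = classify(SAMPLE, SOLICITED)
    for pkt, label in zip(SAMPLE, labels):
        print(pkt.src, pkt.proto, pkt.sport, label)
    print("SYN flood suspected:", syn_flood)
```

Nothing here looks at application content: the decision uses only protocol, source port, size and TCP flags, which is why this kind of filtering can run at the network edge.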

L7: Application-Layer Attacks

Layer 7 (application) attacks are quieter and smarter. Instead of flooding bandwidth, they send requests that look legitimate but are expensive to serve — an HTTP flood hammering your search endpoint, repeated logins, or a wave of requests to a page that runs a heavy database query. A few thousand requests per second can take down a site that easily handles a million packets per second of garbage.

Because each request looks like a real browser, you can't filter L7 attacks on packet shape alone. Defenses rely on behavioral analysis, rate limiting per client, fingerprinting, challenge pages (JavaScript checks or CAPTCHAs), and a Web Application Firewall (WAF) that knows the difference between a human and a bot replaying requests.

This is also where the trade-off bites: block too aggressively and you turn away real customers; too loosely and the attack gets through. Good L7 protection is tuned to your actual traffic, not a one-size rule set.
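
Per-client rate limiting for L7 can weight each request by how expensive it is to serve, which also makes the tuning trade-off above visible. The following is an added example, not code from the original page: the log format, the `COST` table, the thresholds and the log lines are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed relative cost of serving each path; tune to your own application.
COST = {"/search": 10, "/login": 5}
DEFAULT_COST = 1
RANK = {"allow": 0, "challenge": 1, "block": 2}

def parse(line):
    """Parse 'epoch_seconds client_ip METHOD path' (constructed log format)."""
    ts, ip, _method, path = line.split()
    return float(ts), ip, path.split("?")[0]

def decide(lines, window=10.0, challenge_at=50, block_at=150):
    """Return {ip: worst action seen} from a per-client sliding cost window."""
    recent = defaultdict(deque)   # ip -> (timestamp, cost) inside the window
    spent = defaultdict(int)      # ip -> total cost inside the window
    worst = {}
    for line in lines:
        ts, ip, path = parse(line)
        q = recent[ip]
        while q and q[0][0] <= ts - window:   # expire requests past the window
            spent[ip] -= q.popleft()[1]
        cost = COST.get(path, DEFAULT_COST)
        q.append((ts, cost))
        spent[ip] += cost
        if spent[ip] > block_at:
            action = "block"
        elif spent[ip] > challenge_at:
            action = "challenge"          # e.g. serve a JavaScript check
        else:
            action = "allow"
        worst[ip] = max(worst.get(ip, "allow"), action, key=RANK.get)
    return worst

# Constructed log lines, in time order per client.
LOG = (
    ["%.1f 203.0.113.5 GET /search?q=a%d" % (i * 0.1, i) for i in range(20)]
    + ["0.0 192.0.2.10 GET /", "3.0 192.0.2.10 GET /search?q=shoes",
       "5.0 192.0.2.10 GET /product/1", "8.0 192.0.2.10 POST /login"]
    + ["%.1f 198.51.100.20 GET /search?q=b" % float(i) for i in range(8)]
)

if __name__ == "__main__":
    print(decide(LOG))                    # default thresholds
    print(decide(LOG, challenge_at=15))   # too strict: the shopper is challenged
```

With the default thresholds the client hammering `/search` is blocked and the ordinary shopper is allowed; lowering `challenge_at` to 15 challenges the shopper as well, which is the over-blocking side of the trade-off.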

How Scrubbing and Mitigation Actually Work

Modern DDoS protection routes your traffic through a network of scrubbing centers — high-capacity points of presence whose only job is to inspect incoming traffic, drop the malicious portion, and forward the clean remainder to your server. The combined capacity of that network (measured in Tbps) is what lets a provider absorb an attack far larger than any single server could.

There are two operating modes. Always-on protection keeps every packet flowing through the scrubbing layer at all times, so mitigation is effectively instant. On-demand protection only reroutes traffic once an attack is detected — cheaper, but it adds a detection-and-reroute delay (often tens of seconds to a couple of minutes) during which your service can still go down. For anything where uptime matters, always-on is worth the small latency cost.

The mechanics differ by layer. L3/L4 traffic is filtered with techniques like Anycast (spreading the load across many locations so no single one is overwhelmed), packet-level filtering, and rate limits. L7 traffic gets the WAF, behavioral scoring, and challenge-response treatment. A complete defense covers all of layers 3 through 7 — gaps are exactly what attackers probe for.

What to Look For in DDoS Protection

Not all protection is equal, and the marketing numbers can be misleading. Total network capacity matters, but so does how fast mitigation kicks in and whether it covers the application layer, not just bandwidth. Here's a practical checklist.

  • Always-on (not on-demand) if downtime is costly — instant mitigation beats a 60-second reroute.
  • Coverage across L3, L4 and L7, including a real WAF — bandwidth-only protection won't stop an HTTP flood.
  • High aggregate scrubbing capacity (multi-Tbps) so a large attack can be absorbed.
  • Fast time-to-mitigate — single-digit seconds, not minutes.
  • No hard cap or per-attack overage billing that punishes you for being targeted.
  • Humans you can reach during an incident, not just a dashboard.

FAQ

What is the difference between L3/L4 and L7 DDoS attacks?

L3/L4 attacks target the network and transport layers with raw volume — bandwidth floods, amplification, and SYN floods measured in bits and packets per second. They can be filtered by inspecting packet shape before traffic reaches your application. L7 attacks target the application layer with requests that look like real browser traffic but are expensive to serve, so they require behavioral analysis, rate limiting, and a Web Application Firewall rather than simple packet filtering.

What is the difference between always-on and on-demand DDoS protection?

Always-on protection routes all your traffic through the scrubbing layer continuously, so mitigation is effectively instant when an attack starts. On-demand protection only reroutes traffic after an attack is detected, which is cheaper but introduces a delay — often tens of seconds to a couple of minutes — during which your service can still go offline. If uptime matters, always-on is worth the small added latency.

Can a firewall alone stop a DDoS attack?

No. A standard firewall sits on your server or network and can still be overwhelmed by a volumetric attack that saturates your upstream bandwidth before traffic even reaches it. Stopping large attacks requires upstream scrubbing capacity measured in terabits per second, spread across many locations. A Web Application Firewall helps against application-layer (L7) attacks, but it must be paired with network-layer mitigation to cover the full picture.

How big are most DDoS attacks?

Headlines focus on record-breaking multi-terabit-per-second attacks, but the vast majority are far smaller — often well under 10 Gbps — because cheap booter and stresser services can launch them for $10 to $20. The danger isn't only size: a low-volume L7 attack of a few thousand well-aimed requests per second can take down a site that would shrug off a much larger packet flood.
