
Layer 3/4 vs Layer 7 DDoS attacks

Understand the difference between volumetric (L3/L4) and application (L7) attacks, how to recognize each and which filters work best.

DDoS attacks are classified by the OSI layer they target. Knowing the difference helps you pick the right profile and avoid wasted mitigation.

Layer 3 / 4 — network and transport

Volumetric attacks aim to saturate the link, exhaust state tables or overwhelm CPU packet processing. They require no knowledge of the application being hosted.

  • UDP flood — thousands of random UDP packets per second.
  • SYN flood — TCP handshake exhaustion via half-open connections.
  • Amplification — NTP, DNS, Memcached, CLDAP reflection with 50–50 000× multiplier.
  • ICMP flood — ping flood, rarely effective today.

Best defense: global Anycast scrubbing — GCore, Path, OVH VAC, Voxility, TNI.

Layer 7 — application

Application-layer attacks look like legitimate traffic. They typically target HTTP, the FiveM protocol, the Minecraft handshake and similar application protocols.

  • HTTP GET/POST flood — thousands of "real" requests from a botnet.
  • Slowloris — thousands of connections kept open by slow header sends.
  • FiveM challenge bypass — mimics legitimate players until it gets a token.
  • Minecraft login flood — repeated 0x00 handshake packets.

Defense relies on challenge systems, per-session rate limits and our Strict / Ultra Strict profiles.

How to tell which attack is happening

  1. Open the panel and check the Network I/O graph.
  2. Inbound > 1 Gbps and CPU fine → L3/L4. Mitigation handles it automatically.
  3. Low bandwidth but server is "suffering" → L7. Open a ticket for a Strict profile switch.
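
The same triage can be done from a shell on a Linux server when the panel graph is not at hand. This is an added example, not the provider's tooling: it derives inbound Gbps from two /proc/net/dev snapshots and applies the rule from the steps above. The load-per-core cutoff for "suffering", the interface name eth0 and the sample snapshots are assumptions constructed for illustration.

```python
# Added example: L3/L4 vs L7 triage from Linux counters (not the provider's tooling).
GBPS_THRESHOLD = 1.0       # from the article: inbound > 1 Gbps
BUSY_LOAD_PER_CORE = 1.0   # assumption: "suffering" = 1-min load above core count

# Constructed /proc/net/dev snapshots, taken 10 seconds apart on "eth0".
HEADER = ("Inter-|   Receive                            |  Transmit\n"
          " face |bytes packets errs drop fifo frame compressed multicast|bytes packets\n")
LO = "    lo: 4096 32 0 0 0 0 0 0 4096 32\n"
SNAP_A = HEADER + LO + "  eth0: 1000000000 900000 0 0 0 0 0 0 5000 40\n"
SNAP_B = HEADER + LO + "  eth0: 3500000000 4100000 0 0 0 0 0 0 9000 70\n"


def rx_bytes(proc_net_dev: str, iface: str) -> int:
    """Return the received-bytes counter for iface from /proc/net/dev text."""
    for line in proc_net_dev.splitlines():
        name, sep, rest = line.partition(":")   # header lines have no colon
        if sep and name.strip() == iface:
            return int(rest.split()[0])         # first column after ':' is rx bytes
    raise KeyError(f"interface {iface!r} not found")


def inbound_gbps(before: str, after: str, iface: str, seconds: float) -> float:
    """Average inbound rate in Gbps between two snapshots."""
    if seconds <= 0:
        raise ValueError("sampling interval must be positive")
    delta = rx_bytes(after, iface) - rx_bytes(before, iface)
    if delta < 0:                               # counter reset or wrapped
        raise ValueError("rx counter went backwards; resample")
    return delta * 8 / seconds / 1e9


def classify(gbps: float, load1: float, cores: int) -> str:
    """Apply the article's rule; anything it does not cover is 'inconclusive'."""
    busy = load1 / cores > BUSY_LOAD_PER_CORE
    if gbps > GBPS_THRESHOLD and not busy:
        return "L3/L4"                          # high bandwidth, CPU fine
    if gbps <= GBPS_THRESHOLD and busy:
        return "L7"                             # low bandwidth, server struggling
    return "inconclusive"


if __name__ == "__main__":
    rate = inbound_gbps(SNAP_A, SNAP_B, "eth0", 10.0)
    print(f"{rate:.2f} Gbps inbound ->", classify(rate, load1=0.8, cores=4))
```

On a live host, replace the constructed snapshots with two reads of /proc/net/dev and take the 1-minute load from /proc/loadavg.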