15% off your first order:
DDoS Protection

Layer 3/4 vs Layer 7 DDoS attacks

Understand the difference between volumetric (L3/L4) and application (L7) attacks, how to recognize each and which filters work best.

1 MIN

DDoS attacks are classified by the OSI layer they target. Knowing the difference helps you pick the right profile and avoid wasted mitigation.

Layer 3 / 4 — network and transport

Volumetric attacks aim to saturate the link, state tables or CPU packet processing. They don't require app knowledge.

  • UDP flood — thousands of random UDP packets per second.
  • SYN flood — TCP handshake exhaustion via half-open connections.
  • Amplification — NTP, DNS, Memcached, CLDAP reflection with 50–50 000× multiplier.
  • ICMP flood — ping flood, rarely effective today.

Best defense: global Anycast scrubbing — GCore, Path, OVH VAC, Voxility, TNI.

Layer 7 — application

Attacks that look like legitimate traffic. Typically target HTTP, FiveM protocol, Minecraft handshake, etc.

  • HTTP GET/POST flood — thousands of "real" requests from a botnet.
  • Slowloris — thousands of connections kept open by slow header sends.
  • FiveM challenge bypass — mimics legitimate players until it gets a token.
  • Minecraft login flood — repeated 0x00 handshake packets.

Defense relies on challenge systems, per-session rate limits and our Strict / Ultra Strict profiles.

How to tell which attack is happening

  1. Open the panel and check the Network I/O graph.
  2. Inbound > 1 Gbps and CPU fine → L3/L4. Mitigation handles it automatically.
  3. Low bandwidth but server is "suffering" → L7. Open a ticket for a Strict profile switch.
ESC
navigacija otvoriesc zatvori