Featured-image-Blog-IT-Guide-DDoS-Layers-part2.png

The IT Guide to DDoS: Layer 4 – What You Need to Know (Part 2)

This post is part of a series about Layer 3, Layer 4, and Layer 7 DDoS attacks. 

Layer 4 DDoS attacks are particularly dangerous because they focus on overloading the transport layer protocols – without necessarily needing to consume vast amounts of bandwidth. Layer 4 attacks target the transport layer in the Open Systems Interconnection (OSI) model.

OSI-Model-Diagram-Layer-4.jpg

Layer 4 of the OSI Model: One of the Key Targets for DDoS Attacks

 

Layer 4 DDoS attacks disrupt the communication protocols responsible for data transfer between systems. They enable attackers to cause significant disruption using relatively small amounts of traffic – by exploiting vulnerabilities in TCP/UDP connections. Compare this to Layer 3 (network layer) DDoS attacks, which involve sending vast amounts of traffic simultaneously. Here’s how they work:

Exploiting Protocols that are Essential for Communication

Layer 4 DDoS attacks aim to exploit vulnerabilities in protocols that are vital for establishing connections between devices on a network, including:

  • Transmission Control Protocol (TCP): Provides reliable, ordered, and error-checked delivery of data
  • User Datagram Protocol (UDP): Delivers data without verifying its reception; a connectionless protocol, it is often used for real-time applications like video streaming

SYN Floods

SYN floods are one of the most common types of Layer 4 DDoS attack. SYN floods target the TCP handshake, which is also known as a three message handshake or SYN-SYN-ACK. Here’s how SYN floods work:

  1. When a client initiates a connection with a server, it sends a SYN (i.e., synchronize) packet to begin the three-way handshake.
  2. The server responds with a SYN-ACK (synchronize-acknowledgment) packet
  3. In a SYN flood attack, the attacker either sends no ACK (acknowledgment) in response or sends a flood of SYN requests. This leaves many half-open connections on the server, which exhausts server resources and prevents legitimate users from establishing connections.

UDP Floods

UDP floods are another type of Layer 4 DDoS attack. In a UDP flood, the attacker sends a large number of UDP packets to random ports on a target server.

Since UDP is connectionless, the target server must respond with ICMP “destination unreachable” messages if no application is listening on the port. This wastes bandwidth and processing power, leading to service disruption.

ACK Floods

ACK floods are a type of Layer 4 DDoS attack that floods a target server with TCP ACK packets, overwhelming its ability to process these acknowledgments.

ACK floods target the server’s ability to manage its resources by sending an unusually large number of ACK packets, often causing server overload and downtime.

Two Ways that Layer 4 Attacks Can Affect Your Online Services

DDoS attacks can exhaust the server’s capacity to manage connection state or overwhelm the bandwidth or computing resources of the network.

1. Exhausting the Server’s Capacity to Manage Connection States

One of the primary features of Layer 4 DDoS attacks is that they attempt to exhaust the server’s capacity to manage connection states – i.e., bringing them to connection state overload.

In TCP-based attacks like SYN floods, for example, the server allocates memory and resources for each connection attempt. If the attacker initiates a large number of fake connections, the server quickly runs out of resources, causing it to slow down or crash.

As a result, the server can end up in a compromised position with:

  • Half-open connections: With SYN floods, many connections remain in a half-open state, consuming resources without being completed.
  • Overloaded connection tables: Routers and firewalls that track connection states can also be overwhelmed by Layer 4 DDoS attacks, as they have finite space for tracking these connections.

2. Overwhelming the Bandwidth or Computing Resources of the Target’s Network

Layer 4 DDoS attacks often rely on bringing the target network to a state of bandwidth and resource exhaustion. The goal is to send a flood of packets (whether SYN, UDP, or ACK packets) at a rate that exceeds the target’s capacity to process them. This can lead to:

  • Bandwidth saturation: The network bandwidth is fully consumed, preventing legitimate traffic from reaching the server.
  • Server resource exhaustion: The target’s CPU, memory, and other resources are overwhelmed by the sheer volume of traffic.

Amplification Techniques Involving an Intermediary Server

Attackers sometimes use amplification techniques in Layer 4 attacks, especially in UDP reflection/amplification attacks. In these attacks, the attacker sends small requests to an intermediary server that responds with a much larger reply, which is then directed toward the target (victim).

Examples include DNS amplification or NTP amplification attacks. This approach allows attackers to greatly increase the volume of traffic directed at the victim while using minimal resources.

How to Mitigate Layer 4 DDoS Attacks

Methods of mitigating Layer 4 DDoS attacks include:

  • SYN cookies: A technique where the server sends back minimal state information with its SYN-ACK response, only allocating resources when the client responds with the correct ACK.
  • Rate limiting: Limiting the number of TCP/UDP requests a server will process per second can reduce the impact of an attack.
  • Stateful firewalls and Intrusion Prevention Systems (IPS): These can detect abnormal traffic patterns (like a flood of SYN or UDP packets) and filter out malicious traffic.
  • DDoS mitigation solutions: Specialized DDoS protection solutions can reroute traffic through scrubbing centers that filter out malicious traffic and allow legitimate traffic to pass through.

Continuous DDoS Vulnerability Testing Enables the Proactive Elimination of DDoS Attacks

Unlike other types of cyber attacks, the only way DDoS attacks can succeed in creating damaging downtime is via a DDoS vulnerability in the DDoS protections deployed. Vulnerabilities tend to arise from misconfigurations in DDoS protection security policies that bring down online services.

The best way to minimize DDoS vulnerabilities involves continuously testing your organization’s DDoS protections, monitoring for and fixing misconfigurations, and re-validating that those vulnerabilities have not returned.

MazeBolt RADAR™ is a DDoS vulnerability management solution that runs continuous attack simulations to uncover vulnerabilities that can cause damaging attacks and interrupt business continuity. RADAR provides organizations with the required insights to identify DDoS vulnerabilities proactively and automatically, without downtime. Through continuous validation of DDoS defenses, you can reduce the risk of a successful attack.

To learn more about DDoS Vulnerability Management, speak with a MazeBolt expert.

This is the second post in a series about  different types of DDoS attacks. Click here to read the post about Layer 3.

Stay Updated.
Get our Newsletter*

Recent posts

Latest DDoS Research from MazeBolt

dora blog

6 Months Until DORA Regulations Kick In. Are You Ready?

DDoS attacks increased in Europe by 73 percent this year – and in 50 percent of the cases, financial services companies were the target. With this steep rise in DDoS attacks, what can financial services organizations do to achieve business continuity? And how does this relate to the EU’s new Digital Operational Resilience Act (DORA)? […]

Read More >

MazeBolt RADAR™ DDoS Testing is now available in Microsoft Azure

At MazeBolt, our mission is to identify and enable remediation of all DDoS vulnerabilities ahead of time. We’re excited to announce our collaboration with Microsoft Azure, giving our mutual customers the ability to use non-disruptive DDoS testing for the first time. This adds a new level of visibility and enables increased protection on Microsoft Azure. […]

Read More >
Doing Business in the EU? October 17 is the NIS2 Deadline

Doing Business in the EU? October 17 is the NIS2 Deadline

The NIS2 Directive's compliance deadline for EU businesses is October 17, 2024, with severe penalties for non-compliance. It strengthens cybersecurity requirements, focusing on protecting critical infrastructure and mitigating risks such as DDoS attacks.

Read More >

F5 Joins MazeBolt’s Preferred Remediation Program

F5, The global leader in multi-cloud application security and delivery, is now a part of MazeBolt’s Preferred Remediation Technology Alliance Program. This program is the first of its kind and the only combined solution on the market that ensures maximal DDoS protection for mutual customers. In this blog, originally published here, F5’s Yuichi Miyazaki interviews […]

Read More >

Stay Updated - Get Our Newsletter

Stay Updated - Get Our Newsletter