
Brad Christian
Senior Search Engine Optimization Specialist

Understanding Layer 4 DDoS Attacks and Defenses
Layer 4 DDoS attacks target the transport layer of the network. These attacks disrupt the communication protocols that transfer data between systems, leaving complementary systems unable to transport key data, interrupting availability and hindering user experience. Layer 4 DDoS attacks are especially dangerous because they do not require vast bandwidth consumption to be successful.
Layer 4 attacks attempt to exploit vulnerabilities in Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). Each protocol serves a different purpose:
- TCP: Provides reliable, error-checked, and ordered data delivery
- UDP: A connectionless protocol that delivers data without verifying that it is received. Often used for real-time services such as streaming
Common Types of Layer 4 DDoS Attacks
There are three key types of layer 4 DDoS attacks:
- SYN Floods: The most common type of Layer 4 attack, targeting the TCP handshake. SYN floods work by sending synchronize (SYN) packets to begin the three-way TCP handshake. From there, the server responds with a synchronize-acknowledgment (SYN-ACK) packet. The attacker then sends no ACK packet back to the server. Instead, it sends a flood of SYN requests, leaving numerous half-open connections, which exhausts the resources of the server, preventing legitimate users from establishing their own connections.
- ACK Floods: These attacks flood the server with TCP ACK packets, which overwhelm its acknowledgment processing capabilities. In doing so, the server is unable to manage its resources due to an abnormally large quantity of ACK packets, resulting in server overload and downtime.
- UDP Floods: Another layer 4 DDoS attack that aims to waste bandwidth and processing power by sending UDP packets to random ports on a server. Since UDP is connectionless, the server must process each datagram as it arrives and, when no application is listening on the targeted port, return an ICMP "destination unreachable" message, leading to wasted resources and, ultimately, downtime and hindered performance.
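The three patterns above leave distinct traces on the server side: half-open connections, ACKs that match no handshake, and UDP datagrams to ports with no listener. The following sketch is an added example, not code from the original page; the record format, the listening-port set, and the threshold are assumptions, the sample records are constructed, and a production detector would also expire half-open entries on a timer.

```python
from collections import Counter

LISTENING_UDP = {53}   # assumption: the only UDP service on the sample server
THRESHOLD = 3          # assumption: tiny so the constructed sample trips it

# Constructed records: (proto, src, sport, dport, tcp_flags); "S" = SYN, "A" = ACK
SAMPLE = (
    [("tcp", "192.0.2.10", 50000, 443, "S"), ("tcp", "192.0.2.10", 50000, 443, "A")]
    + [("tcp", f"198.51.100.{i}", 1024 + i, 443, "S") for i in range(1, 5)]
    + [("tcp", f"203.0.113.{i}", 2048 + i, 443, "A") for i in range(1, 4)]
    + [("udp", "192.0.2.20", 5353, 53, "")]
    + [("udp", "192.0.2.99", 4000, port, "") for port in (1111, 2222, 3333)]
)

def classify(records, threshold=THRESHOLD):
    """Return (counts, alerts) for the three Layer 4 flood patterns."""
    half_open, established = set(), set()
    orphan_acks = closed_udp = 0
    closed_ports = set()
    for proto, src, sport, dport, flags in records:
        conn = (src, sport, dport)
        if proto == "tcp" and flags == "S":
            half_open.add(conn)                 # SYN-ACK sent, waiting for the final ACK
        elif proto == "tcp" and flags == "A":
            if conn in half_open:               # handshake completed
                half_open.discard(conn)
                established.add(conn)
            elif conn not in established:       # ACK for a connection that never existed
                orphan_acks += 1
        elif proto == "udp" and dport not in LISTENING_UDP:
            closed_udp += 1                     # each one costs an ICMP unreachable reply
            closed_ports.add(dport)
    counts = {"half_open": len(half_open), "established": len(established),
              "orphan_acks": orphan_acks, "closed_port_udp": closed_udp,
              "distinct_closed_ports": len(closed_ports)}
    alerts = [name for name, hit in (
        ("syn_flood", counts["half_open"] >= threshold),
        ("ack_flood", orphan_acks >= threshold),
        ("udp_flood", closed_udp >= threshold)) if hit]
    return counts, alerts

if __name__ == "__main__":
    print(classify(SAMPLE))
```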
Layer 4 vs Layer 3 vs Layer 7 DDoS Attacks: Key Differences
While layer 4 DDoS attacks target the transport layer, layer 3 attacks target the network layer, going after key network infrastructure to render certain areas inaccessible. This prevents legitimate users from reaching specific network environments and negatively impacts productivity, profitability, and user experience. Meanwhile, Layer 7 DDoS attacks target the application layer, where users interact with front-facing applications to accomplish tasks. Rendering these services unavailable or slowing them considerably can also have negative impacts on revenue, create user frustrations, and hinder employee productivity.
The key differences between these types of attacks lie in the infrastructure they target as well as the tactics used. Different DDoS attack vectors serve different purposes; the attack type needs to be tailored to the target to improve chances of success. Knowing which vectors target which layers can help guide DDoS protection strategies and deployments to successfully mitigate attacks in real time.

Impacts of Layer 4 Attacks
As with any DDoS attack, layer 4 attacks can have a variety of significant impacts. The most notable is service disruption or downtime. Due to the exhaustion of transport layer resources, key services and applications can be rendered unavailable because they cannot transmit necessary information to and from the destination. Another impact entities can feel from successful layer 4 DDoS attacks is financial, where downtime leads to lost revenue, whether that be in lost customers, recovery costs, or extortion payments.
Other potential impacts can be operational, such as reduced productivity due to employees' inability to connect to key network areas to perform their duties. Another operational impact is strain on IT resources, as IT teams must shift their attention and resources to attack response and recovery, limiting their ability to address other potential issues.
Reputational damage is another potential impact of layer 4 DDoS attacks. If customers cannot access key services, then the brand can suffer damage, leading to lost customers and potentially reducing customer acquisitions in the future.
Finally, there are security impacts. DDoS attacks are often used as a distraction from other nefarious activities, so while IT and security teams are fighting the DDoS siege, attackers can work to find entry points into the network to gain access and perform a different cyberattack.
Mitigation Strategies for Layer 4 DDoS Attacks
There are multiple ways to mitigate layer 4 DDoS attacks. One method is rate limiting and throttling, which limits the number of requests per second that a server will process from a single IP address or user to prevent attackers from overwhelming network infrastructure with excessive connection attempts. Another mitigation tactic is leveraging SYN cookies. This approach reduces the server's overhead when dealing with malicious SYN requests by sending back only minimal state information with its SYN-ACK response and allocating resources only when the client responds with the correct ACK.
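To make the SYN cookie idea concrete, the sketch below packs the state into the server's initial sequence number and rebuilds it from the final ACK. It is an added example, not code from the original page or from any real TCP stack; the 6/2/24-bit layout, the MSS table, the 64-second slot, and the secret are simplifying assumptions, and the connection values are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-key"     # constructed; a real stack uses a random secret
MSS_TABLE = [536, 1300, 1440, 1460]  # illustrative values; index fits in 2 bits
SLOT_SECONDS = 64                    # assumed time granularity of a cookie

def _mac(src, sport, dst, dport, client_isn, slot):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the time slot."""
    msg = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    msg += struct.pack("!HHII", sport, dport, client_isn, slot & 0xFFFFFFFF)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]

def make_cookie(src, sport, dst, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK; nothing is stored for the half-open connection."""
    slot = int(now) // SLOT_SECONDS
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = int.from_bytes(_mac(src, sport, dst, dport, client_isn, slot), "big")
    return ((slot & 0x3F) << 26) | (mss_idx << 24) | mac   # 6 | 2 | 24 bits

def check_cookie(src, sport, dst, dport, client_isn, ack_number, now):
    """Validate the final ACK; return the negotiated MSS, or None if forged or stale."""
    cookie = (ack_number - 1) & 0xFFFFFFFF    # client acknowledges server ISN + 1
    current = int(now) // SLOT_SECONDS
    for slot in (current, current - 1):       # current and previous slot only
        if (slot & 0x3F) != cookie >> 26:
            continue
        expected = _mac(src, sport, dst, dport, client_isn, slot)
        if hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[(cookie >> 24) & 0x3]   # only now allocate connection state
    return None

def demo():
    t0 = 1_700_000_000                        # constructed timestamp
    conn = ("198.51.100.7", 40000, "203.0.113.10", 443, 0x1234ABCD)  # constructed
    isn = make_cookie(*conn, mss=1460, now=t0)
    ack = (isn + 1) & 0xFFFFFFFF
    return (check_cookie(*conn, ack_number=ack, now=t0 + 5),           # valid ACK
            check_cookie(*conn, ack_number=0xDEADBEEF, now=t0 + 5),    # forged ACK
            check_cookie(*conn, ack_number=ack, now=t0 + 10 * SLOT_SECONDS))  # stale

if __name__ == "__main__":
    print(demo())
```

A SYN that is never followed by a valid ACK costs the server one hash computation and no memory, which is why the half-open backlog cannot be exhausted this way.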
Other defenses include stateful next-generation firewalls (NGFW) or intrusion prevention systems (IPS). These track the state of network connections and identify abnormal traffic patterns to block malicious users from connecting. However, due to their stateful nature, they are easy to overload and render unavailable, leaving the door open for attackers to exploit them with a state-exhaustion attack. They are a strong tool but not a comprehensive solution.
How NETSCOUT Helps
NETSCOUT offers multiple dedicated DDoS protection solutions to combat a wide range of attacks. A combined approach leveraging both cloud-based DDoS protection and on-premises, inline DDoS defense is the only way to defend against all types of DDoS attacks. Combine this hybrid approach with industry-leading threat intelligence via ATLAS Intelligence Feed (AIF), and businesses can have a winning combination to help keep their transport layer services performing properly and available.