Layer 3 DDoS attacks use layer 3 protocols, especially ICMP, to take down targeted servers, websites, or applications.
After reading this article you will be able to:
Related Content
Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!
Copy article link
A distributed denial-of-service (DDoS) attack attempts to overwhelm its target with large amounts of data. A DDoS attack is like a traffic jam clogging up a freeway, preventing regular traffic from reaching its destination.
Layer 3 DDoS attacks target layer 3 (L3) in the OSI model. Like all DDoS attacks, the goal of a layer 3 attack is to slow down or crash a program, service, computer, or network, or to fill up capacity so that no one else can receive service. L3 DDoS attacks typically accomplish this by targeting network equipment and infrastructure.
There are a few important differences between layer 3 DDoS attacks and attacks at the higher layers:
The OSI model is a conceptual model of how the Internet works. The main goals of the OSI model are to help people talk about networking equipment and protocols, determine which protocols are used by which software and hardware, and show how the Internet can function regardless of the underlying hardware.
The OSI model divides the different technologies that make the Internet work into layers. There are seven layers in total:
OSI layer 3 is called the network layer. Layer 3 comprises the protocols and technologies that make interconnected networks – in other words, the Internet – possible. This layer is where routing across networks takes place. Data that traverses networks is divided into packets, and these packets are addressed and sent to their destinations at layer 3. The most important protocol for this process is the Internet Protocol (IP).
Protocols at layer 3 do not open connections, ensure reliable data delivery, or indicate which service on the targeted device should use the data; those are layer 4 processes. Layer 4 involves the use of transport protocols like TCP and UDP. Sending packets across networks without a layer 4 transport protocol is like mailing a letter to an address without making sure that the address is correct, including the name of a specific person at that address who should open the letter, or using a reputable postal delivery service. The data may arrive, or it may not. This is why many layer 3 protocols are always used in conjunction with a layer 4 transport protocol that ensures the data goes to the right place.
However, it is still possible to send data packets to a network destination over IP without the use of a transport protocol.
As layer 3 is connectionless, layer 3 DDoS attacks do not need to open a connection via TCP or indicate port assignments. Layer 3 DDoS attacks target the network software a computer is running instead of a specific port.
These are the most widely used layer 3 protocols, and the ones most likely to be used in a DDoS attack:
IP: The Internet Protocol (IP) routes and addresses packets of data so that they arrive at the correct destination. Every device that connects to the Internet has an IP address, and the IP protocol attaches the correct IP address to each data packet – like addressing a letter to someone.
IPsec: IPsec is actually a suite of several protocols, not a single protocol. IPsec is the encrypted version of IP used by VPNs, similar to the difference between HTTPS and HTTP.
ICMP: The Internet Control Message Protocol (ICMP) handles error reports and testing. A connectionless protocol, ICMP does not use a transport protocol like TCP or UDP. Rather, ICMP packets are sent over IP alone. Developers and networking engineers use ICMP for its ping and traceroute functions. Typically only one ICMP packet needs to be sent at a time.
Other layer 3 protocols include:
Attacks are theoretically possible using any of these protocols. ICMP is commonly used to flood a server with too many pings to respond to, or with one large ping packet that crashes the receiving device (this is known as the "ping of death"). Attackers can use IPsec to flood the target with junk data or overly large security certificates.
However, not all of these protocols are practical for DDoS attacks, and some types of attacks are made impossible by hardware updates. For example, ARP only operates within a local network, so an attacker would first need to connect to the local network before carrying out the DDoS attack. And ICMP ping of death attacks are not possible with modern hardware, which ignores IP packets that are too large.
As with other types of DDoS attacks, the attacker sends a large volume of junk network traffic via these protocols. There are various methods for doing this, depending on the protocol. The junk traffic gets in the way of legitimate user requests, slowing down responses to them or blocking them altogether. Sometimes there is so much junk data that it overwhelms the target's resources, and the target crashes.
While other attacks are possible, including attacks over IP alone, ICMP-based attacks are the most common. Well-known ICMP attacks include:
In addition to blocking DDoS attacks at layers 4 and 7, Cloudflare mitigates layer 3 DDoS attacks. Cloudflare Magic Transit is designed specifically to stop attacks on internal network infrastructure, including DDoS attacks at any layer. The Cloudflare WAF and CDN also stop layer 3 DDoS attacks by only accepting traffic to HTTP and HTTPS ports – these are layer 7 only.
The TCP/IP model is an alternative model of how networking works. Instead of seven layers, the TCP/IP model has four:
4. Application Layer (corresponds to layers 5-7 in the OSI model)
3. Transport Layer (corresponds to layer 4 in the OSI model)
2. Internet Layer (corresponds to layer 3 in the OSI model)
1. Network Access/Link Layer (corresponds to layers 1-2 in the OSI model)
Referencing the TCP/IP model instead of the OSI model, layer 3 DDoS attacks would be called layer 2 DDoS attacks.