Layer 3-4 DDoS Protection: Network & Transport Layer Defense
1.6 Tbps volumetric attack mitigation via BGP anycast. SYN floods, UDP floods, amplification attacks filtered in <3 seconds. Zero latency penalty for always-on mode.
Network and transport layer DDoS protection defends against volumetric attacks that aim to saturate bandwidth or exhaust network infrastructure. Our globally distributed scrubbing centers absorb multi-terabit attacks before they reach your network.
Layer 3-4 protection is a core component of our DDoS protection services, designed specifically for high-bandwidth floods, protocol exploits, and reflection attacks that target the network and transport layers.
Built for network operators, ISPs, and infrastructure providers facing volumetric threats. BGP anycast routing directs attack traffic to the nearest scrubbing center where sophisticated filtering drops malicious packets while legitimate traffic flows through unaffected.
What are Layer 3-4 Attacks?
Layer 3-4 attacks target the network layer (IP) and transport layer (TCP/UDP) of the OSI model. Unlike application-layer attacks that exploit web server logic, these attacks aim to consume network bandwidth, exhaust state tables, or overflow connection queues.
Volumetric attacks flood targets with massive packet volumes (often 100+ Gbps). Reflection/amplification attacks abuse open DNS resolvers, NTP servers, or SSDP services to multiply attack traffic. Protocol attacks like SYN floods exploit TCP handshake mechanics to exhaust server resources.
Target Layers
Layer 3 (Network)
IP layer attacks: ICMP floods, IP fragmentation, spoofed packets. Overwhelm routers and network infrastructure.
Layer 4 (Transport)
TCP/UDP attacks: SYN floods, UDP floods, ACK floods. Exhaust connection tables and bandwidth.
Common Attack Types
SYN Flood
Exploits TCP handshake by sending SYN packets without completing connection. Exhausts server connection table. Mitigated via SYN cookies and rate limiting.
UDP Flood
Floods target with UDP packets, often to random ports. No handshake required, easy to spoof. Filtered based on rate and legitimacy.
ICMP Flood (Ping of Death)
Overwhelms target with ICMP echo requests. Simple but effective bandwidth saturation. Rate limited at scrubbing centers.
DNS Amplification
Abuses open DNS resolvers to amplify attack traffic 50-100x. Spoofed source IPs direct responses to victim. Filtered via source validation.
NTP Amplification
Exploits NTP monlist command for amplification factors up to 500x. Legacy protocol vulnerability. Blocked at network edge.
SSDP Reflection
Abuses Universal Plug and Play (UPnP) for reflection attacks. Common with IoT botnets. Identified and dropped via signature matching.
How Our Protection Works
BGP Anycast Routing
Your IP ranges announced from 15 global scrubbing centers via BGP. Attack traffic automatically routed to nearest facility for local mitigation.
Traffic Analysis
All traffic flows through scrubbing infrastructure. Flow analysis and packet inspection identify anomalies in real-time.
Attack Detection
Baseline traffic patterns established. Deviations trigger automatic detection: sudden traffic spikes, unusual protocols, spoofed sources.
Filtering & Scrubbing
Malicious packets dropped at scrubbing center. Sophisticated filtering rules identify and block attack signatures while preserving legitimate traffic.
Clean Traffic Forwarding
Only legitimate traffic forwarded to your origin. GRE tunnel or direct connection delivers clean packets with minimal latency.
Technical Capabilities
| Capability | Specification |
|---|---|
| Mitigation Capacity | 1.6 Tbps total network capacity |
| Per-Attack Capacity | Up to 500 Gbps per customer |
| Scrubbing Centers | 15 global locations (Europe, NA, Asia) |
| Latency Impact | Zero (always-on mode), <3 second activation (on-demand) |
| BGP Anycast | Automatic traffic routing to nearest scrubbing center |
| IP Support | IPv4 and IPv6 |
| Filtering | Stateless ACLs, rate limiting, protocol validation, GeoIP |
| Protection Modes | Always-on or on-demand activation |
| Uptime SLA | 99.99% |
Detection & Mitigation
Automatic Detection
Continuous monitoring of traffic patterns. Machine learning baselines detect anomalies within seconds. No manual intervention required.
Real-Time Mitigation
Attack mitigation active within 3 seconds of detection. Always-on mode provides instant protection with zero activation delay.
Baseline Learning
System learns normal traffic patterns for your infrastructure. Seasonal variations, traffic spikes, and legitimate bursts accounted for.
Flow Analysis
NetFlow/sFlow analysis provides visibility into attack sources, protocols, and patterns. Historical data aids forensic investigation.
Custom Filtering
Create custom ACLs for specific threats. Rate limiting per protocol or port. GeoIP blocking for specific countries or ASNs.
Instant Alerts
Real-time notifications via email, SMS, webhook. Attack dashboards with live traffic graphs and mitigation status.
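The flow-based detection described above, sketched as an added example (not the provider's code): flow records are grouped into the attack classes this page lists and each class's bit and packet rate is compared with a learned baseline. The record fields, thresholds and sample flows are constructed assumptions.

```python
from collections import defaultdict

TCP, UDP, ICMP, SYN = 6, 17, 1, 0x02
# UDP source ports of the services the page names as reflection vectors.
REFLECTORS = {53: "dns_amplification", 123: "ntp_amplification", 1900: "ssdp_reflection"}

def classify(f):
    """Map one flow record to the traffic class its rate is accounted under."""
    if f["proto"] == UDP:
        # Reflected responses arrive *from* the abused service's port.
        return REFLECTORS.get(f["src_port"], "udp_other")
    if f["proto"] == TCP:
        # Cumulative flags equal to SYN alone: the handshake never progressed.
        return "tcp_syn_only" if f["tcp_flags"] == SYN else "tcp_other"
    return "icmp" if f["proto"] == ICMP else "other"

def detect(flows, window_s, baseline, factor=5.0, floor=(1_000_000, 500)):
    """Return {class: (bps, pps)} for classes above factor x baseline (bps, pps)."""
    # floor (an assumed value) stops classes with a near-zero baseline
    # from alerting on trivial traffic.
    totals = defaultdict(lambda: [0, 0])  # class -> [bytes, packets]
    for f in flows:
        t = totals[classify(f)]
        t[0] += f["bytes"]
        t[1] += f["packets"]
    alerts = {}
    for cls, (nbytes, npkts) in totals.items():
        observed = (nbytes * 8 / window_s, npkts / window_s)
        limits = [max(b * factor, fl) for b, fl in zip(baseline.get(cls, (0, 0)), floor)]
        # Check both: amplification shows up in bps, a SYN flood mostly in pps.
        if any(o > l for o, l in zip(observed, limits)):
            alerts[cls] = observed
    return alerts

def flow(proto, sport, dport, flags, packets, nbytes):
    return {"proto": proto, "src_port": sport, "dst_port": dport,
            "tcp_flags": flags, "packets": packets, "bytes": nbytes}

# Constructed 10-second sample of flows toward one protected address.
SAMPLE = (
    [flow(UDP, 123, 40000 + i, 0, 1000, 440_000) for i in range(50)]      # NTP replies
    + [flow(TCP, 1024 + i, 443, SYN, 1, 60) for i in range(8000)]         # bare SYNs
    + [flow(TCP, 51000 + i, 443, 0x1B, 100, 150_000) for i in range(20)]  # full sessions
    + [flow(UDP, 53, 33000, 0, 2, 2_000)]                                 # ordinary DNS reply
)
BASELINE = {"tcp_other": (2_000_000, 200), "dns_amplification": (50_000, 10),
            "tcp_syn_only": (20_000, 40)}
```

On the sample, `detect(SAMPLE, 10, BASELINE)` flags the NTP replies on bit rate and the bare SYNs on packet rate only, which is why a byte-only threshold would miss a SYN flood.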
Layer 3-4 vs Layer 7 Protection
| Feature | Layer 3-4 Protection | Layer 7 Mitigation |
|---|---|---|
| Target Layer | Network & Transport (IP, TCP, UDP) | Application (HTTP, DNS, APIs) |
| Attack Types | SYN flood, UDP flood, ICMP flood, amplification | HTTP flood, Slowloris, bot attacks, API abuse |
| Attack Volume | High bandwidth (often 100+ Gbps) | Low-medium bandwidth (request-based) |
| Detection Method | Flow analysis, rate anomalies, protocol validation | Behavioral analysis, bot fingerprinting, AI learning |
| Mitigation Speed | <3 seconds (automatic) | <30 seconds (AI classification) |
| Latency Impact | Zero (always-on) | <5ms (traffic inspection) |
| Use Case | Network infrastructure, ISPs, game servers | Web applications, APIs, SaaS platforms |
Recommendation: Deploy both layers for comprehensive protection. Layer 3-4 handles volumetric floods while Layer 7 defends application logic.