
What are L3 DDoS attacks, and how do they work?
Layer 3 DDoS attacks are a type of cyber assault that targets the third layer of the OSI (Open Systems Interconnection) model, which is responsible for routing data packets across networks. These attacks focus on overwhelming core network devices like switches and routers, which are essential for directing traffic and maintaining network performance.
Any DDoS attack aims to overwhelm the targets with an excess of data or requests. In a Layer 3 DDoS attack, the hacker intends to disrupt the normal functioning of a network by flooding it with an excessive volume of traffic. This is achieved by exploiting vulnerabilities in network protocols such as Internet Protocol (IP), Internet Control Message Protocol (ICMP), and Address Resolution Protocol (ARP). By doing so, attackers can exhaust the resources of network devices, leading to a significant slowdown or a complete crash of the network.
Understanding these attacks is essential for implementing effective security measures to protect network integrity and ensure continuous service availability.
L3, L4, and L7 DDoS attacks – what’s the difference?
To understand better what kinds of DDoS attacks there are and how L3 attacks work exactly, let’s have a look at the entire OSI model:

Layer 3, the network layer in the OSI model, is essential for routing data across interconnected networks like the Internet. It handles the division and addressing of data packets, primarily using the Internet Protocol (IP). Unlike Layer 4 and Layer 7, which involve transport and application layer processes, Layer 3 focuses solely on network routing without establishing connections or ensuring data delivery.
Layer 3 DDoS attacks specifically target this network layer, bypassing the need for transport layer or application layer processes. These attacks do not require opening a TCP connection with the target, nor do they target specific ports. Instead, they flood the network infrastructure with data packets, overwhelming the network software and causing disruptions. By exploiting the connectionless nature of Layer 3, these attacks can saturate network resources without engaging in the more complex processes of higher layers, leading to significant service disruptions.
What are the different types of L3 DDoS attacks?
In this chapter, we explain the typically observed types of Layer 3 DDoS attacks and how they function. While these attacks often carry commercial names, our focus is on their technical nature and on classifying them to aid understanding and mitigation. By breaking down these attacks, we aim to provide insight into their mechanisms and help network professionals develop effective defence strategies.
ICMP Flood
ICMP Flood DDoS attacks are a type of DDoS attack that involves overwhelming a target system with a large volume of ICMP packets. The primary aim is to consume the target’s network bandwidth and processing resources, causing service disruption or making the system unresponsive to legitimate traffic.
ICMP is typically used for diagnostic purposes, such as the “ping” command, which checks the reachability of a host on a network. In an ICMP Flood attack, the attacker sends a high volume of ICMP Echo Request packets to the target. The target system is forced to process and respond to each request with an ICMP Echo Reply, consuming its resources.
When executed as a distributed attack (DDoS), multiple systems are used to send ICMP packets to the target, making it more difficult to mitigate. This distributed nature amplifies the attack’s impact, as the target is bombarded from numerous sources simultaneously.
To defend against ICMP Flood attacks, network administrators can implement measures such as rate-limiting ICMP traffic, configuring firewalls to block excessive ICMP packets, and using intrusion detection systems to identify and mitigate such attacks.
Ping Flood
Ping flood DDoS attacks are a type of denial-of-service attack where the attacker overwhelms a target system with ICMP Echo Request (ping) packets. The goal is to consume the target’s available bandwidth or processing power, rendering it unable to respond to legitimate traffic.
In a typical ping flood, the attacker sends a large number of ping requests to the target. Each request requires the target to send back an ICMP Echo Reply, consuming both incoming and outgoing bandwidth. If the attack is distributed (DDoS), multiple sources send ping requests, making it harder to mitigate.
ICMP Flood and Ping Flood attacks are closely related, but there are subtle differences between them. A Ping Flood is a subset of an ICMP Flood, focusing specifically on ICMP Echo Requests. Both aim to disrupt the target’s ability to handle legitimate traffic by overwhelming it with unnecessary requests.
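The ICMP Flood and Ping Flood sections above both come down to the same observable: an abnormal rate of ICMP Echo Requests (type 8) toward one destination, from one or many sources. The detector below is an added example, not FastNetMon's code; it runs over constructed packet records (timestamp, source, destination, ICMP type) and flags any one-second window whose echo-request rate exceeds a threshold, noting whether the traffic is distributed across many sources.

```python
from collections import defaultdict

# Constructed sample of packet records: (timestamp_s, src_ip, dst_ip, icmp_type).
# ICMP type 8 is Echo Request ("ping"); type 0 is Echo Reply.
SAMPLE_PACKETS = (
    # Normal diagnostic traffic: a handful of pings to the target, one every 0.5 s
    [(i * 0.5, "192.0.2.10", "198.51.100.1", 8) for i in range(4)]
    # Flood: 300 echo requests inside the first second from 30 different sources
    + [(i / 300, f"203.0.113.{i % 30 + 1}", "198.51.100.1", 8) for i in range(300)]
    # An echo reply leaving the target; must not be counted as request traffic
    + [(0.1, "198.51.100.1", "192.0.2.10", 0)]
)

def echo_request_stats(packets, window_s=1.0):
    """Per (destination, time bucket): number of echo requests and the distinct sources."""
    stats = defaultdict(lambda: {"pkts": 0, "srcs": set()})
    for ts, src, dst, icmp_type in packets:
        if icmp_type != 8:            # only Echo Requests load the target with replies
            continue
        entry = stats[(dst, int(ts // window_s))]
        entry["pkts"] += 1
        entry["srcs"].add(src)
    return stats

def detect_icmp_flood(packets, pps_threshold=100, window_s=1.0, distributed_min_srcs=10):
    """Return one alert per (destination, window) whose echo-request rate exceeds the threshold.

    pps_threshold and distributed_min_srcs are illustrative values; tune them to the
    baseline ICMP rate your network normally sees.
    """
    alerts = []
    for (dst, bucket), entry in echo_request_stats(packets, window_s).items():
        pps = entry["pkts"] / window_s
        if pps > pps_threshold:
            alerts.append({
                "dst": dst,
                "window_start": bucket * window_s,
                "pps": pps,
                "sources": len(entry["srcs"]),
                # many sources in one window is the signature of the distributed variant
                "distributed": len(entry["srcs"]) >= distributed_min_srcs,
            })
    return alerts

if __name__ == "__main__":
    for alert in detect_icmp_flood(SAMPLE_PACKETS):
        print(alert)
```

A distributed alert tells the operator that a per-source rate limit alone will not help, because each individual source stays under any reasonable per-IP threshold.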
IP Fragmentation
IP fragmentation attacks exploit the process of dividing large IP packets into smaller fragments to accommodate network transmission limits. These attacks aim to overwhelm a target system’s resources by sending a flood of fragmented packets, causing service disruption or degradation. When a system receives fragmented packets, it must reassemble them to process the data. Attackers take advantage of this by sending excessive or malformed fragments, leading to resource exhaustion or system errors.
Such attacks can bypass security measures, as fragmented packets may evade detection by firewalls and intrusion detection systems. This makes them a potent tool for attackers seeking to disrupt services or exploit vulnerabilities. Defending against IP fragmentation attacks requires robust security configurations, including the use of firewalls to filter suspicious fragments, intrusion detection systems to identify anomalies, and regular system updates to handle malformed packets effectively.
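The two failure modes described above, reassembly-buffer exhaustion from fragments whose remaining pieces never arrive and malformed fragments that overlap already-received data, can both be spotted by tracking fragment groups per (source, destination, IP ID). The checker below is an added example, not code from the page or from FastNetMon; it works on constructed fragment records (source, destination, IP ID, byte offset, payload length, more-fragments flag) and the incomplete-group limit is an illustrative value.

```python
from collections import defaultdict

# Constructed fragment records: (src_ip, dst_ip, ip_id, offset_bytes, payload_len, more_fragments)
SAMPLE_FRAGMENTS = (
    # Benign: one 3000-byte datagram split into three fragments that all arrive
    [("192.0.2.10", "198.51.100.1", 100, 0, 1480, True),
     ("192.0.2.10", "198.51.100.1", 100, 1480, 1480, True),
     ("192.0.2.10", "198.51.100.1", 100, 2960, 40, False)]
    # Exhaustion: 200 first fragments, one per IP ID, whose remaining fragments never
    # arrive, so each one holds a reassembly buffer slot until it times out
    + [("203.0.113.5", "198.51.100.1", 1000 + i, 0, 1480, True) for i in range(200)]
    # Malformed: the second fragment starts inside the payload of the first (overlap)
    + [("203.0.113.9", "198.51.100.1", 7, 0, 1480, True),
       ("203.0.113.9", "198.51.100.1", 7, 1000, 1480, False)]
)

def analyse_fragments(fragments, incomplete_limit=64):
    """Group fragments per datagram; report overlaps and incomplete groups per source."""
    groups = defaultdict(list)            # (src, dst, ip_id) -> [(offset, length, more_fragments)]
    for src, dst, ip_id, off, length, mf in fragments:
        groups[(src, dst, ip_id)].append((off, length, mf))

    overlapping = set()                   # (src, ip_id) pairs with overlapping fragments
    incomplete = defaultdict(int)         # src -> number of datagrams that never reassembled
    for (src, _dst, ip_id), parts in groups.items():
        parts.sort()                      # walk fragments in offset order
        covered_to, gap, last_mf = 0, False, True
        for off, length, mf in parts:
            if off < covered_to:          # starts inside data we already hold
                overlapping.add((src, ip_id))
            elif off > covered_to:        # hole before this fragment
                gap = True
            covered_to = max(covered_to, off + length)
            last_mf = mf
        if gap or last_mf:                # missing a middle piece or the final fragment
            incomplete[src] += 1

    # sources holding more unfinished datagrams than the buffer budget allows
    exhausting = {src: n for src, n in incomplete.items() if n > incomplete_limit}
    return {"overlapping": sorted(overlapping),
            "incomplete_by_src": dict(incomplete),
            "exhausting": exhausting}

if __name__ == "__main__":
    print(analyse_fragments(SAMPLE_FRAGMENTS))
```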
DNS Amplification attacks
DNS Amplification attacks are a type of DDoS attack that exploits open DNS resolvers to overwhelm a target system with a flood of traffic. The attack takes advantage of the fact that DNS queries are typically much smaller than the responses they generate, allowing attackers to amplify their impact. DNS Amplification attacks are particularly effective because they can generate a large amount of traffic with relatively little effort from the attacker.
While DNS itself is an application-layer protocol (Layer 7), the amplification attack focuses on exploiting the network and transport layers to flood the target with traffic rather than directly targeting application-layer functions.
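Because the reflected traffic arrives as DNS responses the victim never asked for, a useful network-layer check is to match inbound UDP/53 responses against the outbound queries actually seen, and to alert on the volume of responses with no matching query. The code below is an added example, not the page's or FastNetMon's; it uses constructed UDP flow records (timestamp, source, source port, destination, destination port, payload bytes) and an illustrative bits-per-second threshold.

```python
from collections import defaultdict

PROTECTED = "198.51.100.1"   # constructed address of the host being protected

# Constructed UDP flow records: (ts_s, src_ip, src_port, dst_ip, dst_port, payload_bytes)
SAMPLE_FLOWS = (
    # Legitimate: the protected host queries its resolver and receives the answer
    [(0.00, PROTECTED, 40001, "192.0.2.53", 53, 60),
     (0.02, "192.0.2.53", 53, PROTECTED, 40001, 120)]
    # Amplification: 400 large (3000-byte) answers from 50 open resolvers reflected
    # at the protected host, which never sent those resolvers a query
    + [(0.1 + i * 0.001, f"203.0.113.{i % 50 + 1}", 53, PROTECTED, 1024 + i, 3000)
       for i in range(400)]
)

def find_unsolicited_dns(flows, window_s=1.0):
    """Per (destination, window): DNS responses that match no earlier outbound query."""
    queried = set()                        # (client_ip, resolver_ip, client_port) we saw leave
    stats = defaultdict(lambda: {"pkts": 0, "bytes": 0, "reflectors": set()})
    for ts, src, sport, dst, dport, size in sorted(flows):   # time order matters
        if dport == 53:                    # outbound query: remember who asked whom
            queried.add((src, dst, sport))
        elif sport == 53 and (dst, src, dport) not in queried:
            entry = stats[(dst, int(ts // window_s))]
            entry["pkts"] += 1
            entry["bytes"] += size
            entry["reflectors"].add(src)   # distinct resolvers abused as reflectors
    return stats

def detect_dns_amplification(flows, bps_threshold=1_000_000, window_s=1.0):
    """Alert on any window where unsolicited DNS response traffic exceeds bps_threshold."""
    alerts = []
    for (dst, bucket), s in find_unsolicited_dns(flows, window_s).items():
        bps = s["bytes"] * 8 / window_s
        if bps > bps_threshold:
            alerts.append({"dst": dst, "window_start": bucket * window_s, "bps": bps,
                           "pkts": s["pkts"], "reflectors": len(s["reflectors"])})
    return alerts

if __name__ == "__main__":
    for alert in detect_dns_amplification(SAMPLE_FLOWS):
        print(alert)
```

The reflector list is what an operator would hand to a filtering or scrubbing stage, since the true attacker's address never appears in the reflected packets.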
How to mitigate the L3 DDoS attacks?
There are several techniques for defending against Layer 3 DDoS attacks, and the best strategy often depends on your specific setup. In this chapter, we explain these methods briefly.
Blackholing / RTBH
One of the simplest mitigation techniques is blackholing, which involves redirecting traffic for specific IP address ranges to a null route, effectively removing it from the network. While this can quickly eliminate large volumes of malicious traffic, it also discards legitimate traffic to or from the same IP range. As a result, blackholing is best reserved as a last resort, particularly during large-scale or prolonged attacks. Read a full explanation of how RTBH blackholing works here.
Rate Limiting
Another approach is rate limiting, which controls the volume of traffic allowed to reach the target system. By setting limits on traffic per IP address, this method can prevent overwhelming volumes of malicious traffic. However, it is less effective against attacks using numerous IP addresses and can inadvertently block legitimate traffic if limits are set too low.
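The per-IP limit described above is usually implemented as a token bucket per source: a sustained rate plus a burst allowance. The simulation below is an added example, not FastNetMon's code; the constructed traffic and the limit values (10 packets/s sustained, 20 burst) are assumptions chosen to show both the strength (a single-source flood is cut down) and the stated weakness (the same packet count spread over 200 sources passes untouched). Timestamps are in milliseconds and tokens are kept in thousandths so the arithmetic stays exact.

```python
class PerSourceRateLimiter:
    """Token bucket per source IP: `rate` packets/s sustained, up to `burst` packets at once."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.buckets = {}          # src_ip -> (millitokens, last_seen_ms)

    def allow(self, src_ip, ts_ms):
        tokens, last = self.buckets.get(src_ip, (self.burst * 1000, ts_ms))
        # rate packets/s == rate millitokens/ms, so refill is exact integer math
        tokens = min(self.burst * 1000, tokens + (ts_ms - last) * self.rate)
        if tokens >= 1000:         # one whole token available: forward the packet
            self.buckets[src_ip] = (tokens - 1000, ts_ms)
            return True
        self.buckets[src_ip] = (tokens, ts_ms)
        return False

def simulate(limiter, packets):
    """Run (ts_ms, src_ip) packets through the limiter; return (passed, dropped)."""
    passed = dropped = 0
    for ts_ms, src in packets:
        if limiter.allow(src, ts_ms):
            passed += 1
        else:
            dropped += 1
    return passed, dropped

# Constructed traffic: 1000 packets in one second toward the same target, either
# from one source or spread evenly over 200 sources (5 packets each).
SINGLE_SOURCE = [(i, "203.0.113.7") for i in range(1000)]
DISTRIBUTED = [(i, f"203.0.113.{i % 200 + 1}") for i in range(1000)]

def compare(rate=10, burst=20):
    """Return the (passed, dropped) outcome for both traffic patterns under one policy."""
    return (simulate(PerSourceRateLimiter(rate, burst), SINGLE_SOURCE),
            simulate(PerSourceRateLimiter(rate, burst), DISTRIBUTED))

if __name__ == "__main__":
    single, distributed = compare()
    print("single source  (passed, dropped):", single)
    print("200 sources    (passed, dropped):", distributed)
```

Lowering the per-IP limit far enough to stop the distributed case would also start dropping ordinary users, which is the trade-off the text warns about.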
Traffic Filtering
Traffic filtering involves identifying and blocking malicious traffic while allowing legitimate traffic to pass through. This technique requires sophisticated analysis to distinguish between harmful and benign traffic. The effectiveness of traffic filtering also depends on the scale of the attack and the capacity of the filtering solution to handle large volumes of data.
Scrubbing Centers
Scrubbing centers provide robust protection by diverting incoming traffic to specialized facilities for analysis and filtering. These centers use advanced technologies and algorithms to remove malicious traffic, forwarding only clean traffic to the target system. With sufficient redundancy, scrubbing centers can effectively manage large-scale attacks, offering a reliable defence against Layer 3 DDoS threats. Read more about scrubbing center automation here.
Conclusion
Layer 3 DDoS attacks pose a significant threat to network infrastructure by targeting the core network layer responsible for routing data packets. These attacks can severely disrupt services by overwhelming essential network devices like routers and switches. Understanding the mechanics of Layer 3 attacks, such as ICMP Floods, Ping Floods, IP Fragmentation, and DNS Amplification, is key to developing effective defence strategies.
Mitigating these attacks requires a multi-faceted approach. Techniques such as blackholing, rate limiting, traffic filtering, and the use of scrubbing centres can provide varying levels of protection. However, each method has its limitations and downsides and may not be sufficient on its own. Some approaches may also be very costly, especially against large-scale or sophisticated attacks.
FastNetMon offers a best-in-class solution for detecting and mitigating Layer 3 DDoS attacks. By providing the fastest attack detection on the market, FastNetMon can identify and implement response actions before the attack causes a disruption. By deploying FastNetMon, organisations can bolster their defences against Layer 3 DDoS attacks, ensuring robust protection for their critical network infrastructure. Read more about our solution here: https://fastnetmon.com/