
Introduction
Mafiaboy. GitHub. Spamhaus. Estonia.
What are some of the most famous Layer 3 DDoS attacks?
Correct!
No, this isn’t a teaser for a particularly geeky episode of “Jeopardy!”
Layer 3 DDoS attacks have been around for decades and in this blog, we’ll explore them further.
From high-profile enterprises and open-source collaboration environments to non-profit organizations and even entire countries, no one is immune to threat actors who set their sights on disrupting service availability via Layer 3 DDoS attacks and who, from there, often unleash additional threats including data exfiltration and extortion.
Let’s take a closer look at how Layer 3 DDoS attacks work, their operational impact on organizations, new DDoS challenges, as well as best practices and technologies to mitigate and protect against these evolving attacks.
How Layer 3 DDoS Attacks Work
Layer 3 (the network layer) of the OSI model is responsible for routing and forwarding data packets between networks. Layer 3 DDoS attacks target routers and use network layer protocols (e.g., Internet Protocol [IP], Internet Control Message Protocol [ICMP], and Address Resolution Protocol [ARP]) as the initial points of entry to overload networks with large quantities of traffic. Because of this, Layer 3 DDoS attacks are frequently described as protocol-based and volumetric.
Here’s how some of the most common types of network layer DDoS attacks work.
IP Fragmentation DDoS Attacks
IP Fragmentation DDoS attacks take advantage of a weakness in how fragmentation works to consume processing power and resources. Under normal conditions, when an IP packet exceeds the Maximum Transmission Unit (MTU) size for a network path, routers split the large packet into smaller fragments, and the receiving device reassembles them. IP fragmentation attacks overwhelm devices with fragmented packets, or with incorrect instructions for their reassembly, which disrupts the process and brings down service.
Ping (ICMP) Flood DDoS Attacks
ICMP is the protocol that routers use to communicate error information or updates to other network devices. In a Ping (ICMP) Flood DDoS attack, a threat actor sends an excessive number of ICMP echo (ping) requests to a router that, in turn, saturates servers with messages. As devices struggle to reply, network performance slows down. Eventually, operations are completely disrupted, and legitimate users can't use the service.
ARP-based DDoS attacks
ARP maps an IP address to a physical machine via its Media Access Control (MAC) address. When a router doesn't have a MAC address stored, it broadcasts a request to other machines asking for the matching MAC address. Threat actors can abuse this process to launch ARP-based DDoS attacks through techniques such as flooding devices with ARP requests, sending ARP replies with incorrect MAC addresses, or flooding a network switch's MAC address table.
DNS Amplification DDoS attacks
DNS Amplification DDoS attacks aim to bring down Domain Name System (DNS) servers by triggering an amplified response. DNS is a Layer 7 (application layer) protocol that, in this case, is indirectly targeted through a Layer 3 DDoS attack. Attackers send a large number of small DNS queries with a spoofed source IP address; the replies are far larger than the queries, and the resulting volume of responses overwhelms the target's network capacity rather than attacking the application layer directly.
The Impact of Layer 3 DDoS Attacks
Layer 3 DDoS attacks compromise the integrity of the network’s basic infrastructure, and they can also be used, as in DNS attacks, to impact web applications specifically. These attacks can have severe technical and business consequences for organizations.
Technical Impact
Network saturation: Excessive Layer 3 traffic overloads the network's bandwidth and can create congestion, which makes it impossible for legitimate users to access internet-facing systems.
System resource exhaustion: As servers attempt to respond to bogus requests, router, firewall, and server CPU cycles become drained. CPU overload and consumption of available memory cause widespread performance issues and, eventually, systems crash.
Business Impact
Service disruption: Network saturation impacts availability of devices and network segments. Websites time out, cloud-based services are blocked, and applications that rely on the network stop working.
Email disruption: In some cases, such as ICMP floods, inbound emails may bounce and be returned as undeliverable. The server's IP address could be added to blackhole lists, which results in other email servers rejecting messages from that address, causing further disruption and additional recovery effort after the attack.
Financial loss: Any compromise to business operations can have financial implications including costs of mitigation and recovery efforts as well as losses in revenue, brand reputation, and customer trust. Follow-on attacks that include data exfiltration and extortion can lead to additional financial damage such as ransom payments and regulatory penalties.
The Evolution of Layer 3 DDoS Attacks Hampers Detection
Corero’s 2025 Threat Intelligence Report confirms that through the use of automation and affordable tools like DDoS-as-a-service and botnets for hire, threat actors with limited technical knowledge can execute DDoS attacks that impact network infrastructure as well as internet-facing services.
Additionally, DDoS attacks have become more difficult to detect and more destructive. The majority of DDoS attacks that we observed in 2024 were under 1 Gbps in size. Capable of slipping under traditional volumetric detection mechanisms while still degrading service quality, they are increasingly being used as a strategic tool to:
- Probe for weaknesses attackers can use to launch other types of attacks like data breaches
- Test for mitigation thresholds
- Distract security teams from more targeted activities like ransomware attacks
These smaller attacks are often missed by defenders who chalk them up as random network noise, when in fact they may signal potentially more disruptive attacks.
Mitigating and Protecting Against Layer 3 DDoS Attacks
There are several best practices and technologies organizations can implement to mitigate Layer 3 DDoS attacks.
IP blocklists
Maintain a list of known malicious IP addresses and use IP blocklists to block traffic from these sources. Conversely, consider IP allow lists to only allow traffic from trusted sources.
Traffic monitoring and rate limiting
Implement robust traffic monitoring and anomaly detection systems. By establishing a baseline of normal traffic behavior, you can quickly identify any deviations or anomalies to mitigate an attack.
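The two points above, that sub-1 Gbps attacks slip under a fixed volumetric bar and that a baseline of normal behavior is what exposes them, can be shown in a few dozen lines. The script below is an added example, not Corero's code: it builds a per-metric baseline (mean and standard deviation of bandwidth and of packets per second for TCP, UDP, ICMP and fragmented IP) from constructed quiet-period samples, then classifies new one-second windows. The threshold multiplier K, the 1 Gbps bar and all traffic figures are assumptions chosen for illustration.

```python
"""Baseline-and-deviation detector for router interface counters.

Added example, not Corero's code. The samples are constructed one-second
readings (bits on the wire plus packets-per-second per protocol). It shows
that a fixed volumetric bar such as 1 Gbps misses an attack that only
changes the *shape* of traffic (e.g. the ICMP share), while a baseline of
each metric catches it.
"""
from statistics import mean, pstdev

PROTOCOLS = ("tcp", "udp", "icmp", "frag")   # "frag" = fragmented IP packets
K = 4.0                          # standard deviations above the mean = anomalous (assumption)
VOLUMETRIC_BPS = 1_000_000_000   # the traditional 1 Gbps "big attack" bar


def sample(second, total_bits, **pps):
    return {"second": second, "bits": total_bits, "pps": pps}


# Constructed quiet-period baseline: ~200 Mbps with small periodic jitter
BASELINE = [
    sample(s, 200_000_000 + (s % 7) * 3_000_000,
           tcp=20_000 + (s % 5) * 500, udp=6_000 + (s % 3) * 200,
           icmp=40 + (s % 4) * 10, frag=15 + (s % 2) * 5)
    for s in range(120)
]


def build_baseline(samples):
    """Return {metric: (mean, stdev)} for bandwidth and each protocol's pps."""
    model = {}
    bits = [s["bits"] for s in samples]
    model["bits"] = (mean(bits), pstdev(bits))
    for proto in PROTOCOLS:
        series = [s["pps"].get(proto, 0) for s in samples]
        model[proto] = (mean(series), pstdev(series))
    return model


def evaluate(s, model, k=K, floor=1.0):
    """List the metrics in sample `s` that exceed mean + k*stdev.

    `floor` stops a near-constant metric (stdev ~ 0) from alerting on
    trivial jitter: the band is never narrower than k*floor.
    """
    observed = {"bits": s["bits"], **{p: s["pps"].get(p, 0) for p in PROTOCOLS}}
    alerts = []
    for metric, value in observed.items():
        mu, sigma = model[metric]
        if value > mu + k * max(sigma, floor):
            alerts.append(metric)
    return alerts


def classify(s, model):
    """'volumetric' above the 1 Gbps bar; 'low-volume' when under it but
    some metric deviates from baseline; otherwise 'normal'."""
    alerts = evaluate(s, model)
    if s["bits"] > VOLUMETRIC_BPS:
        return "volumetric", alerts
    if alerts:
        return "low-volume", alerts
    return "normal", alerts


MODEL = build_baseline(BASELINE)

# Constructed test windows
QUIET = sample(1000, 205_000_000, tcp=21_000, udp=6_200, icmp=55, frag=20)
# ~30k small ICMP packets/s adds only ~15 Mbps: bandwidth stays inside the
# baseline band, but the ICMP packet rate is far outside it.
SMALL_ICMP_FLOOD = sample(1001, 226_000_000, tcp=21_500, udp=6_100, icmp=30_000, frag=18)
BIG_UDP_FLOOD = sample(1002, 4_000_000_000, tcp=22_000, udp=500_000, icmp=60, frag=2_000)

if __name__ == "__main__":
    for name, s in [("quiet", QUIET), ("small icmp flood", SMALL_ICMP_FLOOD),
                    ("big udp flood", BIG_UDP_FLOOD)]:
        print(name, classify(s, MODEL))
```

The small ICMP flood never crosses the 1 Gbps bar and barely moves total bandwidth, so a purely volumetric detector would file it under "network noise"; the per-protocol baseline flags the ICMP rate on its own. In production the baseline should be rebuilt per interface and per time of day, and the alert should feed the rate-limiting or blocklisting step rather than just a log line.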
Set up rate limiting on your network devices to restrict the number of requests from a single source within a specified timeframe. This can help prevent overwhelming your servers with excessive traffic.
Network redundancy and failover plans
Use load balancers and failover mechanisms that distribute traffic across different servers and cloud resources to help mitigate the impact of an attack and assist with continuity of service while IT teams investigate and respond.
Leverage Content Delivery Networks (CDNs) to distribute your website’s content across multiple servers and locations. CDNs can absorb and distribute traffic, minimizing the impact of DDoS attacks on a single server.
Software updates and patching vulnerabilities
Regularly update and patch all systems and software to prevent DDoS attacks that exploit vulnerabilities in outdated software.
Firewall rules
Set your firewall to detect and block incoming packets based on security policies around IP addresses and protocol states.
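The IP blocklist/allowlist, per-source rate limiting and firewall-rule recommendations above are really one admission decision made in a fixed order. The script below is an added example, not Corero's code and not any firewall product's rule syntax: it evaluates a constructed packet stream (RFC 5737 documentation addresses) against an allowlist, a blocklist, a fragment rule, a global ICMP echo limit and a per-source token bucket. The rates, burst sizes and the choice to drop fragments from untrusted sources outright are assumptions for illustration; timestamps are integer milliseconds so the refill arithmetic is exact.

```python
"""Packet-admission policy combining an IP allowlist/blocklist, protocol
rules (fragments, ICMP echo rate) and a per-source token-bucket rate limit,
evaluated over constructed packet records.

Added example: not Corero's code and not a firewall's rule language.
"""
import ipaddress


class TokenBucket:
    """Token bucket: refills `rate` tokens per second up to `burst`."""

    def __init__(self, rate, burst):
        self.rate = rate        # tokens (packets) per second
        self.burst = burst      # bucket capacity
        self.tokens = burst
        self.last_ms = None

    def allow(self, now_ms):
        if self.last_ms is None:
            self.last_ms = now_ms
        self.tokens = min(self.burst,
                          self.tokens + (now_ms - self.last_ms) * self.rate / 1000)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Policy:
    """Order of checks: allowlist, blocklist, fragment rule, ICMP echo limit,
    per-source rate limit. Allowlisted sources bypass the rate limits, the
    usual trade-off for known-good peers (assumption)."""

    def __init__(self, allow_nets, block_nets, per_source_rate=100,
                 per_source_burst=20, icmp_echo_rate=10, icmp_echo_burst=10):
        self.allow_nets = [ipaddress.ip_network(n) for n in allow_nets]
        self.block_nets = [ipaddress.ip_network(n) for n in block_nets]
        self.per_source_rate = per_source_rate
        self.per_source_burst = per_source_burst
        self.icmp_bucket = TokenBucket(icmp_echo_rate, icmp_echo_burst)
        self.source_buckets = {}

    def decide(self, pkt):
        ip = ipaddress.ip_address(pkt["src"])
        if any(ip in net for net in self.allow_nets):
            return "accept:allowlist"
        if any(ip in net for net in self.block_nets):
            return "drop:blocklist"
        if "frag" in pkt["flags"]:
            return "drop:fragment"          # fragments from untrusted sources
        if pkt["proto"] == "icmp" and "echo" in pkt["flags"]:
            if not self.icmp_bucket.allow(pkt["ts_ms"]):
                return "drop:icmp-rate"     # global cap on echo requests
        bucket = self.source_buckets.setdefault(
            pkt["src"], TokenBucket(self.per_source_rate, self.per_source_burst))
        if not bucket.allow(pkt["ts_ms"]):
            return "drop:source-rate"
        return "accept"


def packet(ts_ms, src, proto, *flags):
    return {"ts_ms": ts_ms, "src": src, "proto": proto, "flags": frozenset(flags)}


# Constructed traffic mix (documentation address ranges)
TRAFFIC = (
    [packet(i * 5, "198.51.100.5", "tcp", "syn") for i in range(300)]       # 200 pps burst
    + [packet(i * 50, "198.51.100.9", "icmp", "echo") for i in range(30)]   # 20 echo req/s
    + [packet(i * 20, "203.0.113.7", "udp") for i in range(50)]             # blocklisted net
    + [packet(i * 20, "198.51.100.77", "udp", "frag") for i in range(5)]    # untrusted fragments
    + [packet(i * 20, "192.0.2.10", "udp", "frag") for i in range(5)]       # allowlisted fragments
)

POLICY_SPEC = {"allow_nets": ["192.0.2.0/24"], "block_nets": ["203.0.113.0/24"]}


def apply_policy(packets, spec=POLICY_SPEC):
    """Run packets through a fresh Policy in arrival order; return verdict counts."""
    policy = Policy(**spec)
    counts = {}
    for pkt in sorted(packets, key=lambda p: p["ts_ms"]):
        verdict = policy.decide(pkt)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for verdict, n in sorted(apply_policy(TRAFFIC).items()):
        print(f"{verdict:18} {n}")
```

Running it shows the 200 pps burst from a single source trimmed to roughly the configured 100 pps plus the initial burst allowance, the echo requests capped at the global ICMP rate, and blocklisted or fragmented traffic from untrusted sources dropped before it ever reaches a rate limiter. Real firewalls implement the same ordering in hardware or kernel tables; the value of writing it out is seeing which rule a given packet actually hits, so that the allowlist and limits can be tuned against the baseline rather than guessed.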
Cloud-based services
Consider migrating your services to cloud-based platforms that offer scalable infrastructure. Cloud providers often have DDoS protection mechanisms in place and can absorb large volumes of traffic. A hybrid setup, in which a cloud-based service backs up on-premises protection, is another option.
DDoS protection
Traditional DDoS protection tools focus on mitigating threats at the network layer of the OSI model. However, they typically lack sophisticated analytics, threat intelligence, and modeling to protect against diverse and rapidly evolving attacks. Additionally, because DDoS attacks target Layer 3 through Layer 7 and multi-vector attacks are increasing, traditional anti-DDoS tools are not a complete solution. To avoid having another tool to manage and monitor, look for modern solutions that protect against the full breadth of DDoS attacks in a single solution.
Maximize Coverage with Advanced DDoS Protection
Many anti-DDoS solutions don’t detect and protect against the full gamut of DDoS attacks. This is why advanced DDoS protection solutions have emerged.
An advanced DDoS protection solution like SmartWall ONE™ leverages adaptive analytics, threat modeling, and anti-bot capabilities to stop frequent assaults and shifting tactics. It also requires little manual work and maintains uninterrupted service availability even in the midst of a DDoS attack. When coupled with AI-assisted threat intelligence that continually learns from new data and adapts in real time, the solution can also react instantly to protect against follow-on malicious activity including data leakage, ransomware attacks, and other threats to your operations.
With the addition of application layer DDoS protection, Corero's SmartWall ONE with CORE provides full spectrum DDoS protection, from Layer 3 through Layer 7. DDoS attacks are not just a network problem. They're an application problem. Extending application security to include sophisticated application defense and Zero Trust admission control protects against a rise in DDoS attacks aimed at bringing down apps and your business. With less manual work and no operational sprawl, it's also more cost-effective.
Conclusion
DDoS attacks come in various shapes and sizes and use multiple points of entry. Organizations need a purpose-built solution to protect against diverse and rapidly evolving DDoS attacks from the network edge to the application layer. They also need a solution to protect their organizations from complex, multi-vector attacks and other types of advanced threats that incorporate DDoS as a tactic.
Best practices and technologies like IP blocklists, traffic monitoring, rate limiting, network redundancy, failover plans, software updates, and firewalls can help with monitoring, blocking, and mitigation. Additionally, traditional anti-DDoS tools can be effective against Layer 3 attacks, but they aren’t a complete solution.
The most effective technology to thwart the full gamut of DDoS attacks (Layer 3 through Layer 7) as well as new DDoS challenges is an advanced DDoS protection solution. When coupled with behavior analysis and intelligence, you're able to stay ahead of emerging and evolving threats and defend against follow-on malicious activity including data breaches, ransomware attacks, and other threats to your operations. Organizations build resilience thanks to breadth of coverage, zero operational lift, and the ability to maintain uninterrupted service availability even during a DDoS attack.
Visit our threat intelligence research center for more information on DDoS defense in depth. Download our solution brief on our smarter approach to application protection.