Types of DDoS Attacks: A Quick Guide from StormWall

Building a defense against DDoS attacks without understanding how they work is like treating an illness based only on symptoms—without knowing the actual diagnosis.

Experts agree: a “healthy” infrastructure starts with clearly identifying the type, intent, and mechanism of the threat.

In this article, we explore the most relevant types of DDoS attacks today, how to distinguish them, and why it’s crucial to understand different classification approaches.


Most often, when describing different types of DDoS attacks, experts focus on three key factors:

  • which level of the network infrastructure is being targeted,
  • which protocols are used,
  • and how the intended disruption is achieved.

These parameters form the basis for the main classifications of DDoS attacks. Let’s take a closer look at each of them:

1. DDoS Classification by OSI Layers

In most cases, DDoS attacks are categorized according to the layers of the OSI (Open Systems Interconnection) reference model. This is one of the most fundamental and widely understood classifications among IT and cybersecurity professionals.

The OSI model divides all network devices and processes involved in data exchange between different network protocols into 7 layers—from L1 to L7. Each layer is described in great detail, making it easy to identify and distinguish. This allows specialists to quickly determine which part of the interaction a specific object, process, or network issue relates to.

Which OSI layers are affected by DDoS attacks?

1. Network Layer (L3)

At this layer, attackers aim to overwhelm communication channels and network equipment. These are typically high-volume DDoS attacks that can reach millions or even billions of packets per second.

Cybercriminals often use network-level attacks as a form of brute force—to deliver quick, disruptive strikes that can disable a victim’s infrastructure for extended periods. L3 attacks are also frequently used as a distraction tactic—a “smokescreen” to conceal other malicious activities.

Most common types of DDoS attacks at this level include:

  • ICMP Flood—sending massive numbers of ICMP requests to the target.
  • Smurf Attack—similar to an ICMP flood but amplified and using spoofed source addresses.
  • IP Fragmentation Flood—delivering large volumes of fragmented IP packets.

2. Transport Layer (L4)

At the transport layer, the target is no longer just the network channel but specific services. Attackers aim to overload the TCP/UDP stack by generating thousands of “half-open” connections or streams of UDP packets.

L4 DDoS attacks are often directed at services like VPNs and VoIP platforms, where performance and stability heavily depend on the number of active sessions.

Examples of L4 DDoS attacks:

  • SYN Flood—floods the target with SYN packets, keeping TCP sessions open and consuming resources.
  • ACK Flood—similar to a SYN flood but using ACK packets to overwhelm the server.
  • RST Flood—floods the target with TCP RST (reset) packets.
  • TCP Session Exhaustion—consumes all available TCP sessions to deny access to legitimate users.
  • UDP Flood—sends a high volume of UDP packets to the victim’s ports, overwhelming the service.
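
How the "half-open" connections of a SYN flood show up in packet data, as an added detection sketch (not StormWall's code). The packet tuples, addresses, timeout and threshold are constructed assumptions for illustration:

```python
from collections import defaultdict

# Constructed sample: (time_s, src_ip, src_port, dst_ip, dst_port, tcp_flags).
# All addresses come from documentation ranges (RFC 5737).
PACKETS = [
    (0.00, "198.51.100.10", 40001, "192.0.2.5", 443, "S"),
    (0.01, "192.0.2.5", 443, "198.51.100.10", 40001, "SA"),
    (0.02, "198.51.100.10", 40001, "192.0.2.5", 443, "A"),  # handshake completed
] + [
    # 20 SYNs from varied sources that never send the final ACK
    (0.10 + i * 0.01, f"203.0.113.{i + 1}", 50000 + i, "192.0.2.5", 443, "S")
    for i in range(20)
]

def half_open_by_service(packets, now, timeout=5.0):
    """Count connections stuck after the SYN, per destination (ip, port)."""
    pending = {}  # (src, sport, dst, dport) -> time the SYN was seen
    for ts, src, sport, dst, dport, flags in packets:
        key = (src, sport, dst, dport)
        if flags == "S":
            pending[key] = ts
        elif flags in ("A", "R") and key in pending:
            del pending[key]  # client completed or reset the handshake
    counts = defaultdict(int)
    for (_src, _sport, dst, dport), ts in pending.items():
        if now - ts <= timeout:  # assumed to still occupy a backlog slot
            counts[(dst, dport)] += 1
    return dict(counts)

def flag_syn_flood(packets, now, threshold=10):
    """Return services whose half-open count reaches the assumed threshold."""
    counts = half_open_by_service(packets, now)
    return {svc: n for svc, n in counts.items() if n >= threshold}
```

The completed handshake is not counted, so only the 20 unanswered SYNs against 192.0.2.5:443 trip the threshold.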

3. Session Layer (L5)

While many session-related DDoS attacks are often attributed to either L4 or L7, in the OSI model, the responsibility for establishing, maintaining, and terminating connections lies with the session layer (L5). At this level, attackers aim not just to overload ports (as in L4), but to disrupt the logic of session management, meaning even low traffic volumes can result in serious consequences.

Examples of DDoS attacks targeting L5:

  • TLS/SSL Handshake Attack—exhausts server resources by repeatedly initiating resource-intensive secure connection handshakes.
  • PPPoE Session Flooding—overwhelms broadband access equipment (e.g., BRAS) by initiating a massive number of fake PPPoE sessions.
  • VoIP Session Hijacking or Termination—disrupts telephony services by injecting traffic to drop or spoof legitimate call sessions using session control protocols.

These attacks exploit the logic behind session handling, often flying under the radar of traditional filtering systems and causing significant disruption with relatively little malicious traffic.

4. Application Layer (L7)

At this level, attackers target applications directly—websites, APIs, or any interface that users interact with. These are the most difficult attacks to detect because they mimic the behavior of legitimate users. Businesses that rely heavily on their websites or apps for sales or customer interactions are particularly vulnerable. Often, L7 attacks are combined with L3/L4 floods to create a multi-vector threat.

Common L7 DDoS attack types include:

  • HTTP Flood—sending large volumes of HTTP requests to web pages to overwhelm the server.
  • Slowloris—the attacker sends incomplete HTTP requests to keep server connections open and exhaust resources.
  • DNS Flood—a high volume of DNS requests aimed at overloading DNS servers.
  • DNS Amplification and other amplification attacks—these exploit the nature of various application-layer protocols to send huge volumes of traffic using minimal attacker resources.

Why does understanding the attack level matter? Knowing which layer is under attack helps your team respond faster and more effectively. If the attack targets L3–L4, you’ll likely need your network engineer to step in—especially if the protection provider needs insights on router or firewall load. 

If it’s an L7 attack, your DevOps engineers or system administrators will be more helpful, as they usually handle WAF (Web Application Firewall) configurations and analyze app logs.

2. DDoS Attack Types by Protocol

The protocol used in an attack directly influences the choice of protection strategy. Classifying DDoS attacks by protocol helps to finely tune filtering mechanisms and apply the most relevant security rules.

Here are common types of DDoS attacks based on specific protocol behaviors:

  • ICMP: ICMP Flood, Smurf Attack.
  • UDP: UDP Flood, DNS Amplification.
  • TCP: SYN Flood, RST Flood.
  • HTTP/HTTPS: HTTP GET/POST Flood, SSL Renegotiation Attack.
  • Other amplification attacks using network services like: NTP, SSDP, CLDAP, Memcached.

3. DDoS Classification by Impact Method 

This classification focuses not on the specific protocol or OSI layer, but rather on how the attack achieves its goal. It’s a common approach used by SOC analysts to simulate attack scenarios and recommend the most effective defense strategies.

For example, volumetric attacks are chosen when attackers have enough resources to generate a large amount of traffic, aiming to overwhelm the victim’s bandwidth. Protocol DDoS attacks exploit vulnerabilities in network protocols and can be effective even with relatively low traffic volumes. Application-layer attacks often use botnets to disrupt business logic or app functionality, affecting the user experience and service availability.

Examples of DDoS attacks by impact method:

  • Volumetric: UDP Flood, ICMP Flood.
  • Protocol-based: SYN Flood, Smurf Attack.
  • Application-layer: HTTP Flood, Slowloris, DNS Query Flood.

In practice, attackers are increasingly combining multiple methods, which has led to the rise of DDoS attacks that don’t fit neatly into traditional classifications. These include:

  • Probing DDoS attacks. Also known as “test runs”, these are low-intensity traffic spikes used to identify weaknesses in a target’s defenses. Attackers often carry them out before launching a full-scale attack, using the insights gained to maximize damage during the main strike.
  • Carpet bombing attacks. Rather than directing a large volume of traffic at a single target, attackers distribute the load across a range of IP addresses belonging to the same network or organization. This results in multiple, smaller disruptions that are difficult to trace and mitigate, yet the cumulative damage can be more severe than in traditional, single-vector attacks.
  • Multi-vector DDoS attacks. These involve simultaneous use of different attack types, such as a combination of L3/L4 floods and large-scale L7 application-layer attacks. This method overwhelms security systems and divides the attention of the incident response team—one vector distracts defenders while another delivers the main blow.
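
Why carpet bombing slips past per-destination thresholds and how per-prefix aggregation catches it, as an added example (not StormWall's code). The flow records, the /24 grouping and all thresholds are constructed assumptions:

```python
import ipaddress
from collections import defaultdict

PER_HOST_MBPS = 100     # assumed per-destination alert threshold
PER_PREFIX_MBPS = 1000  # assumed per-/24 alert threshold

# Constructed one-minute averages: (destination IP, inbound Mbps).
FLOWS = [(f"192.0.2.{h}", 40) for h in range(1, 201)]  # 200 hosts, 40 Mbps each
FLOWS += [("198.51.100.7", 60), ("198.51.100.8", 25)]  # ordinary traffic

def per_host_alerts(flows, limit=PER_HOST_MBPS):
    """Classic check: alert when a single destination exceeds the limit."""
    totals = defaultdict(int)
    for dst, mbps in flows:
        totals[dst] += mbps
    return {dst: m for dst, m in totals.items() if m >= limit}

def per_prefix_alerts(flows, prefix_len=24, limit=PER_PREFIX_MBPS, min_hosts=32):
    """Aggregate by prefix; require many distinct targets so that one busy
    host (already covered by the per-host check) is not reported twice."""
    totals, hosts = defaultdict(int), defaultdict(set)
    for dst, mbps in flows:
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        totals[net] += mbps
        hosts[net].add(dst)
    return {
        str(net): {"mbps": totals[net], "hosts": len(hosts[net])}
        for net in totals
        if totals[net] >= limit and len(hosts[net]) >= min_hosts
    }
```

On the sample data the per-host check stays silent because no address exceeds 100 Mbps, while the prefix view reports 8000 Mbps spread over 200 addresses in 192.0.2.0/24.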

In recent years, such complex, hybrid DDoS attacks have become more common. This trend is supported both by our analytics and global cybersecurity statistics, pointing to a clear evolution of the threat landscape.

Summary

Every DDoS attack—like a disease—has its own cause and mode of operation. The key to effective protection lies in the ability to make a precise and comprehensive “diagnosis,” taking all relevant factors into account.

Understanding the nuances and overlaps between different classification models—OSI layer, protocol, and attack mechanism—enables you to fine-tune your defense strategies. This is why it’s essential to ensure that your infrastructure is not only protected in a timely manner, but also effectively, with the support of highly qualified specialists and the most reliable anti-DDoS solutions.
