
Step-by-Step: Setting Up Multi-Layer DDoS Protection (L3 + L4 + L7) for Production Workloads

Summary: Modern DDoS attacks hit multiple layers simultaneously—volumetric floods at L3, protocol attacks at L4, and application attacks at L7. Single-layer protection leaves gaps. This step-by-step guide walks you through configuring comprehensive multi-layer DDoS protection for production workloads using edge security platforms.



The multi-layer threat:

Modern attackers don't use just one attack vector. They combine:

  • L3 (Network): Volumetric floods (UDP, ICMP) to saturate bandwidth
  • L4 (Transport): Protocol attacks (SYN flood, ACK flood) to exhaust connections
  • L7 (Application): HTTP floods and slowloris to exhaust application resources

If you only protect one layer, attackers target the unprotected layers.

This guide walks you through configuring comprehensive multi-layer DDoS protection—covering all three layers from a single edge platform.

Understanding the Three Layers

Layer 3: Network Layer Protection

What it defends against:

  • UDP floods (massive bandwidth consumption)
  • ICMP floods (ping floods)
  • IP fragmentation attacks
  • Amplification attacks (DNS, NTP, CLDAP, Memcached)

Key metrics:

  • Attack volume: 100 Gbps to 5+ Tbps
  • Required capacity: 25+ Tbps per region
  • Mitigation time: < 10 seconds

Layer 4: Transport Layer Protection

What it defends against:

  • SYN floods (connection table exhaustion)
  • ACK floods (server resource exhaustion)
  • RST floods (connection disruption)
  • Connection exhaustion attacks
  • Protocol anomaly attacks

Key metrics:

  • Attack volume: 1-100M packets per second
  • Required capacity: Billions of PPS
  • Mitigation time: < 30 seconds

Layer 7: Application Layer Protection

What it defends against:

  • HTTP floods (high-rate legitimate-looking requests)
  • Slowloris (keeping connections open with slow data)
  • RUDY (R-U-Dead-Yet, slow POST attacks)
  • Application-specific attacks
  • CC attacks (Challenge Collapsar)

Key metrics:

  • Attack volume: 10K-10M requests per second
  • Detection complexity: High (looks like legitimate traffic)
  • Mitigation time: < 60 seconds

Step-by-Step Configuration

Step 1: Enable L3 Network Protection (15 minutes)

1.1 Configure IP Allowlist/Blocklist

Create lists for known-good and known-bad IPs:

  • Allowlist: Your office IPs, monitoring services, payment gateways
  • Blocklist: Known attacker IPs, high-risk countries (if applicable)

1.2 Configure Protocol Filtering

Block protocols your application doesn't use:

  • If web application: Allow TCP 80/443 only
  • If game server: Allow specific UDP ports
  • Block everything else (reduces attack surface by 60-70%)

1.3 Configure Amplification Protection

Enable automatic blocking of common amplification vectors:

  • DNS amplification protection (port 53 spoofing)
  • NTP amplification protection (port 123 spoofing)
  • CLDAP amplification protection (port 389 spoofing)
  • Memcached amplification protection (port 11211 spoofing)

1.4 Set Scrubbing Thresholds

Configure when automatic scrubbing engages:

  • Threshold: 2x normal traffic volume
  • Action: Engage scrubbing automatically
  • Duration: Continue until attack subsides + 5 minutes
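The engage/hold logic of step 1.4 (engage at 2x the normal volume, keep scrubbing until the attack has subsided for 5 minutes) is a small hysteresis controller. The following is an added illustration, not EdgeOne's code; the baseline volume and the per-minute samples are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENGAGE_MULTIPLIER = 2.0   # scrubbing engages at 2x the normal traffic volume (step 1.4)
HOLD_SECONDS = 5 * 60     # keep scrubbing for 5 minutes after the attack subsides (step 1.4)


@dataclass
class ScrubbingController:
    """Hysteresis controller: engages at the threshold, releases only after the hold period."""
    baseline_gbps: float                 # normal volume; assumed to be learned elsewhere
    scrubbing: bool = False
    subsided_at: Optional[float] = None  # time of the first sample back under threshold

    @property
    def threshold_gbps(self) -> float:
        return self.baseline_gbps * ENGAGE_MULTIPLIER

    def observe(self, t: float, volume_gbps: float) -> bool:
        """Feed one sample (t in seconds, volume in Gbps); return whether scrubbing is on."""
        if volume_gbps >= self.threshold_gbps:
            self.scrubbing = True
            self.subsided_at = None      # attack still active: the hold timer restarts later
        elif self.scrubbing:
            if self.subsided_at is None:
                self.subsided_at = t     # first quiet sample, hold period starts now
            elif t - self.subsided_at >= HOLD_SECONDS:
                self.scrubbing = False   # quiet for the full hold period: disengage
                self.subsided_at = None
        return self.scrubbing


def run(samples: List[Tuple[float, float]], baseline_gbps: float) -> List[bool]:
    """Replay (time, volume) samples through the controller and return the state after each."""
    ctl = ScrubbingController(baseline_gbps)
    return [ctl.observe(t, v) for t, v in samples]


# Constructed per-minute samples (seconds, Gbps) around a 10 Gbps baseline (threshold 20 Gbps):
# a flood, a dip at t=240, a second spike at t=300 that restarts the hold, then quiet.
SAMPLES = [(0, 11), (60, 12), (120, 25), (180, 80), (240, 15), (300, 30),
           (360, 11), (420, 10), (480, 10), (540, 10), (600, 10), (660, 10)]

if __name__ == "__main__":
    for (t, v), on in zip(SAMPLES, run(SAMPLES, 10.0)):
        print(f"t={t:4d}s volume={v:3d} Gbps scrubbing={'on' if on else 'off'}")
```

Note that the dip at t=240 does not release scrubbing: the second spike resets the hold, so protection only disengages at t=660, five minutes after the last above-threshold sample.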

Step 2: Enable L4 Transport Protection (20 minutes)

2.1 Configure SYN Protection

SYN Protection Settings:
- Mode: Automatic
- Threshold: 10,000 SYN packets/second (adjust based on normal traffic)
- Action: SYN cookie validation
- Alert: Notify when threshold exceeded

2.2 Configure Connection Rate Limiting

Connection Rate Limits:
- Max new connections per IP: 100/second
- Max concurrent connections per IP: 500
- Connection timeout: 30 seconds
- Half-open connection limit: 10,000

2.3 Configure Protocol Validation

Protocol Validation:
- TCP flag validation: Enabled
- Fragment reassembly: Enabled
- TTL validation: Enabled (block TTL < 5)
- Packet size limits: Min 64 bytes, Max 9000 bytes

2.4 Configure Geographic Filtering (Optional)

If your business serves specific regions:

Geographic Rules:
- Allow: US, CA, GB, DE, FR, JP, AU, ...
- Challenge: Regions with high attack history
- Block: Regions you don't serve (reduces attack surface)

Step 3: Enable L7 Application Protection (30 minutes)

3.1 Configure HTTP Rate Limiting

Rate Limiting Rules:
- Global: 10,000 requests/second (adjust to 2-3x normal peak)
- Per IP: 100 requests/second
- Per URL (/login): 10 requests/minute per IP
- Per URL (/checkout): 20 requests/minute per IP
- Per URL (/api/*): 50 requests/minute per IP
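To make the rule set in 3.1 concrete, here is an added sliding-window limiter that enforces the global, per-IP and per-URL limits together (a request must pass every rule that applies to it). It is example code written for this guide, not EdgeOne's implementation; the client IPs and timings are constructed, and the choice to count only allowed requests is an assumption.

```python
from collections import defaultdict, deque
from fnmatch import fnmatchcase
from typing import Deque, Dict, List, Optional, Tuple

# Rules from section 3.1: (limit, window in seconds). URL rules are keyed per client IP.
GLOBAL_LIMIT = (10_000, 1)
PER_IP_LIMIT = (100, 1)
URL_RULES: List[Tuple[str, int, int]] = [   # first matching pattern wins
    ("/login", 10, 60),
    ("/checkout", 20, 60),
    ("/api/*", 50, 60),
]


class RateLimiter:
    """Sliding-window limiter. A request must pass every rule that applies to it."""

    def __init__(self) -> None:
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)  # key -> hit timestamps

    def _rules_for(self, ip: str, path: str) -> List[Tuple[str, int, int, str]]:
        """(counter key, limit, window, rule name) for every rule this request is subject to."""
        rules = [("global", *GLOBAL_LIMIT, "global"), (f"ip:{ip}", *PER_IP_LIMIT, "per-ip")]
        for pattern, limit, window in URL_RULES:
            if fnmatchcase(path, pattern):
                rules.append((f"ip:{ip}:{pattern}", limit, window, f"url:{pattern}"))
                break
        return rules

    def check(self, ip: str, path: str, now: float) -> Tuple[bool, Optional[str]]:
        """Return (allowed, name of the blocking rule). Only allowed requests are counted."""
        rules = self._rules_for(ip, path)
        for key, limit, window, name in rules:
            hits = self._hits[key]
            while hits and now - hits[0] >= window:   # expire hits that left the window
                hits.popleft()
            if len(hits) >= limit:
                return False, name
        for key, _, _, _ in rules:                    # all rules passed: record the hit
            self._hits[key].append(now)
        return True, None


if __name__ == "__main__":
    rl = RateLimiter()
    # Constructed burst: one client posts to /login every half second; the 11th is blocked.
    for i in range(12):
        print(i, rl.check("203.0.113.7", "/login", 0.5 * i))
```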

3.2 Configure WAF Rules

WAF Configuration:
- OWASP Core Rule Set: Enabled
- SQL Injection: Block
- XSS: Block
- Command Injection: Block
- Path Traversal: Block
- File Inclusion: Block
- Mode: Block (after testing in Monitor mode)

3.3 Configure Bot Management

Bot Management:
- Known good bots (Google, Bing): Allow
- Known bad bots: Block
- Unknown bots: Challenge
- Challenge type: CAPTCHA-less (JavaScript challenge)
- Bot score threshold: < 30 = Block, 30-70 = Challenge, > 70 = Allow

3.4 Configure Slowloris/Slow POST Protection

Slow Attack Protection:
- Request header timeout: 10 seconds
- Request body timeout: 30 seconds
- Minimum data rate: 100 bytes/second
- Max request header size: 32 KB
- Max request body size: 10 MB (adjust for your application)
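The timeouts, size caps and minimum data rate in 3.4 combine into one per-connection policy check. The added example below evaluates that policy against constructed connection snapshots (a stalled header, a trickling POST body, a normal upload); it is illustration code, not EdgeOne's, and the one-second grace period before the rate check is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Limits from section 3.4 of the guide.
HEADER_TIMEOUT_S = 10
BODY_TIMEOUT_S = 30
MIN_RATE_BPS = 100
MAX_HEADER_BYTES = 32 * 1024
MAX_BODY_BYTES = 10 * 1024 * 1024
RATE_GRACE_S = 1.0   # assumption: do not judge the data rate on a connection younger than 1 s


@dataclass
class ConnState:
    """Constructed snapshot of one in-flight request, as a proxy might keep it."""
    phase: str            # "header" while headers are incomplete, then "body"
    phase_started: float  # time the current phase began (seconds)
    now: float
    bytes_in_phase: int   # bytes received so far in the current phase
    declared_body: int = 0


def slow_attack_verdict(c: ConnState) -> Optional[str]:
    """Return a drop reason, or None if the connection is still within policy."""
    elapsed = c.now - c.phase_started
    if c.phase == "header":
        if c.bytes_in_phase > MAX_HEADER_BYTES:
            return "header-too-large"
        if elapsed > HEADER_TIMEOUT_S:
            return "header-timeout"          # slowloris: headers never complete
    else:
        if max(c.bytes_in_phase, c.declared_body) > MAX_BODY_BYTES:
            return "body-too-large"
        if elapsed > BODY_TIMEOUT_S:
            return "body-timeout"
    # Rate check last, and only after the grace period so fresh connections are not penalised.
    if elapsed >= RATE_GRACE_S and c.bytes_in_phase / elapsed < MIN_RATE_BPS:
        return "slow-rate"                   # RUDY-style trickle of body bytes
    return None


if __name__ == "__main__":
    print(slow_attack_verdict(ConnState("header", 0.0, 12.0, 300)))          # header-timeout
    print(slow_attack_verdict(ConnState("body", 0.0, 20.0, 900, 10_000)))    # slow-rate
    print(slow_attack_verdict(ConnState("body", 0.0, 2.0, 50_000, 60_000)))  # None
```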

3.5 Configure Challenge Pages

Challenge Configuration:
- Challenge type: JavaScript challenge (CAPTCHA-less)
- Challenge duration: 30 minutes (after passing, user is trusted)
- Challenge triggers: Bot score < 50, rate limit exceeded, geographic risk

Step 4: Configure Monitoring and Alerting (15 minutes)

4.1 Set Up Alert Rules

Alert Configuration:
- L3 attack detected (> 1 Gbps): Email + Slack immediately
- L4 attack detected (> 10K SYN/s): Email + Slack immediately
- L7 attack detected (> 5x normal traffic): Email + Slack immediately
- False positive rate > 1%: Email daily summary

4.2 Configure Dashboard

Create a unified dashboard showing:

  • Traffic volume (clean vs attack)
  • Attack events timeline
  • Protection layer status (L3/L4/L7)
  • Top attacking IPs
  • Geographic distribution of attacks
  • False positive monitoring

Step 5: Test Your Configuration (60 minutes)

5.1 L3 Test

  • Simulate volumetric traffic from testing tools
  • Verify scrubbing engages automatically
  • Verify legitimate traffic unaffected

5.2 L4 Test

  • Simulate SYN flood with testing tools
  • Verify SYN cookie protection works
  • Verify connection rate limits are enforced correctly

5.3 L7 Test

  • Simulate HTTP flood
  • Verify rate limiting triggers
  • Verify WAF blocks attack patterns
  • Verify bot management challenges suspicious traffic

5.4 Multi-Layer Test

  • Simulate simultaneous L3 + L4 + L7 attack
  • Verify all layers protect simultaneously
  • Verify no false positives during multi-layer attack

Production Configuration Best Practices

Tuning for Your Application

Web Application:

L3: Standard volumetric protection
L4: SYN protection + connection limits
L7: Rate limiting + WAF + Bot management
Focus: L7 protection (most attacks target the application layer)

API Service:

L3: Standard volumetric protection
L4: SYN protection + connection limits
L7: Per-endpoint rate limiting + API validation + Bot management
Focus: Per-endpoint rate limiting (protect expensive API calls)

Game Server:

L3: Enhanced volumetric protection (games attract more L3)
L4: TCP + UDP protection + game protocol validation
L7: Login protection + bot management
Focus: L3/L4 protection (game traffic is L4-heavy)

Monitoring and Maintenance

Daily:

  • Review attack summary (if any)
  • Check false positive rate
  • Verify all protection layers active

Weekly:

  • Review top attacking IPs
  • Update blocklists if needed
  • Tune rate limits based on traffic patterns

Monthly:

  • Review protection effectiveness
  • Update WAF rules
  • Review and update alerting thresholds
  • Generate compliance reports

Real-World Results

Case Study: Ecommerce Platform

Before (L7 Only):

  • L3 attack: Overwhelmed network (2 hours downtime)
  • L4 attack: Exhausted connections (1 hour downtime)
  • L7 attack: Blocked by WAF (0 downtime)

After (L3 + L4 + L7):

  • L3 attack: Blocked at edge (0 downtime)
  • L4 attack: Blocked by SYN protection (0 downtime)
  • L7 attack: Blocked by WAF + bot management (0 downtime)
  • Multi-layer attack: All layers protected simultaneously (0 downtime)

Improvement: 3+ hours downtime/month → 0 downtime

Common Mistakes to Avoid

Mistake 1: Only Protecting L7
L3/L4 attacks can overwhelm your infrastructure before L7 protection is even relevant.

Mistake 2: Rate Limits Too Aggressive
Start with 3x normal peak traffic and tune down based on data.

Mistake 3: Not Testing Multi-Layer Attacks
Attackers combine layers. Test combined attacks, not just individual layers.

Mistake 4: Forgetting About Monitoring
Protection without monitoring is blind. Set up dashboards and alerts.

Mistake 5: Static Configuration
Attack patterns evolve. Review and update configuration monthly.

Take Action Today

Single-layer protection leaves gaps. Multi-layer DDoS protection at L3 + L4 + L7 covers all attack vectors.

Get Started in 3 Steps:

  1. Choose Edge Platform — Look for integrated L3/L4/L7 protection
  2. Follow This Guide — Configure each layer step-by-step
  3. Test and Monitor — Verify protection works, monitor ongoing

Pricing Plans

Plan          | Best For               | Specifications                            | Original Price | Promo Price
Free Personal | Developers, MVP Teams  | Basic protection & static acceleration    | ——             | $0/month
Personal      | Early-Stage Businesses | 50GB + 3M requests, CDN + Security        | $4.2/month     | $0.9/month
Basic         | Growing Businesses     | 500GB + 20M requests, OWASP TOP 10        | $57/month      | $32/month
Standard      | Enterprise Businesses  | 3TB + 50M requests, WAF + Bot Management  | $590/month     | $299/month


Don't leave gaps in your defense. Multi-layer L3+L4+L7 protection stops all DDoS attack vectors. Try it free today.