Layer 4 DDoS Protection — Network and Transport Layer Defense
Layer 4 DDoS attacks target the network and transport layers, attempting to overwhelm your server's network stack with floods of TCP and UDP traffic. These attacks include SYN floods, ACK floods, UDP floods, and various amplification attacks that can generate massive traffic volumes. AnubizHost Layer 4 DDoS protection uses hardware-accelerated filtering to neutralize these attacks at wire speed, keeping your server responsive while billions of malicious packets are silently discarded.
Common Layer 4 Attack Vectors
Layer 4 attacks exploit the fundamental mechanisms of TCP and UDP networking. SYN floods send millions of TCP connection initiation packets without completing the handshake, exhausting your server's connection table. ACK floods send packets that appear to belong to existing connections, forcing your server to waste resources looking up non-existent sessions.
UDP-based attacks are even more diverse. DNS amplification uses open resolvers to generate massive response floods directed at your IP. NTP amplification exploits the monlist command to achieve 500x traffic amplification. Memcached reflection can generate responses 50,000x larger than the request, enabling terabit-scale attacks from just a handful of source machines.
Fragment attacks send incomplete IP packets that your server must hold in memory while waiting for the remaining fragments — fragments that never arrive. RST floods, FIN floods, and various combinations of TCP flag attacks round out the Layer 4 threat landscape. Effective protection must handle all of these vectors simultaneously.
Hardware-Accelerated Packet Filtering
Software-based DDoS filtering cannot keep pace with modern Layer 4 attacks that generate hundreds of millions of packets per second. AnubizHost deploys FPGA-based (Field-Programmable Gate Array) packet processing hardware that operates at wire speed, inspecting and classifying every packet in real time without introducing queuing delays.
The FPGA filters apply thousands of rules simultaneously, checking each packet against known attack signatures, spoofed source address lists, protocol compliance checks, and rate limits. Packets that match attack characteristics are dropped in hardware before they enter the server's network stack, consuming zero server-side resources.
This hardware acceleration is critical for Layer 4 protection because the attacks operate at the packet level. A 100 Gbps SYN flood might consist of 150 million packets per second, each of which must be individually inspected and classified. Software running on general-purpose CPUs cannot sustain this rate, while dedicated hardware classifies every packet at line rate regardless of volume.
Stateful Connection Tracking
Beyond simple packet filtering, effective Layer 4 protection requires stateful connection tracking. This means maintaining a table of legitimate TCP connections and using it to distinguish between valid traffic and attack traffic that spoofs connection state.
AnubizHost mitigation systems implement SYN cookies for efficient handling of TCP connection initiation. Instead of allocating memory for each incoming SYN packet (which is exactly what SYN floods exploit), our system encodes connection state in the SYN-ACK response. Only connections that complete the three-way handshake with a valid cookie are admitted to the connection table. This approach handles millions of incoming SYN packets per second without exhausting memory.
For established connections, our stateful tracking verifies that each packet belongs to a legitimate session. Out-of-sequence packets, packets with invalid flags, and packets that do not match any tracked connection are dropped. This prevents ACK floods, RST floods, and other attacks that attempt to inject packets into the network stack by guessing connection parameters.
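As an added illustration of the SYN-cookie handshake and the session table described above (example code written for this page, not AnubizHost's mitigation software): a small Python filter that encodes the handshake in the SYN-ACK sequence number, admits only clients that return a fresh, valid cookie, and drops ACK/RST/FIN packets for sessions it never tracked. The cookie layout (5-bit timestamp, 3-bit MSS index, 24-bit MAC) mirrors the Linux scheme; the secret, addresses and packets are constructed.

```python
import hmac, hashlib

SECRET = b"constructed-demo-secret"   # assumption: per-host secret, rotated in production
MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values the 3-bit index field can name
COOKIE_MAX_AGE = 2                    # cookie ticks (64 s each in Linux) a cookie stays valid

def _mac24(src, dst, sport, dport, tick, idx):
    msg = f"{src}|{dst}|{sport}|{dport}|{tick}|{idx}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src, dst, sport, dport, mss, tick):
    """ISN for the SYN-ACK: 5-bit tick | 3-bit MSS index | 24-bit MAC over the 4-tuple."""
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)  # largest MSS we can honour
    return ((tick & 0x1F) << 27) | (idx << 24) | _mac24(src, dst, sport, dport, tick, idx)

def check_cookie(cookie, src, dst, sport, dport, now_tick):
    """Return the negotiated MSS if the cookie is genuine and fresh, else None."""
    age = (now_tick - (cookie >> 27)) & 0x1F
    if age > COOKIE_MAX_AGE:
        return None                     # too old: a replayed or long-delayed final ACK
    idx = (cookie >> 24) & 0x7
    if idx >= len(MSS_TABLE) or (cookie & 0xFFFFFF) != _mac24(src, dst, sport, dport, now_tick - age, idx):
        return None                     # MAC mismatch: guessed or tampered cookie
    return MSS_TABLE[idx]

class L4Tracker:
    def __init__(self, my_ip):
        self.my_ip, self.sessions, self.dropped = my_ip, set(), 0

    def handle(self, pkt, now_tick):
        key = (pkt["src"], pkt["sport"], pkt["dport"])
        if pkt["flags"] == "SYN":       # no memory allocated: the SYN-ACK's ISN is the state
            return "SYN-ACK", make_cookie(pkt["src"], self.my_ip, pkt["sport"], pkt["dport"], pkt.get("mss", 536), now_tick)
        if key in self.sessions:        # packet belongs to a tracked connection
            return "ACCEPT", None
        if pkt["flags"] == "ACK":       # final handshake ACK must carry cookie + 1
            mss = check_cookie((pkt["ack"] - 1) & 0xFFFFFFFF, pkt["src"], self.my_ip, pkt["sport"], pkt["dport"], now_tick)
            if mss is not None:
                self.sessions.add(key)
                return "ESTABLISHED", mss
        self.dropped += 1               # ACK/RST/FIN for a session we never saw: drop it
        return "DROP", None

def demo():
    t = L4Tracker("203.0.113.10")      # constructed addresses from the documentation ranges
    syn = {"src": "198.51.100.7", "sport": 40000, "dport": 443, "flags": "SYN", "mss": 1460}
    _, isn = t.handle(syn, now_tick=100)
    ok = t.handle({**syn, "flags": "ACK", "ack": isn + 1}, now_tick=101)
    flood = t.handle({"src": "192.0.2.9", "sport": 1234, "dport": 443, "flags": "ACK", "ack": (5 << 27) + 1}, now_tick=101)
    old = make_cookie("198.51.100.8", "203.0.113.10", 40001, 443, 1460, 50) + 1
    stale = t.handle({"src": "198.51.100.8", "sport": 40001, "dport": 443, "flags": "ACK", "ack": old}, now_tick=101)
    return ok, flood, stale, t.dropped
```

The flood packet fails the MAC check and the replayed cookie fails the freshness check, so neither consumes a connection-table slot; the `dropped` counter is the kind of signal a mitigation system feeds into its rate-limit telemetry.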
Layer 4 Protection on Every Server
Layer 4 DDoS protection is active on every AnubizHost server from the moment of deployment. There is no configuration required, no software to install, and no mitigation tier to select. The hardware-accelerated filtering processes all traffic to your server's IP address, whether it is TCP, UDP, ICMP, or any other protocol.
The protection works transparently with any application. Web servers, game servers, VPN endpoints, mail servers, database servers, and custom applications all benefit equally. Because the filtering operates below the application layer, it does not matter what software your server runs or what protocols your application uses.
For customers who run services on non-standard ports or use uncommon protocols, our Layer 4 filtering handles all IP protocols and all port numbers. The system does not assume that legitimate traffic only uses common ports — it filters based on packet characteristics and behavior, not port numbers. This ensures comprehensive protection even for specialized applications.