DDactic - Protocol Stack Visualization

L7Application
Application Layer
~30 attack vectors
Client Side
            Browser
            Bot / Script
            Mobile App
          

            REST
            GraphQL
            gRPC
            WebSocket
          

            Client sends HTTP requests using standard methods (GET, POST, PUT, DELETE).
            Each protocol has unique attack characteristics.
          
Request / Response

            HTTP Request/Response
          
Server Side
            nginx
            Apache
            Node.js
          

            On-prem WAF
            F5 ASM
            Imperva
          

            Server processes requests through WAF rules, load balancing, and application logic.
            On-prem devices operate here, but depend on lower layers.
          

            HTTP/1.1 1 request per connection
          

            Connection model: One request at a time per TCP connection. Keep-alive allows reuse, but no multiplexing.
            Requires many connections for high concurrency.
          

            Attacks
            Slowloris
            Slow POST (R.U.D.Y.)
            Slow Read
            GET Flood
            POST Flood
            Cache Bypass
          

            H1 attacks exploit the 1-connection-per-request model. Slowloris is H1-only because H2/H3 multiplex streams on a single connection, making partial-header stalling irrelevant.
          

            HTTP/2 multiplexed streams on 1 connection
          

            Connection model: Single TCP connection carries many concurrent streams.
            Stream creation and reset are cheap operations, handled by the framing layer.
          

            Attacks
            Rapid Reset (CVE-2023-44487)
            CONTINUATION Flood (CVE-2024-27316)
            PING Flood
            SETTINGS Abuse
            Empty Frames
          

            Rapid Reset is devastating: 1 connection generates 1M+ req/s via stream create/reset cycles. Traditional connection-counting defenses are useless because the attack uses a single TCP connection.
          

            HTTP/3 QUIC (UDP) + independent streams
          

            Connection model: QUIC connection over UDP. Streams are independent (no head-of-line blocking).
            TLS 1.3 is built into the transport. Connection migration via Connection IDs.
          

            Attacks
            Initial Flood
            CID Exhaustion
            0-RTT Replay
            ACK Manipulation
            Version Negotiation Amplification
            Migration Abuse
          

            H3 is UDP-based, so TCP-focused mitigations (SYN cookies, connection tracking) do not apply. L4 firewalls that only inspect TCP traffic will pass H3/QUIC unfiltered.
          
APPLICATION PROTOCOLS
REST API
HTTP (any version)

                HTTP Flood
                Query Abuse
              
GraphQL
POST /graphql

                Nested Query
                Batch Abuse
              
gRPC
Requires H2 (ALPN h2)

                Stream Exhaustion
                Payload Bomb
              
WebSocket
HTTP Upgrade, then WS framing

                Connection Flood
                Frame Flood
              
SIP
UDP:5060 / TCP:5060

                INVITE Flood
                REGISTER Flood
              
SMTP
TCP:25 / TCP:587

                RCPT TO Flood
              
L5/6Session / TLS
TLS Handshake + QUIC
4 attack vectors
Client Side
            TLS 1.2 Client
            TLS 1.3 Client
          

            Sends ClientHello with cipher suites, extensions, supported groups.
            Each client produces a unique JA3/JA4 fingerprint based on TLS parameters.
          

            JA3 hash
            JA4 fingerprint
          
Key ExchangeClientHello--->
<---ServerHello + Cert
Key Exchange--->
<---Finished
Server Side
            TLS Termination
            Certificate
          

            On-prem: F5 SSL Offload
            CDN: Edge Termination
          

            TLS termination can happen at the CDN edge (reducing origin load) or on-prem (F5, load balancer).
            On-prem SSL offload adds latency and CPU cost per handshake.
          

          Attacks targeting TLS
          TLS Exhaustion
          SSL Renegotiation (TLS 1.2 only)
          Malformed Record Flood
          QUIC Crypto Flood
        

          TLS 1.2 allows RSA key exchange (no forward secrecy). TLS 1.3 requires ECDHE (forward secrecy mandatory).
          HTTP/2 requires TLS (ALPN negotiation). SSL renegotiation attacks only work on TLS 1.2, as TLS 1.3 removed renegotiation entirely.
        
L4Transport
TCP + UDP Transport
~25 attack vectors
Client Side
            TCP: Connection-oriented
            UDP: Fire-and-forget
          

            TCP: Three-way handshake (SYN, SYN-ACK, ACK). Reliable, ordered delivery.
            UDP: No handshake, no connection state. Enables source IP spoofing.
          
TCP HandshakeSYN--->
<---SYN-ACK
ACK--->
UDP

              No handshake - spoofable
            
Server Side
            Connection Table
            SYN Cookies
          

            On-prem Load Balancer
            Connection Limit
          

            Server maintains a connection table for TCP. Each half-open SYN consumes a table entry.
            On-prem load balancers track connections but are limited by upstream bandwidth.
          

          TCP Attacks
          SYN Flood
          ACK Flood
          FIN/RST Flood
          Sockstress
          Connection Flood
          Flag Manipulation
        

          UDP Attacks (including amplification)
          UDP Flood
          DNS Amplificationx54
          NTP Amplificationx556
          Memcachedx51000
          SLP Amplificationx2200
          CLDAP Amplificationx55
          SSDP Amplificationx30
          CharGENx358
        

          UDP amplification attacks use third-party reflectors. The attacker sends a small query with the victim's spoofed IP. The reflector sends a much larger response to the victim. Memcached amplification can reach 51,000x, turning 1 Mbps of attacker bandwidth into 51 Gbps of attack traffic.
        
L3Network
IP Network Layer
~12 attack vectors
Client / Attacker
            Source IP (spoofable on UDP)
          

            VPS
            Residential Proxy
            Mobile
            IoT Botnet
          

            IP spoofing is trivial on UDP and some raw-socket-capable hosts.
            TCP spoofing is impractical (needs sequence number prediction).
            Botnets provide real, non-spoofed distributed IPs.
          
IP Packets

            Raw IP datagrams
          
Server Side
            ISP Pipe
            Capacity: 10G / 40G / 100G
          

            Scrubbing Center (BGP divert)
            ACL / Null Route
          

            The ISP pipe is the physical bandwidth limit. No on-prem device can process traffic that never arrives because the pipe is full. Scrubbing centers absorb volumetric attacks via BGP diversion before traffic reaches the pipe.
          

          L3 Attacks
          ICMP Flood (Ping)
          IP Fragmentation
          GRE Flood
          ESP Flood
          IPIP Flood
          MPLS Flood
          ICMP Redirect
          Smurf
          Teardrop
          Land
          Ping of Death
          IP Options Abuse
        

          L3/L4 volumetric attacks saturate the physical pipe. No device behind the pipe can help, regardless of its rated capacity. This is why upstream scrubbing (BGP-based) or CDN absorption is essential for volumetric defense.
        

Without Upstream Protection

Attack Traffic

50 Gbps

UDP Flood + Amplification

|all traffic enters pipe

ISP Pipe

Capacity: 10 Gbps

0% utilized

|traffic passes through

On-Prem Device

F5 BIG-IP i15800

Capacity: 400 Gbps

Origin Server

Application

Online

With Upstream Protection

SCRUBBING CENTER (L3/L4)

Attack Traffic

50 Gbps

|BGP divert to scrubbing

Scrubbing Center

Absorbs 49.5 Gbps

Capacity: 10+ Tbps

|only clean traffic (0.5 Gbps)

ISP Pipe (10G)

5% utilized

F5 BIG-IP

0.1% load

HEALTHY

Origin

HEALTHY

Scrubbing Center: Absorbs L3/L4 volumetric traffic via BGP rerouting. Handles UDP floods, SYN floods, amplification attacks.

CDN (Cloudflare, Akamai): Filters L7 application-layer attacks (HTTP floods, Slowloris, Rapid Reset). Also provides some L3/L4 protection via anycast absorption.

Key point: CDN alone cannot stop large-scale L3/L4 volumetric floods that bypass HTTP entirely. A 50 Gbps UDP flood hits the pipe regardless of CDN configuration. Multi-layer defense (scrubbing + CDN + on-prem WAF) is the correct architecture.

HTTP/1.1

L4TCP

TLSTLS 1.2 / 1.3

L7HTTP/1.1

1000

connections = 1000 concurrent requests

1 request per connection at a time.
Keep-alive reuses connections but no multiplexing.
High concurrency = many TCP connections.

Plain text headers No server push No stream priority

Vulnerable to

Slowloris

Holds connections open with partial headers. H1-only because H2/H3 multiplex on a single connection.

Slow POST (R.U.D.Y.)

Sends body one byte at a time. Effective because H1 ties connection to single request.

Slow Read

Tiny TCP window forces server to buffer response.

GET/POST Flood

Works on all versions but H1 needs more connections for same RPS.

IMMUNE TO

Rapid Reset CONTINUATION Flood H2 Stream Abuse QUIC Initial Flood

HTTP/2

L4TCP

TLSTLS 1.2+ (ALPN h2)

L7HTTP/2 (binary framing)

connection = 100 concurrent streams

Multiplexed streams on a single TCP connection.
Binary framing, header compression (HPACK).
Stream create/reset is near-zero cost to client.

Binary framing HPACK compression Server push TCP HOL blocking

Vulnerable to

Rapid Reset CVE-2023-44487

Create stream + immediate RST_STREAM. Server allocates resources, client cancels. 1 connection = 1M+ req/s. Devastated Google, Cloudflare, AWS in 2023.

CONTINUATION Flood CVE-2024-27316

CONTINUATION frames without END_HEADERS. Server must buffer unlimited header data. Memory exhaustion.

PING Flood

Server must respond to every PING with PONG. CPU exhaustion.

SETTINGS Abuse

Rapidly change connection settings, forcing server re-configuration.

GET/POST Flood

Standard floods are more efficient on H2 because fewer connections needed.

IMMUNE TO

Slowloris Slow POST QUIC Initial Flood

HTTP/3

L4UDP (not TCP)

TLSTLS 1.3 (built into QUIC)

L7HTTP/3 (QUIC streams)

connection = independent streams (no HOL)

QUIC over UDP. TLS 1.3 integrated into transport.
No TCP head-of-line blocking. 0-RTT resumption.
Connection migration via Connection IDs.

QUIC transport QPACK compression 0-RTT CID migration

Vulnerable to

QUIC Initial Flood

Flood Initial packets. Server must perform TLS 1.3 crypto to validate. UDP source easily spoofed.

CID Exhaustion

Exhaust Connection ID allocation with many short connections.

0-RTT Replay

Replay captured 0-RTT early data. No built-in replay protection for 0-RTT.

Version Negotiation Amplification

Trigger QUIC version negotiation responses from server, amplifying traffic.

GET/POST Flood

Application-layer floods work regardless of transport.

IMMUNE TO

Slowloris SYN Flood TCP RST/FIN Flood Rapid Reset

Attack	HTTP/1.1	HTTP/2	HTTP/3	Key Insight
Slowloris	Vulnerable	Immune	Immune	Multiplexing eliminates single-request blocking
Slow POST	Vulnerable	Immune	Immune	Streams independent from connection lifecycle
Rapid Reset	Immune	Vulnerable	Immune	H2-specific: binary framing stream reset is free for client
CONTINUATION Flood	Immune	Vulnerable	Immune	H2 HPACK header handling has no size limit enforcement
QUIC Initial Flood	Immune	Immune	Vulnerable	UDP-based, TCP firewalls do not see it
0-RTT Replay	Immune	Immune	Vulnerable	0-RTT has no replay protection by design
SYN Flood	Vulnerable	Vulnerable	Immune	H3 uses UDP, no TCP handshake
GET/POST Flood	All	All	All	Application-layer flood works on any transport
TLS Exhaustion	Vulnerable	Vulnerable	Vulnerable	All versions require TLS handshake with server crypto cost

Attack Surface Heat Map

Number of known attack vectors per protocol layer

L3 Network

Volumetric

L4 TCP

High

L4 UDP + Amplification

Critical

TLS / QUIC Handshake

Moderate

HTTP/1.1

Moderate

HTTP/2

High (CVE)

HTTP/3 / QUIC

Emerging

App Protocols (GraphQL, gRPC, WS)

Varies

Non-HTTP (SIP, SMTP, SSH, MQTT)

Niche

86+ total known DDoS attack vectors across all layers

L3/L4 attacks saturate bandwidth before traffic reaches any application-layer device. No WAF, regardless of capacity, can mitigate an attack it never receives.

L7 attacks bypass volumetric detection by using legitimate-looking requests. Rate limiting, behavioral analysis, and challenge-response are required.

Protocol-specific attacks (Rapid Reset, QUIC Initial) require version-aware mitigation. A generic WAF rule cannot detect H2 stream abuse or QUIC crypto floods.