Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks have become increasingly prevalent for many years, especially within the gaming industry. Both create disruptions for companies and individual users by disabling networks, websites, and services by sending a massive amount of traffic to servers.
Although often discussed interchangeably, DoS and DDoS attacks have distinct characteristics and impacts. Let’s break down the differences between these attacks, explain why they matter, and discuss how you can protect yourself or your organization from falling victim to these disruptions.
What is a Denial of Service (DoS) attack
A Denial of Service (DoS) attack is a malicious attempt to disrupt the normal functioning of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
DoS attacks achieve this by sending more requests than the server can handle, preventing legitimate requests from being fulfilled. This is done using a single computer and internet connection, making it simpler and less resource-intensive than other forms of cyber attacks.
Metaphorically speaking, this would be akin to deliberately causing a traffic jam.
The easiest form of a DoS attack is one that simply requests content from a site (i.e., a web page, a file, or a search request). This request will consume resources for both the person making it and the person(s) being attacked. In theory, if you have more resources than the service you are attacking, you could take the service down for the duration of the attack.
Some operations might be very resource-intensive on the targeted service but require little to no resources on the side of the attacker. If a service is unprepared, it becomes an easy target.
Most services, however, will limit the amount of resources spent on each visitor, preventing a single user from using up all its resources. The service might also block a user completely if their activity is deemed suspicious. In other cases, a service might prompt for a captcha, slowing down automated attacks.
What is a Distributed Denial of Service (DDoS) attack
A Distributed Denial of Service (DDoS) attack, similar to a DoS attack, aims to disrupt the normal functioning of a targeted server, service, or network. However, unlike DoS attacks, DDoS attacks utilize multiple compromised computer systems as sources of attack traffic.
Exploited machines can include computers and other networked resources such as IoT devices. DDoS attacks significantly increase the scale and impact of the assault, making them harder to stop and mitigate due to the multiple sources of incoming traffic.
Defending against a DDoS attack is more difficult. Instead of a single user with a single machine flooding a service with requests, there are thousands or even millions of machines (called botnets).
Botnets are a group of compromised devices that are connected to the internet, such as desktop computers, routers, or even security cameras. They are remotely controlled by a group of attackers, who often rent them out on an hourly basis for the sole purpose of DDoS Attacks.
Read more: 7 examples of the biggest DDoS attacks
Difference between DoS and DDoS attacks
The main difference is a DoS attack is launched by a single user from one computer, while a DDoS attack is larger in scale, using multiple devices.
| DoS | DDoS |
| Denial of Service | Distributed Denial of Service |
| Attack comes from one computer | Attack comes from a multi-device botnet |
| Can block by using a firewall | Can’t block with only a firewall |
| Easy to trace | Difficult to trace |
| No malware involvement | Uses devices infected by malware |
Common types of DoS and DDoS attacks
Ping of death
Also known as an Internet Control Message Protocol (ICMP) flood attack, a ping of death attack uses misconfigured network devices to send spoof packets to every computer on a targeted network. Because the spoof packets are not properly formatted, they will cause computers to crash after receiving them.
UDP flood
User Datagram Protocol (UDP) packets are like carrier pigeons. Normally, each pigeon carries a message addressed to someone in the neighborhood (or some port in the computer). However, in a UDP flood attack, the attacker sends a swarm of carrier pigeons (spoofed UDP packets) with messages to recipients who don’t exist. While attempting to handle the flood of spoofed packets, the target computer uses up all its resources, shutting down packets from legitimate users.
Ping flood
Similar to a UDP flood, a ping flood involves an attacker flooding a target computer with ICMP packets. The goal is to send ping packets as quickly as possible without waiting for a response. This then renders the target computer unreachable via brute force.
SYN flood
This involves attackers sending SYN requests to a targeted computer, which then replies with a SYN-ACK response. At this point, the computer expects an ACK response. However, in a SYN attack, no response is sent at all. The increasing pile of SYN messages ties up the resources on the computer, making it impossible for legitimate devices to establish a connection.
Slowloris
Named after the animal, slowloris is a hacking tool that sends incomplete HTTP requests to computers with no intention of actually completing them. The targeted computers will then keep connections open, thereby denying any legitimate incoming connection attempts.
HTTP flood
This is a high-volume attack that utilizes a flood of illegitimate HTTP requests, webpage resources, and POST requests sending web forms. Once again, the sheer number of these requests overloads the computer or web applications, making it inoperable. This is generally achieved by using internet-connected devices that have been hijacked with the aid of malware or bots.
Zero-day attack
A zero-day attack occurs when hackers or malicious actors are able to exploit a critical security flaw before it can be rectified by a software developer. In other words, attackers seek to take advantage of vulnerabilities that have not been discovered yet.
Teardrop attack
A teardrop attack works by gradually sending data fragments to a target network. Once sent, an attempt is made to recompile the data fragments into their original state. If successful, the target system is overwhelmed by the recompiling process and eventually crashes.
How to prevent DoS and DDoS attacks
As with most things in cybersecurity, the best approach is to use a combination of proactive and reactive measures. Some planning, some defensive technologies, and proactive monitoring will give you the best chance of suffering the least amount of damage. Let’s go through the main things to consider.
For individuals: Use a VPN
A VPN download is the easiest solution for a home or small network. A VPN protects you by putting a server between you and the attacker. Because you are given a different IP address, it’s harder for someone to target you specifically—and yes, DoS or DDoS attacks tend to be directed toward a specific person or company.
For companies:
Robust network architecture
Design your network with redundancy and resilience in mind. Use multiple, geographically dispersed servers, load balancers, and failover systems to distribute traffic evenly and maintain service continuity even under attack.
Anti-DDoS hardware and software
Implement anti-DDoS hardware solutions and software that can detect abnormal traffic flows and filter out malicious traffic. These tools often include rate limiting, traffic shaping, and deep packet inspection to help mitigate attack impacts. These might not be feasible for you if you have a small infrastructure budget, but provide solid protection.
Upgrade bandwidth
While not a stand-alone solution, having more bandwidth than you typically need can absorb higher traffic volumes during an attack. This is not foolproof but can be helpful when combined with other defensive strategies.
Response plan
Have a response plan in place that includes procedures for identifying, mitigating, and recovering from attacks. Ensure that all team members know their roles in this plan so you can react quickly and disrupt your users as little as possible.
Secure configuration
Ensure that all networked devices are securely configured to minimize vulnerabilities. This mostly includes regularly updating and patching systems to fix security holes that could be exploited by attackers, but also carefully monitoring your configurations regularly and also after every update.
Cloud-based DDoS protection services
Leverage cloud-based DDoS protection services that can absorb and scrub large-scale attack traffic away from your network. These services can scale dynamically to handle unexpected surges in traffic and deal with attacks constantly, so they’re extremely prepared for this. One such service is Cloudflare, but there are many others.
Education and awareness
Educate your staff about the risks and signs of DoS and DDoS attacks. Regular training and awareness programs can help prevent accidental behaviors that might lead to vulnerabilities, and will also help you identify an attack quickly.
Simulate DoS attacks
You know what they say: Practice makes perfect! Running simulations can be a great way to train your staff how to recognize all the signs of a DoS as they happen, and further safeguard your systems from external threats.
Why do DoS and DDoS attacks occur?
Ransom
DoS or DDoS ransom attacks involve inundating a target’s system or website with requests to render them inaccessible. Once compromised, an attacker will demand a ransom to lift the attack. There is, however, no guarantee that everything will go back to normal once a ransom is paid.
Revenge
A current or former employee may be harboring a grudge against you and has undertaken a DoS/DDoS attack to exact revenge.
Competition
Competitors in your market may resort to unethical tactics in an attempt to steer potential consumers away from your business—and this might mean making your website or service inaccessible via a DoS/DDoS attack.
Hacktivism
A portmanteau of hack and activism, hacktivism is the use of technology as a form of protest. In this context, attackers may disagree with you for corporate or political reasons. Hacktivism is usually directed towards governments or large corporations.
Read more: Is this attack a hack… or hacktivism?
Pranks
DoS/DDoS attacks are easy to execute and can sometimes be performed purely for the amusement of the attackers.
Nation-state funded DDoS attacks
When carried out by well-funded actors, such as nation-states, DDoS attacks become almost impossible to defend against due to the scope of the attack. DDoS Attacks pose a serious threat to the freedom of speech online, as they are done in extrajudicial secrecy and without accountability.
For example, China has in the past repurposed its Great Firewall to initiate DDoS attacks against Github for hosting mirrors of newspaper articles. British spy agency GCHQ is also reported to have used DDoS attacks as retaliation against hacker groups Anonymous and LulzSec. These high-level types of attacks are referred to as “Advanced Persistent DoS Attacks.”
DDoS Attacks can be executed for a variety of reasons. Sometimes their goal is purely political or an act of vengeance against a previous attack. Attacks can also be carried out for business reasons, for example, to “convince” the customers of a competitor to switch products.
A large and efficient DDoS attack can be expensive, so damage is often limited to just a few hours or days of outage, as the perpetrator cannot afford to sustain it any longer. Still, for a business, even this short time can have serious commercial implications.
Many attackers will use a DDoS attack for the purpose of extortion. Initially, a small attack is launched against a target, followed by a request for ransom. If the target does not pay, a larger DDoS Attack usually follows, sometimes followed by another ransom request.
Paying the ransom, in this case, is not wise. Other attacks will soon follow (as everyone knows it will pay out). There are many potential attackers out there, so the promise of one group to “not attack” again is meaningless. Investing the capital in DDoS protection is much wiser.
Read more: What is ransomware, and how to prevent it?
Email bomb DoS attacks
DoS attacks can also be launched against those who do not operate a web service. For example, your email inbox can be the target of what is called an email bomb.
During an email bomb attack, a user will receive a large number of e-mails, some with massive attachments, others designed to trigger alerts on the user’s system. If the system, particularly the spam filter, is poorly configured, this can crash the email server or the client (e.g., Outlook) used to read the email. For the duration of the attack (and possibly longer), the e-mail service will be disrupted. It’s possible that all emails received during the attack are lost, or will take a long time to filter through to the user.
But DDoS attacks don’t just hit computers—they can make any online device unusable. One possible method to achieve this involves a fake online ad taken out in the name of the victim, for example for an absurdly cheap car in a big city. The resulting flood of emails and phone calls can be of great inconvenience to the victim. And as they are all non-automated messages from real people, they are very hard to defend against or block.
In extreme situations, getting a new email address or phone number can be the best choice for the victim. A well-configured and popular email provider, such as Google or Apple, will go a long way in defending against attacks, however.
FAQ: DoS and DDoS attacks
Can you accidentally DDoS someone?
In emergency situations, when many people are trying to access a particular resource online, the sheer number of data requests may hinder access to said service. Think of those times where you’ve tried to buy something and the website crashes.
That said, this isn’t accidental as much as it is unintended. Accidental instances of DoS or DDoS attacks can sometimes be attributed to incorrectly configured router devices.
Is it illegal to DDoS attack a website?
It is absolutely illegal to conduct DoS or DDoS attacks in any capacity. Most countries have laws that prohibit these attacks from being carried out and carry heavy penalties that range from fines to imprisonment.
How do DDoS and DrDoS attacks differ?
A distributed reflection denial-of-service (DrDos) attack is a type of DDoS attack that uses multiple third-party victim machines. In this scenario, the victim machines are used to hide the identity of the attacker—hence the “reflection.”
How can I detect a DDoS attack?
You can use DDoS detection software. Since a DDoS attack includes a large surge in traffic, one of the techniques used by the software is to compare your average traffic with your current one. Then, a DDoS defense system will sample traffic from your network and compare its behavior with strategies that DDoS attacks use. If it’s a positive match, the DDoS protocol is triggered so it can be mitigated quickly.
Can I use a CDN to protect my network against DDoS attacks?
Yes. A CDN (Content Delivery Network) stores copies of your resources (website content, videos, images, etc.) in several different data centers around the world. This has benefits for the user, as they can receive the content from a server that’s physically closer to them, and also benefits the website because, in the event of an attack, it would be directed to the CDN, which can handle high loads much better.
Can I trace a DDoS attack?
Not easily. Unlike DoS attacks, the distributed nature of DDoS attacks means that harmful traffic is coming from several different places. DDoS attacks work by using a network of “zombie” computers, or botnets. Even if you can find one source of repeated requests and you block it, there could potentially be thousands of other sources, meaning that tracing the attack is in itself not only difficult, but with little if any benefit.
Comments
Just to know to help people from bad hurckers
I wish I could take this all in I do believe I have email attackers an wish they’d leave me alone I am poor an not so smart . Please someone help me understand.
Very interesting article. There is a lot of knowledge out there that help us people that do minimum work on computers. Lone users like me who use computers for banking or shopping do not spend our lives on the computer have difficulty getting information about these things. We just float along with the stream and hope for the best.