DoS vs. DDoS Attacks: What Are the Differences?

For any online business today, few threats raise higher stakes than distributed denial of service (DDoS) attacks. By flooding websites and infrastructure with bogus traffic, DDoS attacks can cripple operations, causing extensive revenue and reputation damage.

As data flows increasingly across enterprise networks and systems, so too does the risk of DDoS and related cyber attacks. While there are many forms of cyberthreats, DDoS and Denial of Service (DoS) attacks function differently in scale and execution while sharing similar aims.

In this comprehensive guide, we’ll demystify these two powerful types of cyber assaults to help inform protection efforts.

What is a Denial of Service (DoS) Attack?

A Denial of Service (DoS) attack aims to make an online service or website unavailable to legitimate users by overloading it with illegitimate traffic.

DoS assaults typically originate from one computer or internet connection. The attacker sends a continuous flood of bogus requests to the target site or server until it crashes or its connection bandwidth reaches exhaustion. With vital resources overwhelmed, the site is unable to respond to genuine user traffic.

Common DoS attack types include:

  • UDP floods – where User Datagram Protocol (UDP) packets overwhelm randomized ports on a target server

  • ICMP floods – leveraging Internet Control Message Protocol (ICMP) requests to consume available bandwidth

  • SYN floods – aimed at exhausting a system’s SYN request queue capacity

While DoS attacks rarely originate from botnets or compromised devices, the scale of traffic from even one computer can be enough to take all but the most robust web servers offline.

What is a DDoS Attack?

A Distributed Denial of Service (DDoS) attack operates similarly to DoS – with both aiming to make online resources inaccessible to users. However, DDoS assaults utilize multiple connected machines to amplify the scale and force of traffic directed at victims.

In a DDoS attack, the perpetrator first infects thousands of insecure computers, servers and IoT devices with malware. This network of compromised machines forms a "botnet" which can be remotely instructed to flood desired targets with junk traffic in unison.

With traffic originating from tens of thousands of unique IP addresses rather than one, DDoS assaults can overwhelm systems with upwards of 50-100x the traffic of traditional DoS attacks.

(Figure: DDoS attack botnet)

Where a single computer might muster only 5Gbps of traffic on its own, botnets containing hundreds of thousands of devices can generate floods exceeding 1Tbps – more than enough to crush most network infrastructures.

The motives behind DDoS attacks vary widely, from cyber extortion to hacktivism, disputes between competitors, or simple vandalism. Yet regardless of purpose, these attacks deny access to vital websites, apps, APIs and network resources.

Main Types of DDoS Attacks

DDoS assaults can be grouped into three primary categories based on their mechanics:

Volume-Based Attacks

Volume-based DDoS tactics aim to simply overwhelm networks with more traffic than they can handle. Attack vectors include:

  • UDP floods – barraging randomized UDP ports on servers to use up resources responding.

  • ICMP floods – exhausting networks via sustained ICMP echo requests.

  • Other spoofed packet floods – leveraging forged sender IP addresses.

Volume overload attacks don’t require sophistication to execute but can be highly disruptive to unprepared networks.

Protocol Attacks

Protocol or state exhaustion attacks target infrastructure management tools like firewalls and load balancers. They send malformed packets which confuse devices into tying up significant resources.

  • SYN flood attacks – continuously making new TCP connections to consume all available slots.

  • Fragmented packet attacks – forcing servers to spend resources re-assembling broken up data.

Application Layer Attacks

Application layer assaults focus on disrupting web servers and applications themselves using seemingly legitimate HTTP requests.

  • Slowloris attacks – opening partial connections the web server must keep alive, eating resources.

  • GET/POST floods – overloading servers with continuous streams of static resource requests.

  • SSL renegotiation attacks – repeatedly forcing TLS re-handshakes.

Defending against application attacks is challenging since malicious traffic appears identical to normal user requests for site content.
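To make the "appears identical" problem concrete, here is an added example (not code from the article) of the most common first line of application-layer defence, a per-client sliding-window rate limiter, replayed against constructed traffic. The `SlidingWindowLimiter` class, the `simulate` replay and the client mixes are all hypothetical constructs for this illustration; times are whole milliseconds so the arithmetic is exact. It shows that a per-client cap stops one flooding host, lets a distributed flood of low-rate bots straight through, and that a blunt global cap then starves the legitimate user alongside the bots.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Sliding-window counter: at most `limit` requests per `window_ms` per key.
    Hypothetical helper written for this example; not a library API."""

    def __init__(self, limit, window_ms):
        self.limit = limit
        self.window_ms = window_ms
        self._hits = defaultdict(deque)  # key -> timestamps (ms) of admitted requests

    def allow(self, key, now_ms):
        q = self._hits[key]
        cutoff = now_ms - self.window_ms
        while q and q[0] <= cutoff:      # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False                 # over budget: reject without recording
        q.append(now_ms)
        return True


def simulate(clients, duration_s, per_client, global_limiter=None):
    """Replay `clients` ({key: requests per second}) for `duration_s` seconds.
    Requests are spaced evenly in whole milliseconds and processed in time order.
    Every request must pass the per-client limiter and, if given, the shared global one.
    Returns {key: (allowed, denied)}."""
    events = sorted(
        (sec * 1000 + i * (1000 // rps), key)
        for key, rps in clients.items()
        for sec in range(duration_s)
        for i in range(rps)
    )
    stats = {key: [0, 0] for key in clients}
    for now_ms, key in events:
        ok = per_client.allow(key, now_ms) and (
            global_limiter is None or global_limiter.allow("all", now_ms)
        )
        stats[key][0 if ok else 1] += 1
    return {key: tuple(v) for key, v in stats.items()}


def single_source_flood():
    """Constructed traffic: one legitimate client at 1 rps beside one host at 50 rps."""
    limiter = SlidingWindowLimiter(limit=30, window_ms=10_000)
    return simulate({"legit": 1, "flooder": 50}, 60, limiter)


def distributed_low_and_slow(global_cap=None):
    """Constructed traffic: 100 bot addresses at 2 rps each, every one below the
    per-client limit, plus the same legitimate client. Optionally add a shared cap
    of `global_cap` requests per second across all clients."""
    per_client = SlidingWindowLimiter(limit=30, window_ms=10_000)
    shared = SlidingWindowLimiter(limit=global_cap, window_ms=1_000) if global_cap else None
    clients = {f"bot-{b:03d}": 2 for b in range(100)}
    clients["legit"] = 1
    return simulate(clients, 60, per_client, shared)


if __name__ == "__main__":
    print("single source:", single_source_flood())
    r = distributed_low_and_slow()
    print("distributed, per-client limit only: bots admitted",
          sum(a for k, (a, _) in r.items() if k != "legit"), "legit", r["legit"])
    r = distributed_low_and_slow(global_cap=100)
    print("distributed, plus global cap 100/s: bots admitted",
          sum(a for k, (a, _) in r.items() if k != "legit"), "legit", r["legit"])
```

With the per-client limit alone the single flooder is held to 30 requests per 10-second window while the legitimate client is never touched, but all 12,000 requests from the low-and-slow botnet are admitted because each bot individually looks like a normal user. Adding a 100-per-second global cap cuts the botnet's admitted traffic in half, yet the legitimate client, arriving in the same instant as the bots, is denied every time: the limiter has no feature that separates the two, which is why the article points organizations towards scrubbing services and layered defences rather than a single threshold.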

Recent High Profile DDoS Attacks

  • 2022 – A massive DDoS exceeding 21 million RPS overwhelms Cloudflare’s systems, causing widespread regional service disruptions.

  • 2021 – Hacktivist group REvil launches a 7 day DDoS extortion assault on web host hostkey.ru demanding an $800K ransom.

  • 2020 – Imperva mitigates a 1.7 Tbps memcached reflection attack against GitHub, one of the largest ever recorded.

  • 2019 – China launches DDoS attacks against encrypted messaging app Telegram after Hong Kong protestors adopt the platform.

  • 2017 – Massive Mirai IoT botnet DDoS takes down DNS provider Dyn, severing access to Twitter, Spotify, Reddit and other major sites.

These and similar large-scale attacks demonstrate the havoc DDoS can unleash on unprepared organizations.

Why Launch a DoS or DDoS Attack?

Those behind these assault types don’t actually compromise target servers or infrastructure. Rather, they simply prevent others from being able to access it through resource exhaustion.

Motives for DDoS and DoS attacks include:

  • Extortion – extracting blackmail payments in return for halting an ongoing attack
  • Hacktivism – advancing political ideologies by censoring opponents
  • Revenge – cyber vandalism between business competitors or feuding groups
  • Distraction – occupying defenses while intruding systems elsewhere

Regardless of specific goals, the end result focuses on denying availability of key infrastructure and sites.

The Rising Danger of DDoS Botnets

A troubling trend has emerged regarding the scale of top-tier DDoS assaults – with wider availability of unsecured servers, routers, smartphones and Internet of Things (IoT) devices providing armies of new cyberattack drones.

Modern botnets already contain millions more nodes than predecessors like 2010’s 100,000-strong Mariposa network. The recent Echobot botnet, for example, boasted over 2 million IoT devices under its control.

Research indicates these massed botnets can now unleash devastating DDoS floods exceeding 50 Tbps – presenting an exponentially growing danger to organizations. Without adequate protections in place, few networks stand a chance against attacks of this magnitude.

Quantifying the DDoS Threat Landscape

Statistics regarding DDoS and DoS attacks illustrate the increasing risks they pose to organizations:

  • 55% of firms suffered a DDoS attack in 2021 – up from 39% in 2020 (Neustar)
  • 7.3 million DDoS attack events occurred in first half of 2022 alone (Kaspersky)
  • Average DDoS durations grew from 95 minutes in 2020 to 358 minutes by mid 2022 (NETSCOUT)
  • Maximum recorded DDoS attack bandwidth jumped 35% in 2021 reaching 17.5 Tbps (Cloudflare)
  • Estimated $114k per hour in costs for an average business to suffer DDoS-related downtime (Radware)
  • Industry most targeted by DDoS in 2022 is finance/banking at 46% of attacks (NETSCOUT)

The numbers speak for themselves – DDoS represents an increasingly severe threat environment for modern organizations. Just a single hour of infrastructure-crippling assault can equate to enormous losses.

How Can Businesses Mitigate DDoS Threats?

While no silver bullet solution exists to deter all DDoS attacks, organizations can take several steps to minimize risks and enhance resilience:

Monitor Traffic for Anomalies

By closely following inbound connection volumes, request types and geographies, deviations from baseline activity become quicker to detect. Sudden traffic spikes could indicate DDoS reconnaissance or ongoing attacks.
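As an added example of the baseline comparison described above (not code from the article), the following Python script parses web-server access-log lines in the common "combined" layout, buckets requests per second, learns a baseline rate from a quiet window, and flags any later second whose volume exceeds a multiple of that baseline. Each alert also reports how many distinct source addresses were involved, which is the quickest way to tell a single-source DoS from a distributed one. The log lines are constructed in `build_sample_log()` from documentation and private address ranges; the log format, thresholds and function names are assumptions for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean

# Assumption: logs use the common Apache/nginx "combined" layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status"))}


def bucket_per_second(lines):
    """Group requests into one-second buckets: second -> {source ip: request count}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash mid-incident
        buckets[rec["ts"].replace(microsecond=0)][rec["ip"]] += 1
    return buckets


def detect_spikes(lines, baseline_seconds=10, factor=5.0, distributed_min_ips=20):
    """Flag seconds whose request count exceeds `factor` x the baseline mean.
    The first `baseline_seconds` buckets are treated as the known-good baseline."""
    buckets = bucket_per_second(lines)
    seconds = sorted(buckets)
    base = seconds[:baseline_seconds]
    if not base:
        return []
    threshold = mean(sum(buckets[s].values()) for s in base) * factor
    alerts = []
    for s in seconds[baseline_seconds:]:
        total = sum(buckets[s].values())
        if total <= threshold:
            continue
        distinct = len(buckets[s])
        top_ip, top_n = max(buckets[s].items(), key=lambda kv: kv[1])
        alerts.append({
            "second": s.isoformat(), "requests": total, "distinct_ips": distinct,
            # many sources sharing the load points at a botnet; one source at a DoS
            "kind": "distributed" if distinct >= distributed_min_ips else "single-source",
            "top_ip": top_ip, "top_ip_requests": top_n,
        })
    return alerts


def build_sample_log():
    """Constructed sample log: 10 quiet seconds, then 3 seconds of a distributed flood,
    then 2 seconds of a single-source flood. Addresses come from test/private ranges."""
    start = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, t, path):
        return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    for sec in range(10):                      # baseline: 5 clients, 1 request each per second
        t = start + timedelta(seconds=sec)
        lines += [fmt(f"192.0.2.{i + 1}", t, f"/page{i}") for i in range(5)]
    for sec in range(10, 13):                  # 50 bots, 4 requests each, same path
        t = start + timedelta(seconds=sec)
        lines += [fmt(f"10.0.0.{bot + 1}", t, "/login") for bot in range(50) for _ in range(4)]
    for sec in range(13, 15):                  # one host, 120 requests per second
        t = start + timedelta(seconds=sec)
        lines += [fmt("198.51.100.77", t, "/search?q=x") for _ in range(120)]
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for alert in detect_spikes(build_sample_log()):
        print(alert)
```

On the constructed log the baseline is 5 requests per second, so the threshold is 25; the three botnet seconds are reported as "distributed" (200 requests from 50 addresses) and the two single-host seconds as "single-source" (120 requests from one address). In production the baseline should come from a longer, time-of-day-aware history rather than the first ten seconds of the file, and the same bucketing can be keyed by path or country to catch the request-type and geography deviations the article mentions.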

Employ DDoS Prevention Services

Specialized cloud scrubbing services divert and filter attack traffic before it reaches internal networks. Offloading this burdensome task allows infrastructure to maintain availability despite an assault.

Architect Redundancy and Elasticity

Distributing critical systems across cloud providers lets resources scale dynamically while preventing single points of failure. If one provider falls victim to DDoS, automatic failover kicks in.

Harden Public-Facing Assets

Analyze exposed servers and apps for vulnerabilities, applying latest security patches and hardening configurations. Reduce risks of assets secretly transitioning into DDoS botnet nodes.

Develop Incident Response Plans

Documenting procedures for traffic diversion, black holing, system isolation and escalation ensures teams aren’t scrambling during actual events. Establish DDoS runbooks and test via fire drills.

Continuously Monitor Systems

Employing exploratory threat scanning, intrusion detection, endpoint monitoring and log analysis makes spotting risks easier across infrastructure. Tune tools to flag abnormalities like suspicious outbound connections.

Emerging DDoS Attack Vectors and Trends

As with any facet of cybersecurity, DDoS attackers constantly evolve tactics to evade protections. Several emerging trends should stay on organizations’ radars:

Internet of Things (IoT) Botnets

Poorly secured IoT devices like smart cameras, wearables and connected appliances are recruited into botnet armies daily. Their computational resources add up quickly – with incidents like the 10 million node Meris botnet applying immense pressure on targets.

Encrypted Traffic Floods

Where DDoS traffic once arrived solely over cleartext protocols, modern HTTPS and QUIC floods blend seamlessly into legitimate encrypted traffic – frustrating DDoS defenses reliant on analyzing unencrypted streams.

Multi-Vector Attacks

Savvy attackers will unleash multiple simultaneous or alternating attack types to counter adaptive mitigations. For example, a protocol flood diverts defenses before launching an HTTPS application layer attack.

Exhaustion of Critical Services

Rather than focusing directly on web infrastructure, devious assailants target adjacent systems like email services, DNS providers or upstream ISP links to indirectly incapacitate organizations.

Legal Efforts Against DDoS Perpetrators

While global law enforcement efforts to combat DDoS attacks are ongoing, authorities face major challenges in apprehending sophisticated perpetrators who utilize technical means to mask identities.

Jurisdiction also poses issues, since botnets span numerous countries and perpetrators themselves reside anywhere with an internet connection. An attack victim’s own government may consider tracking down foreign threat actors low priority.

Nonetheless, some laws provide DDoS and DoS attack victims paths to restitution:

  • US Computer Fraud and Abuse Act (CFAA) – Makes many DoS/DDoS tactics illegal, permitting criminal cases against perpetrators

  • Contraventions Act 1984 – Canadian law under which DDoS attackers can face fraud charges and arrests

  • Computer Misuse Act 1990 – UK law criminalizing DoS assaults and allowing extradition requests

Organizations should report all DDoS incidents to appropriate Computer Emergency Response Teams (CERTs) per local regulations. But ultimately, legal pursuits remain challenging. Self-help by enhancing defenses stays essential.

The Bottom Line

For modern digitally-driven enterprises, DDoS attacks represent an omnipresent threat with steep risks should resilience falter. By understanding the spectrum of DDoS and DoS tactics in play and instituting layered defenses, organizations of all sizes can keep services online and customers happy in the face of attempted disruption.

There exist no silver bullet solutions. But with continuous security monitoring, stress testing, redundancy mechanisms and DDoS mitigation services covering on-premise and cloud infrastructure, companies can thrive safely despite the eye-watering scale of modern-day cyber assaults.
