DoS vs. DDoS
A denial-of-service (DoS) attack floods a server with traffic, making a website or resource unavailable. A distributed denial-of-service (DDoS) attack is a DoS attack that uses multiple computers or machines to flood a targeted resource. Both types of attacks overload a server or web application with the goal of interrupting services.
As the server is flooded with more Transmission Control Protocol/User Datagram Protocol (TCP/UDP) packets than it can process, it may crash, the data may become corrupted, and resources may be misdirected or even exhausted to the point of paralyzing the system.
What Is the Difference Between DoS and DDoS Attacks?
The principal difference between a DoS and a DDoS is that the former is a system-on-system attack, while the latter involves several systems attacking a single system. There are other differences, however, involving either their nature or detection, including:
- Ease of detection/mitigation: Since a DoS comes from a single location, it is easier to detect its origin and sever the connection. In fact, a proficient firewall can do this. On the other hand, a DDoS attack comes from multiple remote locations, disguising its origin.
- Speed of attack: Because a DDoS attack comes from multiple locations, it can be deployed much faster than a DoS attack that originates from a single location. The increased speed of attack makes detecting it more difficult, meaning increased damage or even a catastrophic outcome.
- Traffic volume: A DDoS attack employs multiple remote machines (zombies or bots), which means that it can send much larger amounts of traffic from various locations simultaneously, overloading a server rapidly in a manner that eludes detection.
- Manner of execution: A DDoS attack coordinates multiple hosts infected with malware (bots), creating a botnet managed by a command-and-control (C&C) server. In contrast, a DoS attack typically uses a script or a tool to carry out the attack from a single machine.
- Tracing of source(s): The use of a botnet in a DDoS attack means that tracing the actual origin is much more complicated than tracing the origin of a DoS attack.
Types of DoS and DDoS Attacks
DoS and DDoS attacks can take many forms and serve various ends: making a company lose business, crippling a competitor, distracting from other attacks, or simply causing trouble or making a statement. The following are some common forms such attacks take.
Teardrop Attack
A teardrop attack is a DoS attack that sends countless Internet Protocol (IP) data fragments to a network. When the receiving system tries to reassemble the fragments into their original packets, it cannot.
For example, the attacker may take very large data packets and break them into multiple fragments for the targeted system to reassemble. However, the attacker alters how the packet is fragmented so that the pieces no longer fit together, and the targeted system is unable to reassemble them into the original packets.
Flooding Attack
A flooding attack is a DoS attack that sends many connection requests to a server but never responds to complete the handshake.
For example, the attacker may send request after request to connect as a client, but when the server replies to verify the connection, the attacker does not respond. After this is repeated countless times, the server becomes so inundated with pending requests that real clients cannot connect, and the server appears “busy” or even crashes.
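On the defending side, a flooding attack of this kind shows up as a pile-up of half-open connections on the server. The following is an added Python example, not code from the page or from any vendor, that reads text in the layout of `ss -tan` output, counts sockets in the SYN-RECV state per listening port, and reports whether the half-open sockets concentrate on one peer address (where a per-IP firewall rule is effective) or are spread one-per-address (where it is not). The thresholds, the `ss` text and every address in it are constructed for the example.

```python
from collections import Counter

HALF_OPEN_LIMIT = 50    # half-open sockets on one port that trigger an alert (assumed threshold)
HALF_OPEN_RATIO = 0.5   # or: half-open share of all sockets on that port (assumed threshold)


def build_sample():
    """Constructed text in the column layout of `ss -tan` output (not from a real host).

    Port 22:   three established sessions, nothing half-open (healthy).
    Port 8080: ten established sessions plus 40 half-open sockets, all from one peer.
    Port 443:  two established sessions plus 60 half-open sockets, each from a different peer.
    """
    lines = ["State     Recv-Q Send-Q Local Address:Port   Peer Address:Port"]
    for i in range(3):
        lines.append(f"ESTAB     0      0      10.0.0.5:22          198.51.100.{10 + i}:5{i}000")
    for i in range(10):
        lines.append(f"ESTAB     0      0      10.0.0.5:8080        198.51.100.{20 + i}:4{i}000")
    for i in range(40):
        lines.append(f"SYN-RECV  0      0      10.0.0.5:8080        198.51.100.9:{40000 + i}")
    for i in range(2):
        lines.append(f"ESTAB     0      0      10.0.0.5:443         198.51.100.{30 + i}:4{i}001")
    for i in range(60):
        lines.append(f"SYN-RECV  0      0      10.0.0.5:443         203.0.113.{i + 1}:{50000 + i}")
    return "\n".join(lines)


def parse_ss(text):
    """Parse `ss -tan`-style lines into (state, local_port, peer_ip) tuples.

    Only the columns this check needs are read; the header line is skipped.
    Splitting on the last colon keeps bracketed IPv6 addresses intact.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        local_port = int(local.rsplit(":", 1)[1])
        peer_ip = peer.rsplit(":", 1)[0]
        rows.append((state, local_port, peer_ip))
    return rows


def find_half_open_floods(rows, limit=HALF_OPEN_LIMIT, ratio=HALF_OPEN_RATIO):
    """Report listening ports where half-open (SYN-RECV) sockets dominate."""
    total_per_port = Counter()
    half_per_port = Counter()
    half_open_peers = {}
    for state, port, peer in rows:
        total_per_port[port] += 1
        if state == "SYN-RECV":
            half_per_port[port] += 1
            half_open_peers.setdefault(port, Counter())[peer] += 1
    findings = []
    for port, half in half_per_port.items():
        share = half / total_per_port[port]
        if half < limit and share < ratio:
            continue
        peers = half_open_peers[port]
        top_peer, top_count = peers.most_common(1)[0]
        findings.append({
            "port": port,
            "half_open": half,
            "share": round(share, 2),
            "distinct_peers": len(peers),
            "top_peer": top_peer,
            # One peer holding most of the half-open sockets is the single-source
            # case a per-IP firewall rule can stop. One socket per peer address
            # means distributed or spoofed sources: the host needs SYN cookies,
            # shorter SYN-RECV timers or filtering upstream instead.
            "per_ip_block_useful": top_count / half >= 0.5,
        })
    return findings


if __name__ == "__main__":
    for finding in find_half_open_floods(parse_ss(build_sample())):
        print(finding)
```

Run on a real host, the same parser can be fed the output of `ss -tan` on a schedule; the two flagged ports in the sample illustrate the article's point that the single-source case is the one a firewall can cut off.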
IP Fragmentation Attack
An IP fragmentation attack is a type of DoS attack that delivers altered network packets that the receiving network cannot reassemble. The network becomes bogged down with bulky unassembled packets, using up all its resources.
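The teardrop and IP fragmentation attacks described above both come down to one defensive check: a receiver should validate a datagram's fragments before it spends memory and time reassembling them. The following is an added Python example, not code from the page or from any particular IP stack, that walks the fragments in offset order and refuses sets that overlap, would exceed the maximum IPv4 datagram size, or are misaligned, while distinguishing those from a set that is merely incomplete. The `Fragment` class, the byte-based offset representation and all sample fragment sets are constructed for the example.

```python
from dataclasses import dataclass

MAX_DATAGRAM = 65535  # largest IPv4 datagram, header included


@dataclass(frozen=True)
class Fragment:
    """One IPv4 fragment as a receiver sees it (constructed representation for this example)."""
    ident: int   # Identification field, shared by all fragments of one datagram
    offset: int  # byte offset of this fragment's payload within the original datagram
    length: int  # payload bytes carried by this fragment
    more: bool   # MF flag: True on every fragment except the last


def check_fragments(frags):
    """Validate the fragments collected for one datagram before reassembly.

    Returns (verdict, reasons) where verdict is:
      "ok"         - fragments are contiguous and well-formed, safe to reassemble
      "incomplete" - nothing malformed seen yet, but bytes are still missing
      "drop"       - inconsistent input (overlap, oversize, bad alignment): discard
                     the whole datagram and count the event rather than guess
    """
    drop, incomplete = [], []
    if not frags:
        return "incomplete", ["no fragments received"]
    if len({f.ident for f in frags}) != 1:
        drop.append("fragments carry different Identification values")
    ordered = sorted(frags, key=lambda f: f.offset)
    for f in ordered:
        if f.offset % 8:
            drop.append(f"offset {f.offset} is not a multiple of 8")
        if f.more and f.length % 8:
            drop.append(f"non-final fragment at {f.offset} has length {f.length}, not a multiple of 8")
        if f.length <= 0:
            drop.append(f"empty fragment at offset {f.offset}")
        if f.offset + f.length > MAX_DATAGRAM:
            drop.append(f"fragment at {f.offset} would extend past {MAX_DATAGRAM} bytes")
    # Walk the fragments in offset order: each must start exactly where the
    # previous one ended. Starting earlier is an overlap (the teardrop case);
    # starting later means a fragment has not arrived.
    expected = 0
    for f in ordered:
        if f.offset < expected:
            drop.append(f"overlap: fragment at {f.offset} starts before byte {expected}")
        elif f.offset > expected:
            incomplete.append(f"gap: bytes {expected}-{f.offset - 1} not yet received")
        expected = max(expected, f.offset + f.length)
    finals = [f for f in ordered if not f.more]
    if len(finals) > 1:
        drop.append("more than one fragment has MF=0")
    elif not finals:
        incomplete.append("final fragment (MF=0) not yet received")
    elif finals[0] is not ordered[-1]:
        drop.append("fragment with MF=0 is not the one with the highest offset")
    if drop:
        return "drop", drop
    if incomplete:
        return "incomplete", incomplete
    return "ok", []


# Constructed sample fragment sets (not captured traffic)
GOOD = [Fragment(7, 0, 1480, True), Fragment(7, 1480, 1480, True), Fragment(7, 2960, 100, False)]
# Teardrop-style: the second fragment claims to start inside the first one
TEARDROP = [Fragment(8, 0, 1480, True), Fragment(8, 1000, 1480, True), Fragment(8, 2480, 20, False)]
# The middle fragment has not arrived (yet)
PARTIAL = [Fragment(9, 0, 1480, True), Fragment(9, 2960, 100, False)]
# The last fragment would push the datagram past 65535 bytes
OVERSIZE = [Fragment(10, 65528, 16, False)]

if __name__ == "__main__":
    for name, frags in [("GOOD", GOOD), ("TEARDROP", TEARDROP), ("PARTIAL", PARTIAL), ("OVERSIZE", OVERSIZE)]:
        verdict, reasons = check_fragments(frags)
        print(f"{name:9} -> {verdict} {reasons}")
```

The useful design point is the three-way verdict: an incomplete set is held (with a reassembly timeout, not shown) while a set that is inconsistent is dropped immediately, so the attacker's malformed fragments never reach the reassembly buffer that the article describes being exhausted.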
Volumetric Attack
A volumetric attack is a type of DDoS attack used to target bandwidth resources. For example, the attacker uses a botnet to send a high volume of request packets to a network, overwhelming its bandwidth with Internet Control Message Protocol (ICMP) echo requests. This causes services to slow down or even cease entirely.
Protocol Attack
A protocol attack is a type of DDoS attack that exploits weaknesses in Layers 3 and 4 of the OSI model. For example, the attacker may exploit the TCP connection sequence, sending requests but either not answering as expected or responding with another request using a spoofed source IP address. Unanswered requests use up the resources of the network until it becomes unavailable.
Application-based Attack
An application-based attack is a type of DDoS attack that targets Layer 7 of the OSI model. An example is a Slowloris attack, in which the attacker sends partial Hypertext Transfer Protocol (HTTP) requests but never completes them. Further HTTP headers are sent periodically on each connection to keep it open, so the server's connection resources stay tied up.
The attacker keeps this up until the server can accept no new connections. This type of attack is very difficult to detect because it sends partial rather than corrupted packets and uses little to no bandwidth.
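The mitigation for a Slowloris-style attack is to stop holding a connection open indefinitely while its request headers trickle in. The following is an added Python example, not code from the page or from any web server, that simulates that policy: each accepted connection must deliver complete request headers (terminated by a blank line) within a fixed timeout, and a single source address may hold only a bounded number of header-incomplete connections at once. Production servers implement the same idea with their own header-timeout settings; this is a stand-alone model of it. The 20-second timeout, the per-IP cap of five, the connection names and the whole timeline are constructed assumptions.

```python
HEADER_TIMEOUT = 20.0    # seconds a client gets to finish its request headers (assumed)
MAX_PENDING_PER_IP = 5   # concurrent header-incomplete connections allowed per source IP (assumed)


class SlowRequestGuard:
    """Tracks each accepted connection until its HTTP request headers are complete.

    A Slowloris-style client keeps many connections in the 'headers not yet
    complete' state for as long as the server allows. This guard bounds both
    how long a connection may stay in that state and how many of them one
    source IP may hold at once.
    """

    def __init__(self, header_timeout=HEADER_TIMEOUT, max_pending_per_ip=MAX_PENDING_PER_IP):
        self.header_timeout = header_timeout
        self.max_pending_per_ip = max_pending_per_ip
        self.pending = {}       # conn_id -> {"ip": str, "opened": float, "buf": bytes}
        self.completed = set()  # conn_ids whose headers arrived in time
        self.closed = {}        # conn_id -> reason it was refused or dropped

    def _pending_for(self, ip):
        return sum(1 for c in self.pending.values() if c["ip"] == ip)

    def on_connect(self, now, conn_id, ip):
        """Accept a new connection unless this IP already holds too many incomplete ones."""
        if self._pending_for(ip) >= self.max_pending_per_ip:
            self.closed[conn_id] = "per-ip pending limit"
            return False
        self.pending[conn_id] = {"ip": ip, "opened": now, "buf": b""}
        return True

    def on_data(self, now, conn_id, data):
        """Buffer header bytes; the blank line (CRLF CRLF) marks the headers as complete."""
        conn = self.pending.get(conn_id)
        if conn is None:
            return
        conn["buf"] += data
        if b"\r\n\r\n" in conn["buf"]:
            self.completed.add(conn_id)
            del self.pending[conn_id]

    def sweep(self, now):
        """Drop every connection whose headers are still incomplete after the timeout.

        A real server would call this periodically from its event loop.
        """
        expired = [cid for cid, c in self.pending.items()
                   if now - c["opened"] > self.header_timeout]
        for cid in expired:
            self.closed[cid] = "header timeout"
            del self.pending[cid]
        return expired


def run_scenario():
    """Constructed timeline: one normal client and one slow client holding eight sockets."""
    guard = SlowRequestGuard()
    # Normal client: complete request headers arrive 200 ms after connecting.
    guard.on_connect(0.0, "good-1", "198.51.100.20")
    guard.on_data(0.2, "good-1", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    # Slow client: opens eight connections one second apart and sends a single
    # header line on each every ten seconds, never the terminating blank line.
    for i in range(8):
        guard.on_connect(1.0 + i, f"slow-{i}", "203.0.113.7")
    for i in range(8):
        guard.on_data(11.0 + i, f"slow-{i}", b"GET / HTTP/1.1\r\n")
        guard.on_data(21.0 + i, f"slow-{i}", b"X-Padding: 1\r\n")
    guard.sweep(25.0)   # connections opened at t=1..4 have now exceeded 20 s
    guard.sweep(30.0)   # the fifth accepted connection (t=5) expires here
    return guard


if __name__ == "__main__":
    g = run_scenario()
    print("completed:", sorted(g.completed))
    print("still pending:", sorted(g.pending))
    for cid, reason in sorted(g.closed.items()):
        print(f"closed {cid}: {reason}")
```

In the scenario the normal client is unaffected, three of the slow client's eight connections are refused outright by the per-IP cap, and the remaining five are dropped by the timeout sweeps, which is the outcome the guard is designed to produce without needing to inspect bandwidth at all.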
How To Improve DoS and DDoS Attack Protection
The following are some high-level best practices for DoS and DDoS protection:
1. Monitor your network continually: This helps establish what normal traffic looks like and is critical to early detection and mitigation.
2. Run tests to simulate DoS attacks: This will help assess risk, expose vulnerabilities, and train employees in cybersecurity.
3. Create a protection plan: Create checklists, form a response team, define response parameters, and deploy protection.
4. Identify critical systems and normal traffic patterns: The former helps in planning protection, and the latter helps in the early detection of threats.
5. Provision extra bandwidth: It may not stop the attack, but it will help the network deal with spikes in traffic and lessen the impact of any attack.
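Practices 1 and 4 above (continuous monitoring and knowing your normal traffic pattern) are what make the DoS-versus-DDoS distinction from earlier on this page actionable: once a spike is detected against a baseline, the spread of its source addresses tells you whether a per-IP block will help. The following is an added Python example, not code from the page or from Fortinet, that learns a per-minute baseline from a warm-up window, flags minutes whose request total sits far above it, and classifies each flagged minute as single-source or distributed by the share of traffic its busiest address carries. The request records, the 30-minute warm-up, the 4-sigma threshold and the 50 percent concentration cut-off are all constructed assumptions.

```python
import random
from collections import Counter, defaultdict
from statistics import mean, pstdev


def build_sample_records(seed=42):
    """Constructed request records as (minute, source_ip) tuples; not real traffic.

    Minutes 0-29: baseline, roughly 100 requests/min spread over 50 client IPs.
    Minute 30:    the same background plus 2,000 requests from one IP (DoS-like).
    Minute 31:    the same background plus 2,000 requests over 400 IPs (DDoS-like).
    """
    rng = random.Random(seed)
    clients = [f"198.51.100.{i}" for i in range(1, 51)]
    records = []
    for minute in range(32):
        for _ in range(rng.randint(85, 115)):
            records.append((minute, rng.choice(clients)))
    records += [(30, "203.0.113.9")] * 2000
    records += [(31, f"10.0.{(i % 400) // 256}.{(i % 400) % 256}") for i in range(2000)]
    return records


def detect_spikes(records, warmup_minutes=30, sigma=4.0):
    """Flag minutes whose request total is far above the learned baseline and
    classify each flagged minute by how concentrated its sources are.

    The baseline is the mean and standard deviation of per-minute totals over
    the first `warmup_minutes`, i.e. the 'normal traffic pattern' of practice 4.
    """
    by_minute = defaultdict(Counter)
    for minute, src in records:
        by_minute[minute][src] += 1
    base = [sum(by_minute[m].values()) for m in range(warmup_minutes)]
    mu, sd = mean(base), pstdev(base)
    sd = max(sd, 1.0)   # a perfectly flat baseline must not divide by zero
    findings = []
    for minute in sorted(by_minute):
        if minute < warmup_minutes:
            continue
        srcs = by_minute[minute]
        total = sum(srcs.values())
        z = (total - mu) / sd
        if z < sigma:
            continue
        top_ip, top_n = srcs.most_common(1)[0]
        top_share = top_n / total
        findings.append({
            "minute": minute,
            "total": total,
            "z": round(z, 1),
            "distinct_sources": len(srcs),
            "top_source": top_ip,
            "top_share": round(top_share, 2),
            # One address carrying most of the spike can be cut off at the
            # firewall; a spike spread thinly over hundreds of addresses needs
            # rate limiting, upstream scrubbing or other volumetric defenses.
            "kind": "single-source (DoS-like)" if top_share >= 0.5 else "distributed (DDoS-like)",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_spikes(build_sample_records()):
        print(finding)
```

The same function works on records pulled from a web server access log or a flow collector; the only inputs it needs are a time bucket and a source address per request.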
DDoS attacks are evolving, becoming more sophisticated and powerful, so organizations require solutions that use comprehensive strategies—such as advanced reporting tools and analytics—to monitor countless threat parameters simultaneously. To protect an organization from known attacks and prepare for potential zero-day attacks, multilayered DDoS protection, such as FortiDDoS, is necessary.
FortiDDoS includes the Fortinet DDoS attack mitigation appliance, which provides continuous threat evaluation and security protection for Layers 3, 4, and 7.