DoS vs. DDoS attacks: What’s the difference?


Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks have grown steadily more prevalent over the years, especially within the gaming industry. Both disrupt companies and individual users by sending a massive amount of traffic to servers, disabling networks, websites, and services.

Although often discussed interchangeably, DoS and DDoS attacks have distinct characteristics and impacts. Let’s break down the differences between these attacks, explain why they matter, and discuss how you can protect yourself or your organization from falling victim to these disruptions.

What is a Denial of Service (DoS) attack?

A Denial of Service (DoS) attack is a malicious attempt to disrupt the normal functioning of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. 

DoS attacks achieve this by sending more requests than the server can handle, preventing legitimate requests from being fulfilled. This is done using a single computer and internet connection, making it simpler and less resource-intensive than other forms of cyber attacks.

Metaphorically speaking, this would be akin to deliberately causing a traffic jam.

The easiest form of a DoS attack is one that simply requests content from a site (i.e., a web page, a file, or a search request). This request will consume resources for both the person making it and the person(s) being attacked. In theory, if you have more resources than the service you are attacking, you could take the service down for the duration of the attack.

Some operations might be very resource-intensive on the targeted service but require little to no resources on the side of the attacker. If a service is unprepared, it becomes an easy target.

Most services, however, will limit the amount of resources spent on each visitor, preventing a single user from using up all its resources. The service might also block a user completely if their activity is deemed suspicious. In other cases, a service might prompt for a captcha, slowing down automated attacks.
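The per-visitor limit and temporary block described above can be sketched as a token bucket keyed by client address. This is an added example, not code from the original article; the class name, rates, strike count, and block duration are illustrative assumptions.

```python
import time
from dataclasses import dataclass

@dataclass
class Bucket:
    tokens: float
    updated: float
    strikes: int = 0
    blocked_until: float = 0.0

class PerClientLimiter:
    """Token bucket per client, with a temporary block after repeated overuse."""

    def __init__(self, rate=5.0, burst=10, max_strikes=3, block_seconds=60.0):
        self.rate, self.burst = rate, burst          # assumed example values
        self.max_strikes, self.block_seconds = max_strikes, block_seconds
        self.clients = {}

    def allow(self, client, now=None):
        """Return 'ok', 'throttled' or 'blocked' for one request from client."""
        now = time.monotonic() if now is None else now
        b = self.clients.setdefault(client, Bucket(self.burst, now))
        if now < b.blocked_until:
            return "blocked"
        # Refill in proportion to elapsed time, capped at the burst size.
        b.tokens = min(self.burst, b.tokens + (now - b.updated) * self.rate)
        b.updated = now
        if b.tokens >= 1:
            b.tokens -= 1
            return "ok"
        # Out of tokens: count a strike, and block after too many of them.
        b.strikes += 1
        if b.strikes >= self.max_strikes:
            b.blocked_until = now + self.block_seconds
            b.strikes = 0
            return "blocked"
        return "throttled"

def simulate():
    """Constructed traffic: one client bursts 20 requests, another sends 3."""
    lim = PerClientLimiter()
    heavy = [lim.allow("203.0.113.7", now=0.0) for _ in range(20)]
    light = [lim.allow("198.51.100.4", now=0.0) for _ in range(3)]
    later = lim.allow("203.0.113.7", now=61.0)   # after the block has expired
    return heavy, light, later
```

A production limiter also has to evict idle entries from the client table, otherwise the table itself becomes a resource an attacker can exhaust.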

What is a Distributed Denial of Service (DDoS) attack?

A Distributed Denial of Service (DDoS) attack, similar to a DoS attack, aims to disrupt the normal functioning of a targeted server, service, or network. However, unlike DoS attacks, DDoS attacks utilize multiple compromised computer systems as sources of attack traffic.

Exploited machines can include computers and other networked resources such as IoT devices. DDoS attacks significantly increase the scale and impact of the assault, making them harder to stop and mitigate due to the multiple sources of incoming traffic.

Defending against a DDoS attack is more difficult. Instead of a single user with a single machine flooding a service with requests, there are thousands or even millions of machines (collectively called a botnet).

A botnet is a group of compromised devices that are connected to the internet, such as desktop computers, routers, or even security cameras. They are remotely controlled by a group of attackers, who often rent them out on an hourly basis for the sole purpose of DDoS attacks.


Difference between DoS and DDoS attacks

The main difference is that a DoS attack is launched by a single user from one computer, while a DDoS attack is larger in scale and uses multiple devices.

DoS | DDoS
Denial of Service | Distributed Denial of Service
Attack comes from one computer | Attack comes from a multi-device botnet
Can block by using a firewall | Can’t block with only a firewall
Easy to trace | Difficult to trace
No malware involvement | Uses devices infected by malware
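For a defender, the table's first rows translate into a triage question: does one address explain the surge, or is it spread across many? The sketch below is an added example, not part of the original article; the function names, thresholds, and sample traffic are constructed assumptions.

```python
from collections import Counter

def classify_window(sources, baseline, surge_factor=5, dominant_share=0.8):
    """Classify one time window of request source IPs.

    sources:  list of source IPs seen in the window
    baseline: normal request count for a window of this length
    The two thresholds are illustrative assumptions, not tuned values.
    """
    total = len(sources)
    if total < surge_factor * baseline:
        return {"verdict": "normal", "sources": len(set(sources)), "block": []}
    counts = Counter(sources)
    top_ip, top_hits = counts.most_common(1)[0]
    if top_hits / total >= dominant_share:
        # One address explains the surge: a single firewall rule removes it.
        return {"verdict": "single-source", "sources": len(counts), "block": [top_ip]}
    # The surge is spread thinly over many addresses, so per-IP blocking
    # removes little of it; only sources above the baseline are listed.
    heavy = [ip for ip, n in counts.items() if n > baseline]
    return {"verdict": "distributed", "sources": len(counts), "block": heavy}

def sample_windows():
    """Constructed traffic using documentation and private address ranges."""
    normal = [f"198.51.100.{i}" for i in range(20)]
    dos = ["203.0.113.7"] * 500 + normal
    ddos = [f"10.{i // 250}.{i % 250}.1" for i in range(600)] * 2
    return normal, dos, ddos

def run_samples(baseline=20):
    return [classify_window(w, baseline) for w in sample_windows()]
```

In the distributed case the block list comes back empty, which is the practical meaning of "can't block with only a firewall": no individual source stands out from normal visitors.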

Common types of DoS and DDoS attacks

Ping of death

Also known as an Internet Control Message Protocol (ICMP) flood attack, a ping of death attack uses misconfigured network devices to send spoofed packets to every computer on a targeted network. Because the spoofed packets are not properly formatted, they cause computers to crash after receiving them.

UDP flood

User Datagram Protocol (UDP) packets are like carrier pigeons. Normally, each pigeon carries a message addressed to someone in the neighborhood (or some port in the computer). However, in a UDP flood attack, the attacker sends a swarm of carrier pigeons (spoofed UDP packets) with messages to recipients who don’t exist. While attempting to handle the flood of spoofed packets, the target computer uses up all its resources and can no longer handle packets from legitimate users.

Ping flood

Similar to a UDP flood, a ping flood involves an attacker flooding a target computer with ICMP packets. The goal is to send ping packets as quickly as possible without waiting for a response. This then renders the target computer unreachable via brute force.

SYN flood

This involves attackers sending SYN requests to a targeted computer, which then replies with a SYN-ACK response. At this point, the computer expects an ACK response. However, in a SYN attack, no response is sent at all. The increasing pile of SYN messages ties up the resources on the computer, making it impossible for legitimate devices to establish a connection.
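The resource being exhausted above is the state the server keeps for each unanswered SYN. SYN cookies, a standard mitigation, avoid keeping that state by encoding it in the sequence number of the SYN-ACK. The sketch below is an added, simplified example and not code from the original article: the function names, key, and bit layout are assumptions, and real implementations also encode TCP options such as the MSS.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-key"  # assumption: a real server uses a random, rotated key
TICK_SECONDS = 64                 # assumption: coarse clock so old cookies expire

def _cookie(src, sport, dst, dport, client_isn, tick):
    """8 bits of time counter + 24 bits of HMAC over the connection identity."""
    msg = f"{src}:{sport}>{dst}:{dport}".encode() + struct.pack("!IQ", client_isn, tick)
    mac24 = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return ((tick & 0xFF) << 24) | mac24

def make_syn_ack_isn(src, sport, dst, dport, client_isn, now):
    """Sequence number for the SYN-ACK. The server stores nothing for this SYN."""
    return _cookie(src, sport, dst, dport, client_isn, int(now) // TICK_SECONDS)

def ack_is_valid(src, sport, dst, dport, client_isn, ack_number, now):
    """Accept the final ACK only if it acknowledges a recent cookie + 1."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    current = int(now) // TICK_SECONDS
    for tick in (current, current - 1):  # this tick or the previous one
        if tick >= 0 and cookie == _cookie(src, sport, dst, dport, client_isn, tick):
            return True
    return False

def demo():
    """Constructed handshake values (documentation addresses)."""
    conn = ("198.51.100.4", 51000, "192.0.2.10", 443, 1000)
    isn = make_syn_ack_isn(*conn, now=6400)
    genuine = ack_is_valid(*conn, ack_number=(isn + 1) & 0xFFFFFFFF, now=6410)
    forged = ack_is_valid(*conn, ack_number=12345, now=6410)
    stale = ack_is_valid(*conn, ack_number=(isn + 1) & 0xFFFFFFFF,
                         now=6400 + 5 * TICK_SECONDS)
    return genuine, forged, stale
```

Because memory is only allocated once a valid ACK arrives, SYNs that are never answered cost the server a hash computation and nothing more.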

Slowloris

Named after the animal, slowloris is a hacking tool that sends incomplete HTTP requests to computers with no intention of actually completing them. The targeted computers will then keep connections open, thereby denying any legitimate incoming connection attempts.

HTTP flood

This is a high-volume attack that uses a flood of illegitimate HTTP requests, such as requests for webpage resources and POST requests submitting web forms. Once again, the sheer number of these requests overloads the computer or web applications, making them inoperable. This is generally achieved by using internet-connected devices that have been hijacked with the aid of malware or bots.

Zero-day attack

A zero-day attack occurs when hackers or malicious actors are able to exploit a critical security flaw before it can be rectified by a software developer. In other words, attackers seek to take advantage of vulnerabilities that have not been discovered yet.

Teardrop attack

A teardrop attack works by gradually sending data fragments to a target network. Once sent, an attempt is made to recompile the data fragments into their original state. If successful, the target system is overwhelmed by the recompiling process and eventually crashes.

How to prevent DoS and DDoS attacks

As with most things in cybersecurity, the best approach is to use a combination of proactive and reactive measures. Some planning, some defensive technologies, and proactive monitoring will give you the best chance of suffering the least amount of damage. Let’s go through the main things to consider.

For individuals: Use a VPN

A VPN download is the easiest solution for a home or small network. A VPN protects you by putting a server between you and the attacker. Because you are given a different IP address, it’s harder for someone to target you specifically—and yes, DoS or DDoS attacks tend to be directed toward a specific person or company. 

For companies:

Robust network architecture

Design your network with redundancy and resilience in mind. Use multiple, geographically dispersed servers, load balancers, and failover systems to distribute traffic evenly and maintain service continuity even under attack.

Anti-DDoS hardware and software 

Implement anti-DDoS hardware solutions and software that can detect abnormal traffic flows and filter out malicious traffic. These tools often include rate limiting, traffic shaping, and deep packet inspection to help mitigate attack impacts. These might not be feasible for you if you have a small infrastructure budget, but provide solid protection.

Upgrade bandwidth 

While not a stand-alone solution, having more bandwidth than you typically need can absorb higher traffic volumes during an attack. This is not foolproof but can be helpful when combined with other defensive strategies.

Response plan

Have a response plan in place that includes procedures for identifying, mitigating, and recovering from attacks. Ensure that all team members know their roles in this plan so you can react quickly and disrupt your users as little as possible.

Secure configuration

Ensure that all networked devices are securely configured to minimize vulnerabilities. This mostly means regularly updating and patching systems to fix security holes that could be exploited by attackers, but it also means reviewing your configurations regularly and after every update.

Cloud-based DDoS protection services

Leverage cloud-based DDoS protection services that can absorb and scrub large-scale attack traffic away from your network. These services can scale dynamically to handle unexpected surges in traffic and deal with attacks constantly, so they’re extremely prepared for this. One such service is Cloudflare, but there are many others.

Education and awareness

Educate your staff about the risks and signs of DoS and DDoS attacks. Regular training and awareness programs can help prevent accidental behaviors that might lead to vulnerabilities, and will also help you identify an attack quickly.

Simulate DoS attacks

You know what they say: Practice makes perfect! Running simulations can be a great way to train your staff how to recognize all the signs of a DoS as they happen, and further safeguard your systems from external threats.

Why do DoS and DDoS attacks occur?

Ransom

DoS or DDoS ransom attacks involve inundating a target’s system or website with requests to render them inaccessible. Once compromised, an attacker will demand a ransom to lift the attack. There is, however, no guarantee that everything will go back to normal once a ransom is paid.

Revenge

A current or former employee may harbor a grudge against you and undertake a DoS/DDoS attack to exact revenge.

Competition

Competitors in your market may resort to unethical tactics in an attempt to steer potential consumers away from your business—and this might mean making your website or service inaccessible via a DoS/DDoS attack.

Hacktivism

A portmanteau of hack and activism, hacktivism is the use of technology as a form of protest. In this context, attackers may disagree with you for corporate or political reasons. Hacktivism is usually directed towards governments or large corporations.


Pranks

DoS/DDoS attacks are easy to execute and can sometimes be performed purely for the amusement of the attackers.

Nation-state funded DDoS attacks

When carried out by well-funded actors, such as nation-states, DDoS attacks become almost impossible to defend against due to the scope of the attack. DDoS attacks pose a serious threat to freedom of speech online, as they are carried out in extrajudicial secrecy and without accountability.

For example, China has in the past repurposed its Great Firewall to initiate DDoS attacks against GitHub for hosting mirrors of newspaper articles. British spy agency GCHQ is also reported to have used DDoS attacks as retaliation against hacker groups Anonymous and LulzSec. These high-level types of attacks are referred to as “Advanced Persistent DoS Attacks.”

DDoS attacks can be executed for a variety of reasons. Sometimes their goal is purely political or an act of vengeance against a previous attack. Attacks can also be carried out for business reasons, for example, to “convince” the customers of a competitor to switch products.

A large and efficient DDoS attack can be expensive, so damage is often limited to just a few hours or days of outage, as the perpetrator cannot afford to sustain it any longer. Still, for a business, even this short time can have serious commercial implications.

Many attackers will use a DDoS attack for the purpose of extortion. Initially, a small attack is launched against a target, followed by a request for ransom. If the target does not pay, a larger DDoS attack usually follows, sometimes followed by another ransom request.

Paying the ransom, in this case, is not wise. Other attacks will soon follow (as everyone knows it will pay out). There are many potential attackers out there, so the promise of one group to “not attack” again is meaningless. Investing the capital in DDoS protection is much wiser.


Email bomb DoS attacks

DoS attacks can also be launched against those who do not operate a web service. For example, your email inbox can be the target of what is called an email bomb.

During an email bomb attack, a user will receive a large number of e-mails, some with massive attachments, others designed to trigger alerts on the user’s system. If the system, particularly the spam filter, is poorly configured, this can crash the email server or the client (e.g., Outlook) used to read the email. For the duration of the attack (and possibly longer), the e-mail service will be disrupted. It’s possible that all emails received during the attack are lost, or will take a long time to filter through to the user.

But DDoS attacks don’t just hit computers—they can make any online device unusable. One possible method to achieve this involves a fake online ad taken out in the name of the victim, for example for an absurdly cheap car in a big city. The resulting flood of emails and phone calls can be of great inconvenience to the victim. And as they are all non-automated messages from real people, they are very hard to defend against or block.

In extreme situations, getting a new email address or phone number can be the best choice for the victim. A well-configured and popular email provider, such as Google or Apple, will go a long way in defending against attacks, however.
