You are currently viewing DoS vs DDoS: Differences and methods of mitigation

DoS vs DDoS: Differences and methods of mitigation

For any website to work well, it is essential to ensure reliable connectivity and protect it from attacks and hacks. After all, hacker attacks, regardless of their type, result in one thing: the site’s failure or the substitution of a copy by intruders. Minimizing the damage caused by “man-made failures” will only work if the server administrator understands what kind of problem he is facing.
Today we are going to talk more about DoS and DDoS attacks.

What is a DoS attack?

DoS (Denial of Service) attack – literally “denial of service”. It is a type of attack in which rogue attackers attack to cause an overload of the service subsystem. In this case, the computer (or computers) is used to flood the server with TCP and UDP packets.


Characteristics of DoS attacks

  • Single attack. Malicious packets are sent from one network.
  • High visibility. Attempts to “takedown” a website can be found in the log files.
  • Ease of suppression. DoS attacks can be easily prevented by blocking the source. A system administrator or network filters can do this by analyzing the traffic.
The ease of coordinating DoS attacks means that they have become one of the most common cybersecurity threats facing modern organizations. DoS attacks are simple but were very effective in the 1990s. Now they have evolved into DDoS attacks and can cause devastating damage to the companies or individuals they target. A single attack can take an organization offline for days or even weeks.


A bit of history

The first successful DoS attack took place in 1974, when a 13-year-old schoolboy, David Dennis, caused an outage at the University of Illinois Computer Computing Laboratory terminals. He discovered a feature in which the EXT command caused the terminal to hang if it had no peripherals. He wrote a small program that sent an EXT command to all available machines and simultaneously hung 31 terminals.


What is a DDoS attack?

A DDoS (Distributed Denial of Service) attack is essentially the same as a DoS attack but launched from multiple machines on a single target host. The difficulty of defending against this type of attack depends on the number of devices from which traffic is sent, which is why this type of attack occupies a vital place in hackers’ arsenal.


A DDoS attack is more difficult to detect its source because the hacker uses an entire network of interconnected machines or bots. Traditionally, attacks are launched from virus-infected computers of ordinary users who have no idea they are unwitting accomplices to the crime. But not so long ago, a new way of doing this is by using IoT devices (smart kettles, coffee makers, hoovers and other appliances) to launch attacks. The point is that since smart gadgets have access to the Internet, it means they can participate in a DDoS attack.


These computers and appliances form a botnet – a single network controlled by the attacker, aka botmaster, from a master control server (C&C). Such a structure allows a hacker to coordinate attacks simultaneously from multiple systems that range in size from tens to millions of devices.


One prime example is the Mirai botnet; With its help, a large-scale DDoS attack on Dyn servers was organised back in 2016. Analysts note that the new worm now has a much wider arsenal of exploits – it directly attacks and infects PCs and smart equipment. In 2019, Mirai took over nearly 500,000 devices and damaged services such as Xbox Live and Spotify and websites like the BBC and Github.


Features of DDoS

  • Multi-threaded attack. The ability to attack a resource from multiple hosts means that the chances of a server being “taken down” are much higher than a DoS attack. If an attacker has hundreds, thousands, or even millions of bots on different hosts, even the most powerful and protected systems will not survive the attack.
  • Stealth. Malicious traffic from multiple hosts appears “alive” to security filters and administrators, making DDoS detection difficult. But if you remain vigilant and follow the advice we give at the end of this article, it’s still possible to detect an attack.
  • Difficult to suppress. Stopping a high-powered DDoS attack is extremely difficult. Difficulties may arise not only in suppressing an attack that has already been launched, but also in detecting the attack itself. The thing is that in order to stop a DoS-attack the administrator only needs to ban one IP-address. When it comes to DDoS, it can be as many as +100500 IP addresses, which is difficult to deal with promptly.

When was the first DDoS attack?

On 22 July 1999, the University of Minnesota server stopped responding. The admins analyzed the network traffic and realized that the university’s server was under attack like no one else had ever faced. Thus began the era of DDoS.


We conclude that the main differences between DoS and DDoS are…

…manifest themselves in the way they are technically implemented. DoS attacks come exclusively from a single source, whereas DDoS attacks are conducted from two or more hosts. A multi-threaded DDoS attack is much more difficult to detect because the requests look “live” and are less suspicious to the administrator. At the same time, DDoS attacks enable the hacker to send large volumes of traffic to the target network.
You could say all DDoS = DoS, but not all DoS = DDoS.

Why do DoS and DDoS attacks take place?

Attacks target corporate servers and websites, and much more rarely personal computers of individuals. The goal of such attacks is usually the same – to inflict economic harm on the victim while remaining in the shadows. In some cases, DoS and DDoS attacks are just a stage of hacking a server and aim to steal or destroy information. In essence, a victim of malicious attackers can be a business or a site belonging to anyone.


There is a myriad of reasons why attackers take a business offline. For example:
  • Extortion is one common reason for an attack. After a successful hacking attempt, attackers will demand a ransom to stop the attack and get the site back online. But of course, giving money to hackers is not worth it – when there is no guarantee that your website will be restored.
  • Unfair competition. By shutting down your corporate network, competitors are trying to steal your customers from you.
  • Entertainment – young programmers launch attacks to show off to their friends, acquaintances and colleagues.
  • Personal, political animosity. The motive here is either disagreement with company policy.
  • Personal resentment from disgruntled employees who quit or are still working but are willing to disrespect their employer cannot be ruled out either.

Types of DDoS Attacks

HTTP floods – multiple regular or encrypted HTTP requests are sent to the attacked server, which floods the communication nodes.

ICMP floods – the victim host machine is overloaded with service requests to which it is obliged to give echo replies.

SYN floods – use one of the basic mechanisms of the TCP protocol (the algorithm “request-response”: SYN packet – SYN-ACK packet – ACK packet). The victim site receives a wave of fake SYN requests without a response. The channel is flooded with a queue of TCP connections from outgoing connections requesting their ACK packet.

UDP flood – victim’s host ports are flooded with UDP packets, and responses to these packets overload network resources.

MAC floods – network ports are flooded with streams of “empty” packets with different MAC addresses

Ping of Death – mass ICMP packets of large length are sent to the victim’s computer, resulting in a buffer overflow.

DNS spoofing – spoofing the IP address in the server cache redirects the user to a fake page. Once redirected, the attacker gains access to the user’s data.

Examples of major attacks

The first severe attack took place in 2000. The victims were the servers and websites of eBay, Amazon, CNN and Yahoo. Created by a 16-year-old enthusiastic hacker, the malicious algorithm called Sinkhole flooded the victims’ machines and brought them down.
In 2013, a conflict between Dutch hosting provider Cyberbunker and Spamhaus (an organisation that lists spammers) led to the former launching an attack on the latter. CDN Cloudflare took the first hit; then, the malicious traffic switched to its providers. The channel load was 300 Gbps.
Another example is the DDoS attack on Dyn (a domain provider), which took place in October 2016. We already mentioned this attack when talking about the Mirai botnet. Its power was one terabit per second and, according to some reports, could have been as high as 1.5 terabits per second – another “record” for the industry. Dyn’s services were shut down due to severe pressure and many well-known websites, including GitHub, HBO, Twitter, Reddit, PayPal, Netflix, and Airbnb.


How do I know if my site is under attack?

If an attacker has succeeded in achieving their goal and “taking down” a server, it is impossible not to notice the attack. But there are some “red flags” that can help a sysadmin understand that a site is in danger. For example:
  • Unnatural behaviour of the server applications or operating system (freezes, crashes and so on).
  • Sudden increase of CPU, RAM and storage load compared to the initial level.
  • Traffic increase on one or more ports.
  • Multiple client requests to the same resources. This can be opening one page or downloading the same file.
  • Analysis of server, firewall and network device logs shows many uniform requests from different addresses, often directed to a specific port or service. Mainly if the site is targeted at a narrow audience (e.g. Dutch-speaking) and requests come from worldwide.

Is there prevention against such attacks?

Unfortunately, there is no one-size-fits-all way of dealing with scammers. But if you follow the recommendations and remain vigilant, you can keep yourself safe.
For example, the most effective way to protect against DDoS attacks is to filter suspicious network activity at the hosting or ISP level. It may be implemented using both network routers and special equipment.
Maintain version control of software and network services – you need to update your network services software in a timely manner.
Choose your hosting provider carefully. Choose a provider that guarantees protection from all modern threats. For example, at ArkHost DDoS protection is connected to hosting services (Shared Hosting), virtual servers (VPS) and virtual dedicated servers automatically for all users.
Use the application firewall and automate the inspection of network traffic and validation requests to server ports and services.
Distribute traffic using CDNs to speed up traffic and requests through distributed content storage.
Don’t forget the load balancer – if there is a suspicious load, the software detects the least busy server and sends the client to it.
In addition, it is desirable to have a clear plan of action in case the site crashes. It may include measures for the prompt connection of another server, reconfiguring DNS-hosts and so on.
And, of course, remain vigilant.
We hope that our post will help protect your infrastructure from attacks. We are always ready to share our useful experiences!
Read our articles on “Security”, where our leading ArkHost experts share their helpful tips and choose a reliable hosting with built-in protection against DDoS attacks.

How to prevent a DDoS attack

Filtering traffic based on content, IP addresses, and other parameters is considered the main way to protect it. There are two approaches to doing this:

  • Using a server and software of your own. This way you can control your infrastructure, and customize it to your needs.
  • Utilizing the anti-DDoS service. Thus, the company saves on equipment purchase and maintenance costs as well as IT specialists’ salaries. Protection issues are handled by a third-party organization.

The second method has been in demand on the market for five years. It is easier for companies to pay a fixed amount for protection with the ability to connect and disconnect additional anti-DDoS services.

Keep in mind that attacks often exploit vulnerabilities in an organization’s IT infrastructure. Therefore, it is important to regularly update all software components. It is also worth checking the ability of the corporate site and IT services to work even under a high load.

By collaborating with cloud providers, companies can get a comprehensive solution to protect their IT infrastructure, web applications, and online services from any type of DDoS attack. The providers use more powerful equipment and software technology solutions. Also, they have extensive experience in handling attacks and can quickly regain control of the situation to create conditions in which the load does not affect the availability of infrastructure, applications, and services.

Get your own Cloud Server(s) at ArkHost. With datacenter DDOS protection for your services.