DoS Attack vs DDoS Attack
A denial of service (DoS) attack is a cyberattack aimed at impacting the availability of a target system. An attacker uses a single source to flood a target system with requests, overwhelming the system (a service, server, or network) and rendering it incapable of processing requests - resulting in a denial of service to legitimate users.
A Distributed Denial of Service (DDoS) attack is a type of DoS attack. It involves attacker(s) using many compromised sources at once, which lets them generate traffic at a scale and from a spread of addresses that a single source could not. These distributed sources typically form a botnet - a network of computers (or IoT devices) infected with malicious software and controlled as a group.
What is the difference between a DoS attack and a DDoS attack?
A DDoS attack is a type of DoS attack. Their key difference is that a DoS attack stems from a single source / IP address, while a DDoS attack, as its name implies, is distributed: it originates from numerous sources / IP addresses.
A DDoS attack, by using numerous compromised devices, can intensify the attack and make it harder for the target to recover and defend against the attack.
What are the different types of DDoS attacks?
You can group DDoS attacks based on the targeted Open Systems Interconnection (OSI) layer. Most commonly, attacks happen at the Network (OSI layer 3), Transport (OSI layer 4), and Application (OSI layer 7) layers.
Layer 3/4 DDoS Attacks
Layer 3/4 DDoS attacks occur at the infrastructure layer of a target system. Layer 3 is the network layer, responsible for routing: deciding which path packets take through the network (IP). Layer 4 is the transport layer, which provides data transfer between hosts; the Transmission Control Protocol (TCP) adds reliable, ordered delivery on top of it, while UDP does not.
DDoS attacks at layers 3 and 4 work by sending massive amounts of traffic to the target in an effort to exhaust either the network's available bandwidth or the per-connection state (connection tables, half-open TCP handshakes) that devices in the path must keep.
Common attacks at layers 3 and 4 include UDP floods, SYN floods, and Internet Control Message Protocol (ICMP) floods.
Layer 7 attacks
Layer 7 DDoS attacks target the application layer. They need far less bandwidth than layer 3/4 floods because each request looks like a legitimate one, so distinguishing attack traffic from real users is harder and mitigation takes more analysis and more resources.
Layer 7 DDoS attacks target the most expensive parts of an application in order to exhaust its server-side resources (CPU, database connections, worker threads). A common example is flooding an application's login page with requests, or hitting an exposed API with a costly search query over and over. Remediating these attacks can be very costly for a business.
What advantage does a DDoS attack have for attackers?
The distributed nature of a DDoS attack helps a bad actor achieve their aims, making it a popular choice for crippling a target system. A DDoS attack tends to succeed because:
By its distributed nature, a DDoS attack can be difficult to pinpoint: with efforts stemming from various attacking systems, it can take time and resources for orgs to identify the source of an attack and stop it.
With more attacking systems in play, the scale and impact of an attack can be greater.
Once a source (or sources) of an attack are identified, it can take time and effort to shut down the attack source(s), meaning more time for the attack to carry on.
Hidden behind many attack sources and locations, the party or parties responsible for the attack can be very difficult to identify, making it easier for bad actors to hide.
What are the different categories of DoS attack?
Volumetric Attacks
The overarching goal of volumetric attacks is to overload the target's bandwidth and resources via a flood of traffic into its network. When a volumetric attack is carried out from multiple attacking systems, it is a distributed volumetric attack: a volumetric DDoS attack.
Examples of volumetric attacks include ICMP floods, UDP floods and DNS amplification attacks (where small spoofed queries to open resolvers produce much larger responses aimed at the victim). SYN floods are often grouped with them, although strictly they exhaust a server's half-open connection state rather than its bandwidth, and HTTP floods are more precisely application layer attacks, covered below.
Application Layer Attacks
The goal of application layer attacks is to target specific elements of a target's systems: particular applications or services running on the target's servers. These attacks exploit expensive code paths or weaknesses within the application and rely on the target's inability to quickly tell malicious requests from legitimate ones. Again, when performed from multiple attacking systems, they are classified as a DDoS application layer attack.
Examples of application layer attacks include HTTP floods against login or search endpoints, HTTP/2 CONTINUATION floods, and encrypted (HTTPS) floods, which additionally force the server to spend CPU on TLS before it can even inspect the request.
How can you protect yourself against DoS and DDoS attacks?
There are several measures you should put in place to ensure your systems and applications are protected against DoS and DDoS attacks. A separate article offers a more in-depth look at defending against DDoS attacks.
Gather an understanding of your traffic patterns
Organizations should establish a 'traffic profile' that defines what 'normal' and 'good' traffic looks like across their network: typical request rates per client, per endpoint and in aggregate, and the geographies, protocols and user agents you expect. With this 'normal' defined, you can write traffic rules that accept what matches the profile and rate-limit or block what falls outside it.
Rate limiting (such as Fastly's) provides a baseline; with it in place, you can add more advanced detection that admits traffic only after validating additional variables. Bear in mind that a purely per-IP limit is tuned for single-source DoS: in a DDoS, each bot can stay under the per-IP threshold while the aggregate still overwhelms you, so compare total request rates against your baseline as well.
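To make the traffic-profile idea concrete, here is an added example that is not Fastly's code or part of this page: a per-client sliding-window rate limiter, weighted so that costly layer-7 endpoints (login, search) consume more of a client's budget, plus an aggregate request-rate check against an assumed baseline. Run over constructed access-log lines, it shows why the per-IP rule stops a single-source DoS but misses a DDoS in which every bot stays under the limit, and why the aggregate check catches that case. The log format, IP ranges, endpoint costs, thresholds and traffic volumes are all assumptions for illustration.

```python
# Added example (not Fastly's code): per-IP sliding-window rate limiting with
# endpoint cost weighting, plus an aggregate request-rate baseline check.
# Log format, IP ranges, costs and thresholds are constructed/assumed.
from collections import defaultdict, deque
import re

# Constructed, simplified access-log format: "<unix_ts> <client_ip> <method> <path> <status>"
LOG_LINE = re.compile(r"^(\d+(?:\.\d+)?) (\S+) (\S+) (\S+) (\d{3})$")

# Assumed request costs: expensive layer-7 endpoints burn more of a client's
# budget, so a small flood of costly requests trips the limit sooner.
COST = {"/login": 5, "/api/search": 10}
DEFAULT_COST = 1


def parse(line):
    """Parse one log line into (ts, ip, method, path, status), or None if malformed."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    return float(ts), ip, method, path.split("?", 1)[0], int(status)


class SlidingWindowLimiter:
    """Per-key limiter: allow at most `limit` cost units in any `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)  # key -> deque of (ts, cost), oldest first
        self.used = defaultdict(int)      # key -> cost currently inside the window

    def allow(self, key, ts, cost=1):
        q = self.events[key]
        while q and q[0][0] <= ts - self.window:   # expire events that left the window
            self.used[key] -= q.popleft()[1]
        if self.used[key] + cost > self.limit:
            return False                            # over budget: block this request
        q.append((ts, cost))
        self.used[key] += cost
        return True


def analyze(lines, per_ip_limit=50, window=10.0, baseline_rps=5.0, burst_factor=3.0):
    """Replay time-ordered log lines.

    Returns (blocked requests per IP, peak aggregate requests/s, aggregate alert).
    The aggregate check flags traffic whose peak rate over any `window` exceeds
    burst_factor x the assumed 'normal' baseline, however many sources it has.
    """
    limiter = SlidingWindowLimiter(per_ip_limit, window)
    blocked = defaultdict(int)
    recent = deque()   # timestamps of all arrivals inside the current window
    peak = 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, _method, path, _status = rec
        if not limiter.allow(ip, ts, COST.get(path, DEFAULT_COST)):
            blocked[ip] += 1
        recent.append(ts)
        while recent and recent[0] <= ts - window:
            recent.popleft()
        peak = max(peak, len(recent))
    peak_rps = peak / window
    return dict(blocked), peak_rps, peak_rps > baseline_rps * burst_factor


def make_log(n_sources, per_source, path="/", span=10.0, t0=1_700_000_000.0):
    """Constructed traffic: n_sources client IPs each send per_source requests over span seconds."""
    events = []
    for i in range(n_sources):
        ip = f"10.0.{i // 254}.{i % 254 + 1}"          # assumed client addresses
        for k in range(per_source):
            # spread each client's requests over the span and interleave clients
            ts = t0 + span * k / per_source + i * span / (per_source * n_sources)
            events.append((ts, f"{ts:.4f} {ip} GET {path} 200"))
    return [line for _, line in sorted(events)]


if __name__ == "__main__":
    scenarios = {
        "single-source DoS: 1 IP, 300 requests / 10 s": make_log(1, 300),
        "DDoS: 200 IPs x 20 requests each / 10 s": make_log(200, 20),
        "layer-7 abuse: 1 IP, 8 costly /api/search hits / 10 s": make_log(1, 8, "/api/search"),
    }
    for name, log in scenarios.items():
        blocked, rps, alert = analyze(log)
        print(f"{name}\n  blocked per IP: {blocked or 'none'}  peak {rps:.1f} rps  aggregate alert: {alert}")
```

In the first scenario the per-IP limiter blocks 250 of the 300 requests and the aggregate check also fires; in the second, no single IP ever exceeds its budget, so only the aggregate check (400 rps against an assumed 5 rps baseline) reveals the attack; in the third, eight requests to a costly endpoint from one client are enough to trip the weighted per-IP limit while the aggregate rate stays far below anything a volume-based check would notice. The limiter assumes log lines arrive in timestamp order; in a real deployment the same logic would run at the edge or in a reverse proxy rather than over a log replay.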
Limit your organization’s exposure
A simple way to limit DDoS attacks is to shrink the available attack surface, making it harder for attackers to find an easy target. Areas of investigation should include limiting exposure of hosts, ports and protocols, and of any applications you do not expect to receive traffic from the internet. You can achieve this by placing your infrastructure behind a proxy Content Delivery Network (CDN): with the CDN as the only public entry point, you can restrict which parts of your infrastructure internet traffic can reach at all. Firewalls or Access Control Lists (ACLs) can further restrict which sources may reach specific applications.
Use an application-based firewall
A Web Application Firewall (WAF) like Fastly's can help protect you against OWASP Top 10 attacks. This then allows you to focus on your custom traffic profile (mentioned above) and use it to shield against additional invalid requests that target your systems. A WAF is also helpful in mitigating attacks since it allows you to leverage experienced support to study your traffic and create custom-tailored protection for your applications. Note that a WAF inspects requests at layer 7; it does not by itself absorb volumetric layer 3/4 floods, which need upstream network capacity or scrubbing in front of it.
Increase scale, by design
In addition to the above efforts, you can increase your bandwidth capacity and/or server capacity to help absorb and mitigate attacks - essentially increasing your system's ability to be bombarded with requests and still remain operational. A common practice is to use load balancing to continually monitor and shift load between available resources so that no single point is overloaded.
Tools like Fastly’s DDoS protection deploy rapidly and immediately protect against application DDoS attacks. Leveraging our network’s massive bandwidth and adaptive techniques, Fastly DDoS Protection automatically keeps you performant and available without any required configuration.