“I support freedom of expression, no matter whose, so I oppose DDoS attacks regardless of their target… they’re the poison gas of cyberspace.”
– John Perry Barlow
Definitions:
A Denial-of-Service (DoS) attack is a malicious attempt to disrupt the availability of a service or resource by overwhelming it with illegitimate traffic or requests, typically from a single source. In a classic DoS scenario, one host (or a single attacker) sends a flood of packets or exploits a vulnerability to exhaust the target’s network bandwidth, CPU, memory, or other resources, thereby denying service to legitimate users.
Distributed Denial-of-Service (DDoS) attack is essentially a large-scale DoS attack launched simultaneously from multiple compromised machines (hence “distributed”) to overwhelm the target. In a DDoS, an attacker typically controls a network of zombie hosts (a botnet) which collectively send traffic or requests to the victim, amplifying the attack power far beyond a single machine’s capacity.
Differences:
- Number of Attack Sources: A DoS attack comes from one host or a small group under one attacker’s control. A DDoS attack involves many distributed sources, often hundreds or thousands, acting together.
- Scale and Impact: DDoS attacks generate much more traffic than a DoS. They can overwhelm high-bandwidth connections and large server clusters.
- Attack Complexity: DDoS attacks often use several tactics at once. Attackers first infect devices with malware to build a botnet. Then they control these bots through command servers and launch a coordinated attack.
- Attribution and Evasion: DDoS traffic comes from many unrelated IPs. These are often spoofed or from infected devices like IoT gadgets and servers. This makes traceback hard. DoS attacks are easier to trace and block, though attackers may still spoof their IPs or use anonymity networks. Some DDoS attackers rent botnets through “booter” services.
- Mitigation Difficulty: A DoS attack may be stopped by blocking one IP. A DDoS attack is harder to stop. It requires advanced tools to filter traffic from many sources. These include DDoS protection systems, scrubbing centers, or content delivery networks. Smarter tools like traffic anomaly detection or challenge-response checks help separate attack traffic from real users.
Despite these differences, a DDoS is still a type of DoS. The goal is the same: to deny access to a service. DDoS attacks use many machines to boost traffic and make defense harder. Both rely on the imbalance in resource cost. It’s cheap for attackers to flood a system, but expensive for the target to manage the load.
Common DoS and DDoS Attacks:
Over the years, attackers have developed numerous tools to automate DoS and DDoS attacks. These range from simple single-host scripts to complex distributed botnet frameworks. Table 1 summarizes some well-known attacks, the typical OSI layer or protocol they target, and a brief description:
| Category | Attack Name | Datasets | Target Layer / Protocol | Brief Description |
|---|---|---|---|---|
| TCP | TCP SYN Flood | CICIDS2017, CSECICIDS2018, CICDDoS2019, EdgeIIoTset | L4 / TCP | Floods server with SYN packets, exhausting connection queue. |
| Generic TCP Flood | CICIDS2017, CSECICIDS2018, CICDDoS2019, BotIoT | L4 / TCP | High-rate TCP traffic (mixed flags) saturates server handling. | |
| Teardrop (Fragment) | KDD99, UNSWNB15, CSECICIDS2018 | L3 / IP | Overlapping IP fragments disrupt packet reassembly. | |
| UDP | UDP Flood | CICIDS2017, CSECICIDS2018, CICDDoS2019, EdgeIIoTset | L4 / UDP | High-volume UDP packets overwhelm target with responses. |
| UDP-Lag | CICDDoS2019 | L4 / UDP | Slow-rate packets keep resources engaged without detection. | |
| NetBIOS Flood | CICDDoS2019 | L4 / NetBIOS-NS | Spoofed NetBIOS queries generate amplified traffic to victim. | |
| Portmap Amplification | CICDDoS2019 | L7 / RPC | Exploits RPCbind to amplify traffic toward target. | |
| SNMP Amplification | CICDDoS2019 | L7 / SNMP | Massive SNMP replies reflect to victim using spoofed requests. | |
| ICMP | Ping Flood | UNSWNB15, CICIDS2017, CSECICIDS2018, CICDDoS2019, EdgeIIoTset | L3 / ICMP | Excessive Echo Requests saturate target’s reply bandwidth. |
| Smurf Attack | KDD99, CICDDoS2019, CSECICIDS2018 | L3 / ICMP (Broadcast) | Broadcast ICMP with spoofed source reflects large reply sets. | |
| Ping of Death | KDD99, CSECICIDS2018 | L3 / ICMP | Malformed or oversized ICMP packets cause crashes. | |
| HTTP | HTTP GET/POST Flood | CICIDS2017, CSECICIDS2018, EdgeIIoTset | L7 / HTTP | Massive number of requests exhaust server-side threads. |
| WebDDoS (ARME) | CICDDoS2019 (on the official website only, but not in the downloaded dataset) | L7 / HTTP | Randomized HTTP traffic evades caching and overloads servers. | |
| Slowloris (Headers) | UNSWNB15, CSECICIDS2018 | L7 / HTTP | Slow headers keep HTTP connections open indefinitely. | |
| Slow POST (R.U.D.Y.) | CSECICIDS2018 | L7 / HTTP | Slow POST bodies occupy server threads with long-lived connections. | |
| Slow Read | UTSA-LowRate-DoS, CSECICIDS2018 | L7 / HTTP | Tiny advertised TCP windows stall server-side sending. | |
| Slow HTTP Test | CSECICIDS2018 | L7 / HTTP | Combined slow attack types simulating realistic HTTP traffic. | |
| DNS Amplification | CICDDoS2019, CSECICIDS2018 | L7 / DNS | Open resolvers reflect large responses to spoofed DNS queries. | |
| HULK (HTTP Unbearable Load King) | CSECICIDS2018 | L7 / HTTP | High‑rate obfuscated HTTP GET flood that evades caching and hits direct server resources. | |
| GoldenEye | CSECICIDS2018 | L7 / HTTP | Layer‑7 HTTP flood using persistent connections (Keep‑Alive) to exhaust sockets. | |
| Others | NTP Amplification | CICDDoS2019 | L7 / NTP | Spoofed monlist or read requests yield large amplified replies. |
| SSDP Amplification | CICDDoS2019 | L7 / SSDP | M-SEARCH queries trigger device responses reflected toward victim. | |
| LDAP Amplification | CICDDoS2019, CSECICIDS2018 | L7 / LDAP | Spoofed CLDAP requests return large directory responses to victim. | |
| MSSQL Amplification | CICDDoS2019 | L7 / MSSQL | SQL Resolution Service reflection yields large UDP responses. | |
| TFTP Amplification | CICDDoS2019 | L7 / TFTP | TFTP requests to misconfigured servers can generate amplified responses (~ 60×). |
