DOS (Denial of Service), DDoS (Distributed Denial of Service), and DRDoS (Distributed Reflection Denial of Service) are all types of cyberattacks designed to overwhelm and disrupt the normal operation of a target system, network, or service. They vary in how they execute the attack, the tools involved, and the scale of the disruption.
1. DOS (Denial of Service)
Definition:
A Denial of Service (DOS) attack is an attempt to make a computer, service, or network resource unavailable to its intended users by overwhelming it with a flood of traffic or other malicious activities.
How It Works:
- A single attacker sends an overwhelming amount of traffic to the target system, typically consuming all of its resources (e.g., memory, CPU, or network bandwidth), so that it can no longer function properly.
- The attacker does not have to compromise the target system; they simply disrupt its availability.
Common Types of DOS Attacks:
- Flood Attack: The attacker sends a large volume of traffic, such as HTTP requests, to overwhelm the target server.
- SYN Flood: The attacker sends TCP SYN segments (the first step of the three-way handshake) without ever completing the handshake, so the target reserves resources for each half-open connection until its backlog is exhausted.
- Ping of Death: An oversized or malformed ping (ICMP) packet is sent to the target system, exploiting the fact that the target cannot properly handle such packets.
Example:
- Ping Flood: An attacker could send continuous "ping" requests to a target machine, attempting to exhaust its resources and causing the target to slow down or become unresponsive.
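The SYN flood described above is visible on the defender's side as a growing backlog of half-open connections. The following added example (not part of the original article) tracks that backlog from a constructed, hypothetical stream of handshake events and raises an alert on two signals: a single source holding too many half-open connections, and the total backlog exceeding a threshold, which matters because real floods often use forged source addresses so that no single address stands out. The event tuples and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample of TCP handshake events as seen on the server, not real
# traffic: (timestamp in seconds, client ip, flag). Two clients complete the
# handshake; one source sends 200 SYNs and never sends the final ACK.
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", "SYN"), (0.1, "10.0.0.5", "ACK"),
    (0.2, "10.0.0.6", "SYN"), (0.3, "10.0.0.6", "ACK"),
] + [(1.0 + i * 0.01, "198.51.100.7", "SYN") for i in range(200)]


def syn_backlog(events):
    """Return {client_ip: half_open_count} for SYNs never completed by an ACK
    from the same client. Each ACK retires one outstanding SYN."""
    pending = defaultdict(int)
    for _ts, ip, flag in events:
        if flag == "SYN":
            pending[ip] += 1
        elif flag == "ACK" and pending[ip] > 0:
            pending[ip] -= 1
    return {ip: n for ip, n in pending.items() if n > 0}


def detect_syn_flood(events, per_source_threshold=50, backlog_threshold=100):
    """Flag a SYN flood on either of two signals: one source holding too many
    half-open connections, or the total backlog exceeding what the listen
    queue can absorb. The second signal also catches floods from spoofed
    sources, where no single address exceeds the per-source threshold."""
    backlog = syn_backlog(events)
    total = sum(backlog.values())
    noisy_sources = sorted(ip for ip, n in backlog.items() if n >= per_source_threshold)
    return {
        "flood": total >= backlog_threshold or bool(noisy_sources),
        "total_half_open": total,
        "noisy_sources": noisy_sources,
    }


if __name__ == "__main__":
    print(detect_syn_flood(SAMPLE_EVENTS))
```

On the constructed input the two well-behaved clients leave no half-open entries, while the flooding source leaves 200, which trips both thresholds. A production version would additionally age entries out after the kernel's SYN retransmission timeout, since a legitimate client on a lossy link can also leave a SYN briefly unanswered.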
2. DDoS (Distributed Denial of Service)
Definition:
A Distributed Denial of Service (DDoS) attack is a more advanced and powerful version of a DoS attack. It involves multiple computers (often distributed around the world), sometimes controlled by a botnet, working together to send traffic or perform actions to overwhelm and disable the target system.
How It Works:
- In a DDoS attack, the malicious traffic is sent from numerous different sources, making it much harder to block since the attack is distributed across many machines.
- The attacker often exploits vulnerable devices to create a botnet, a network of infected machines, which are then used to flood the target with traffic.
Common Types of DDoS Attacks:
- Volume-Based Attacks: These rely on saturating the target's bandwidth by flooding it with high volumes of data.
  - Example: UDP Flood, ICMP Flood.
- Protocol Attacks: These exploit weaknesses in layer 3 and layer 4 protocols of the OSI model, exhausting the resources of network infrastructure such as firewalls and load balancers.
  - Example: SYN Flood.
- Application Layer Attacks: These target the application layer (Layer 7) by sending requests that look legitimate but overwhelm the server.
  - Example: HTTP Flood, Slowloris.
Example:
- Botnet Attack: An attacker could infect thousands of computers (forming a botnet) and direct all these infected devices to send requests to a website simultaneously. The website becomes overloaded and crashes.
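The point that a distributed flood is "much harder to block" is easiest to see in the logs: each bot stays under any sensible per-source limit, so a rate limiter keyed on client address never fires. The following added example (not part of the original article) builds a constructed, hypothetical set of Common Log Format access-log lines in which 300 distinct addresses each request `/login` five times inside one 10-second window, and shows that a per-source threshold misses the flood while an aggregate per-path threshold catches it. The log template, addresses, window size and limits are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines in Common Log Format (not taken from any real
# server). Three normal clients fetch "/" once each; 300 distinct addresses each
# request /login five times inside one 10-second window, the shape of a botnet
# HTTP flood in which no single source is individually loud.
LOG_TEMPLATE = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'
START = datetime(2024, 1, 1, 12, 0, 0)


def _log_line(ip, offset_s, path):
    ts = (START + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S +0000")
    return LOG_TEMPLATE.format(ip=ip, ts=ts, path=path)


SAMPLE_LOG = [_log_line(f"10.0.0.{i}", i * 3, "/") for i in range(1, 4)]
for bot in range(300):
    bot_ip = f"10.20.{bot // 250}.{bot % 250 + 1}"
    SAMPLE_LOG += [_log_line(bot_ip, 30 + (bot % 10), "/login") for _ in range(5)]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)


def parse_log(lines):
    """Yield (datetime, ip, path) for each line that matches CLF; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"], m["path"])


def detect_http_flood(lines, window_s=10, per_ip_limit=100, per_path_limit=500):
    """Bucket requests into fixed windows and apply two thresholds: a per-source
    limit (catches a single-origin DoS) and an aggregate per-path limit (catches
    a distributed flood whose sources each stay under the per-source limit)."""
    per_ip = defaultdict(Counter)    # window -> Counter(ip)
    per_path = defaultdict(Counter)  # window -> Counter(path)
    for ts, ip, path in parse_log(lines):
        window = int(ts.timestamp()) // window_s
        per_ip[window][ip] += 1
        per_path[window][path] += 1
    loud_sources = sorted({ip for c in per_ip.values() for ip, n in c.items() if n > per_ip_limit})
    flooded_paths = sorted({p for c in per_path.values() for p, n in c.items() if n > per_path_limit})
    max_distinct = max((len(c) for c in per_ip.values()), default=0)
    return {
        "loud_sources": loud_sources,
        "flooded_paths": flooded_paths,
        "max_distinct_sources_per_window": max_distinct,
    }


if __name__ == "__main__":
    print(detect_http_flood(SAMPLE_LOG))
```

The result lists no loud sources but does list `/login` as flooded, with 300 distinct addresses active in the same window. That combination (aggregate rate high, per-source rate low, source count high) is the signature a defender looks for before escalating to upstream or scrubbing-provider mitigation rather than local per-IP blocking.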
3. DRDoS (Distributed Reflection Denial of Service)
Definition:
A Distributed Reflection Denial of Service (DRDoS) attack is a type of DDoS attack where the attacker sends requests to third-party servers, which in turn send a flood of traffic to the target, making it appear as though the attack is coming from those third-party servers.
How It Works:
- The attacker sends a request to an open server (such as a DNS server, NTP server, or others) with the target's IP address spoofed as the source address.
- The third-party server responds to the request, sending a much larger response to the target than the initial request.
- Because the traffic is reflected through legitimate servers, it is much harder for the target or security systems to identify and filter out the malicious traffic.
Common DRDoS Techniques:
- DNS Amplification: The attacker sends small DNS queries with the target's IP address as the source. The DNS server responds with a much larger response.
- NTP Amplification: Similar to DNS, but using NTP servers to amplify the attack.
Example:
- DNS Amplification Attack: An attacker could send a DNS query to an open DNS resolver with the victim's IP address as the source. The DNS resolver would send a much larger response to the victim, flooding them with traffic.
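Reflected traffic has one property a defender can key on: the victim never sent the query, so every reflected DNS response arrives unsolicited. The following added example (not part of the original article) works through a constructed, hypothetical set of UDP packet records observed at the victim's network edge, separates solicited responses (a matching query left the network first) from unsolicited ones, totals the unsolicited bytes per reflecting server, and computes the bandwidth amplification factor the article describes. Matching on server address and local port alone is a simplification made here; a real implementation would also compare the DNS transaction ID. The record format, addresses and threshold are assumptions.

```python
from collections import Counter

# Constructed UDP packet records as observed at the victim's network edge (not
# a real capture): (direction, remote_ip, remote_port, local_port, bytes).
# "out" = packet leaving our network, "in" = packet arriving at it.
# One legitimate 60-byte query gets a 200-byte answer; two open resolvers then
# deliver 50 unsolicited 3000-byte responses each, i.e. reflected traffic.
SAMPLE_PACKETS = [
    ("out", "10.0.0.53", 53, 40001, 60),
    ("in", "10.0.0.53", 53, 40001, 200),
] + [("in", "203.0.113.5", 53, 33000 + i, 3000) for i in range(50)] \
  + [("in", "203.0.113.9", 53, 34000 + i, 3000) for i in range(50)]


def classify_dns_responses(packets):
    """Split inbound responses from UDP/53 into solicited (a query to the same
    server from the same local port left the network first) and unsolicited.
    Reflected traffic is unsolicited by construction: the attacker sent the
    query with our address forged as the source, so we never saw it leave."""
    pending = set()
    solicited, unsolicited = [], []
    for direction, remote_ip, remote_port, local_port, size in packets:
        if remote_port != 53:
            continue  # only DNS traffic is of interest here
        key = (remote_ip, local_port)
        if direction == "out":
            pending.add(key)
        elif key in pending:
            pending.discard(key)
            solicited.append((remote_ip, size))
        else:
            unsolicited.append((remote_ip, size))
    return solicited, unsolicited


def reflection_report(packets, min_unsolicited_bytes=10_000):
    """Total unsolicited DNS response bytes per server and list the servers
    above the threshold; that list is what an edge filter or the upstream
    provider needs in order to drop the reflected traffic."""
    _, unsolicited = classify_dns_responses(packets)
    per_server = Counter()
    for ip, size in unsolicited:
        per_server[ip] += size
    reflectors = sorted(ip for ip, b in per_server.items() if b >= min_unsolicited_bytes)
    return {"unsolicited_bytes": sum(per_server.values()), "reflectors": reflectors}


def amplification_factor(query_bytes, response_bytes):
    """Bandwidth amplification factor: bytes the reflector emits toward the
    victim for every byte the attacker had to send."""
    return response_bytes / query_bytes


if __name__ == "__main__":
    print(reflection_report(SAMPLE_PACKETS))
    print("amplification:", amplification_factor(60, 3000))
```

On the constructed input the one legitimate answer is classified as solicited, the 100 reflected responses (300,000 bytes) are unsolicited, and both open resolvers are reported as reflectors. The amplification factor of 50 for a 60-byte query answered with 3,000 bytes illustrates why the article calls the response "much larger" than the request: the reflector, not the attacker, supplies almost all of the bandwidth that reaches the victim.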
Key Differences Between DOS, DDoS, and DRDoS
| Aspect | DOS | DDoS | DRDoS |
|---|---|---|---|
| Source of Attack | One attacker or system | Multiple attackers or systems | Third-party systems used to reflect traffic |
| Scale | Limited, from a single source | Large-scale, distributed attack | Can be very large, utilizing multiple amplifying servers |
| Targeting | Targeting a specific system | Targeting a specific system or service | Reflecting attack traffic via third-party servers to overwhelm the target |
| Detection | Easier to detect (single source) | Harder to detect (multiple sources) | Harder to detect (reflected traffic) |
| Mitigation | Can block or limit traffic from a single source | Requires distributed countermeasures | Harder to block due to use of legitimate servers for reflection |
Summary of Example Attacks:
- DOS Example: A single attacker sends an overwhelming number of pings (ICMP requests) to a server, using all its bandwidth and preventing it from responding to legitimate requests.
- DDoS Example: A botnet consisting of thousands of infected IoT devices sends millions of HTTP requests to a website, causing the server to crash due to resource exhaustion.
- DRDoS Example: The attacker sends a small DNS query to a DNS server with the target’s IP address, causing the server to reply with a large payload, flooding the victim’s network.