DoS vs. DDoS attacks: What’s the difference?

Tips & tricks
9 mins
Laptop with crosshairs.

Gaming related DDoS attacks have seen a sharp increase in recent years. Interestingly, it isn’t just gamers—DDoS attacks are affecting everyone. Unsurprisingly, this has been linked to Covid related lockdowns which have provided malicious actors with more opportunities to prey on targets.

While often referred to in the media as hacking, a denial-of-service attack (DoS) is an attempt to make a service unusable. Denial of Service attacks are very easy for anybody to execute and, as such, are relatively common.

However, professional services have emerged that make it easy to defend against DoS Attacks, or make the attack less effective.

Difference between DoS and DDoS attacks

In the simplest terms:

  • A DoS attack is when a website or web service is flooded with automated requests from a single user, disrupting services and deterring legitimate visitors from entry. This attack overwhelms the network with so many false requests that it becomes temporarily unusable.
  • A DDoS, or distributed denial-of-service, attack is a DoS attack on a large scale utilizing several users and/or bots.
Denial of ServiceDistributed Denial of Service
Attack comes from one computerAttack comes from a multi-device botnet
Can block by using a firewallCan’t block with only a firewall
Easy to traceDifficult to trace
No malware involvementUses devices infected by malware


Metaphorically speaking, this would be akin to deliberately causing a traffic jam.

The easiest form of a DoS attack is one that simply requests content from a site (i.e., a web page, a file, or a search request). This request will consume resources for both the person making it and the person(s) being attacked. In theory, if you have more resources than the service you are attacking, you could take the service down for the duration of the attack.

Some operations might be very resource intensive on the targeted service, but require little to no resources on the side of the attacker. If a service is unprepared, it becomes an easy target.

Most services, however, will limit the amount of resources spent on each visitor, preventing a single user from using up all its resources. The service might also block a user completely if their activity is deemed suspicious. In other cases, a service might prompt for a captcha, slowingdown automated attacks.

Defending against a DDos attack is more difficult. Instead of a single user with a single machine flooding a service with requests, there are thousands or even millions of machines (called botnets).

Botnets are a group of compromised devices that are connected to the internet, such as desktop computers, routers, or even security cameras. They are remotely controlled by a group of attackers, who often rent them out on an hourly basis for the sole purpose of DDoS Attacks.

Common types of DoS and DDoS attacks

Ping of death

Also known as an Internet Control Message Protocol (ICMP) flood attack, a ping of death attack uses misconfigured network devices to send spoof packets to every computer on a targeted network. Because the spoof packets are not properly formatted, they will cause computers to crash after they receive it.

UDP flood

User Datagram Protocol (UDP) packets are like carrier pigeons. Normally, each pigeon carries a message addressed to someone in the neighborhood (or some port in the computer). However, in a UDP flood attack, the attacker sends a swarm of carrier pigeons (spoofed UDP packets) with messages to recipients who don’t exist. While attempting to handle the flood of spoofed packets, the target computer uses up all its resources shutting down packets from legitimate users.

Ping flood

Similar to a UDP flood, a ping flood involves an attacker flooding a target computer with ICMP packets. The goal is to send ping packets as quickly as possible without waiting for a response. This then renders the target computer unreachable via brute force.

SYN flood

This involves attackers sending SYN requests to a targeted computer, which then replies with a SYN-ACK response. At this point, the computer expects an ACK response. However, in a SYN attack, no response is sent at all. The increasing pile of SYN messages ties up the resources on the computer, making it impossible for legitimate devices to establish a connection.


Named after the animal, slowloris is a hacking tool that sends incomplete HTTP requests to computers with no intention of actually completing them. The targeted computers will then keep connections open, thereby denying any legitimate incoming connection attempts.

HTTP flood

This is a high-volume attack that utilizes a flood of illegitimate HTTP requests webpage resources and POST requests sending web forms. Once again, the sheer number of these requests overloads the computer or web applications, making it inoperable. This is generally achieved by using internet connected devices which have been hijacked with the aid of malware or bots.

Zero-day attack

A zero-day attack occurs when hackers or malicious actors are able to exploit a critical security flaw before it can be rectified by a software developer. In other words, attackers seek to take advantage of vulnerabilities that have not been discovered yet.

Teardrop attack

As the name suggests, a teardrop attack works by gradually sending data fragments to a target network. Once sent, an attempt is made to recompile the data fragments into their original state. If successful, the target system is overwhelmed by the recompiling process and eventually crashes.

How to prevent DoS and DDoS attacks

Create a protection plan

Creating a comprehensive top-down protection plan to address all attack vectors is the first line of defense against DoS and DDoS attacks. This should cover timelines and responsibilities to constantly monitor your network and site logs to identify any issues to help improve security.

Keep your site updated

Ensuring that your site’s software is updated is imperative for staying one step ahead of any emerging threats. Failing to regularly update can leave you vulnerable to malware, software bugs, zero-day attacks, or data theft.

Stronger user authentication

If you run a business, require that your staff adhere to a strong authentication process. At the very least, implement a multi-factor authentication process that requires users to provide extra credentials in addition to their username and password in order to access company accounts and services. This extra credential could include authentication apps or biometric data.

Simulate DoS attacks

You know what they say: Practice makes perfect! Running simulations can be a great way to train your staff how to recognise all the signs of a DoS as they happen, and further safeguard your systems from external threats.

Why do DoS and DDoS attacks occur?


DoS or DDoS ransom attacks involve inundating a target’s system or website with requests to render them inaccessible. Once compromised, an attacker will demand a ransom to lift the attack. There is, however, no guarantee that everything will go back to normal once a ransom is paid.


A current, or former, employee may be harboring a grudge against you and has undertaken a DoS/DDoS attack to exact revenge.


Competitors in your market may resort to unethical tactics in an attempt to steer potential consumers away from your business—and this might mean making your website or service inaccessible via a DoS/DDoS attack.


A portmanteau of hack and activism, hacktivism is the use of technology as a form of protest. In this context, attackers may disagree with you for corporate or political reasons. Hacktivism is usually directed towards governments or large corporations.

Read more: Is this attack a hack… or hacktivism?


DoS/DDoS attacks are easy to execute and can sometimes be performed purely for the amusement of the attackers.

Nation state funded DDoS attacks

When carried out by well-funded actors, such as Nation states, DDoS attacks become almost impossible to defend against due to the scope of the attack. DDoS Attacks pose a serious threat to the freedom of speech online, as they are done in extrajudicial secrecy and without accountability.

For example, China has in the past repurposed its Great Firewall to initiate DDoS attacks against Github for hosting mirrors of newspaper articles. British spy agency GCHQ is also reported to have used DDoS attacks as retaliation against hacker groups Anonymous and LulzSec. These high-level types of attacks are referred to as “Advanced Persistent DoS Attacks.”

DDoS Attacks can be executed for a variety of reasons. Sometimes their goal is purely political, or an act of vengeance against a previous attack. Attacks can also be carried out for business reasons, for example, to “convince” the customers of a competitor to switch products.

A large and efficient DDoS attack can be expensive, so damage is often limited to just a few hours or days of outage, as the perpetrator cannot afford to sustain it any longer. Still, for a business, even this short time can have serious commercial implications.

Many attackers will use a DDoS Attack for the purpose of extortion. Initially, a small attack is launched against a target, followed by a request for ransom. If the target does not pay, a larger DDoS Attack usually follows, sometimes followed by another ransom request.

Paying the ransom, in this case, is not wise. Other attacks will soon follow (as everyone knows it will pay out). There are many potential attackers out there, so the promise of one group to “not attack” again is meaningless. Investing the capital in DDoS protection is much wiser.

Denial of Service attacks against end-users

DoS Attacks can also be launched against those who do not operate a web service. For example, your email inbox can be the target of what is called an e-mail bomb. During an E-mail bomb attack, a user will receive a large number of e-mails, some with massive attachments, others designed to trigger alerts on the user’s system. If the system, particularly the spam filter, is poorly configured, this can crash the email server or the client (e.g., Outlook) that the user uses to read the email. For the duration of the attack (and possibly longer), the e-mail service will be disrupted. It’s possible that all emails received during the attack are lost, or will take a long time to filter through to the user.

But DDoS Attacks don’t just hit computers—they can make phones unusable, too. A clever method to achieve this involves a fake online ad taken out in the name of the victim, for example for an absurdly cheap car in a big city. The resulting flood of emails and phone calls can be of great inconvenience to the victim. And as they are all non-automated messages from real people, they are very hard to defend against or block.

In extreme situations, getting a new email address or phone number can be the best choice for the victim. A well configured and popular email provider, such as Google or Apple, will go a long way in defending against attacks, however.

Read more: What is ransomware, and how to prevent it?

FAQ: Dos and DDoS attacks

Can you accidentally DDoS someone?
Is it illegal to DDoS attack a website?
How do DDoS and DrDoS attacks differ?
Hi, you've reached Marcus. Dial '1' for privacy, '2' for point and click adventure games, and '3' for paranormal stories. For all other enquiries, please stay on the line and he'll be with you shortly.