For beginners, distinguishing between terms such as DoS, DDoS and DRDoS can be difficult. Contrary to appearances, these are not unambiguous concepts, and the nomenclature used on the Internet can be misleading. This article was therefore written to explain these terms using familiar examples.
DoS, or Denial of Service, is an attack that prevents a particular system or server from operating. There are different types of DoS attack. When you read about one, the author most often means an attack that involves continuously sending packets of a certain type to the victim's IP address. This is a simple and crude method, and it is easy to counter: the traffic can be stopped by blocking the attacker's IP. Another problem with this attack is its poor cost-effectiveness: for the attack to work, the attacker needs more Internet bandwidth than the victim.
As traditional DoS attacks became harder to carry out over time, attackers came up with the idea of the DDoS attack, or Distributed Denial of Service. It involves attacking a server from multiple computers simultaneously. Often the attacking computers take part unknowingly, because they were infected earlier.
Summary: DDoS means denying access to a server, or denying service to its users, for a period of time using requests that come from many sources, as opposed to DoS, which usually means a single source of attack.
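The single-source versus multi-source distinction above is also what a defender looks for in server logs. The following is an added example, not code from the original article: it buckets constructed web-server log lines (timestamp, client IP, request line; the line format and all thresholds are assumptions) into one-second windows and labels each window as normal, a single-source flood (DoS-shaped) or a distributed flood (DDoS-shaped).

```python
"""Tell a single-source flood from a distributed one in a request log.

The log layout ('ISO-timestamp client-ip method path') and the thresholds
below are assumptions made for this example; tune them to real traffic.
"""
from collections import Counter, defaultdict

FLOOD_THRESHOLD = 50        # requests in one second that we treat as abnormal (assumed)
SINGLE_SOURCE_SHARE = 0.8   # one IP sending >= 80% of a flood window => single source
DISTRIBUTED_MIN_SOURCES = 20  # this many distinct IPs in a flood window => distributed


def parse_line(line):
    """Split one log line into (timestamp, client_ip); the request line is ignored."""
    ts, ip, _method, _path = line.split(maxsplit=3)
    return ts, ip


def windows_by_second(lines):
    """Group request counts per client IP into one-second windows keyed by timestamp."""
    buckets = defaultdict(Counter)
    for line in lines:
        if not line.strip():
            continue
        ts, ip = parse_line(line)
        buckets[ts][ip] += 1
    return buckets


def classify_window(counter):
    """Return (label, detail) for one window's per-IP request counter.

    label is 'normal', 'dos' (detail = dominant IP), 'ddos' (detail = number of
    distinct sources) or 'elevated' (flood volume without a clear pattern).
    """
    total = sum(counter.values())
    if total < FLOOD_THRESHOLD:
        return ("normal", None)
    top_ip, top_count = counter.most_common(1)[0]
    if top_count / total >= SINGLE_SOURCE_SHARE:
        return ("dos", top_ip)           # one address dominates: block it at the edge
    if len(counter) >= DISTRIBUTED_MIN_SOURCES:
        return ("ddos", len(counter))    # many addresses, none dominant: per-IP blocking won't help
    return ("elevated", None)


def analyze(lines):
    """Map each one-second window to its classification."""
    return {ts: classify_window(c) for ts, c in windows_by_second(lines).items()}


def build_sample_log():
    """Constructed sample: ordinary traffic, then a single-IP flood, then a
    flood spread over 30 addresses. All addresses are documentation ranges."""
    lines = []
    for ip in ("203.0.113.5", "203.0.113.6", "203.0.113.7"):
        lines.append(f"2024-01-01T10:00:00 {ip} GET /index.html")
    lines += ["2024-01-01T10:00:01 198.51.100.7 GET /login"] * 60
    lines += ["2024-01-01T10:00:01 203.0.113.5 GET /index.html"] * 2
    for i in range(30):
        lines += [f"2024-01-01T10:00:02 192.0.2.{i + 1} GET /search?q=x"] * 2
    return lines


if __name__ == "__main__":
    for ts, verdict in sorted(analyze(build_sample_log()).items()):
        print(ts, verdict)
```

The practical consequence of the two labels differs: a `dos` window points at one address that a firewall rule can drop, while a `ddos` window has no dominant address, which is exactly why distributed attacks defeat per-IP blocking and need upstream filtering or rate limiting on the aggregate instead.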
Over time, DDoS traffic has come to be filtered carefully, and gaining access to many computers at once has become difficult. Various attack methods were therefore invented to get around these problems.
There are hundreds, if not thousands, of DDoS attack variants. You can see some of the available DDoS attack methods in the MHDDoS repository. Illustrating every variant one by one would take several books, so in this article we look at only a few of them.
DRDoS (Distributed Reflection Denial of Service) involves sending forged requests that impersonate the target (the victim) to thousands of computers, so that their responses hit the victim's machine. IP address spoofing (impersonation) is used for this: the source address of each request is set to that of the victim. We mentioned a similar method in our article on the SYN flood attack.
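Reflection only works because forged source addresses are allowed onto the Internet, so the two standard defences sit at opposite ends of the attack. The following is an added example, not code from the original article: an egress anti-spoofing filter in the spirit of BCP 38 (a packet leaving our network must carry a source address from our own prefix) and, on the victim's side, a count of responses that arrive without any matching outbound request, which identifies the reflectors. The prefix, packet records and port numbers are constructed for this example.

```python
"""Anti-spoofing egress filtering and unsolicited-response detection.

OUR_PREFIXES, the packet tuples and all addresses below are constructed for
this example (documentation ranges only).
"""
import ipaddress
from collections import Counter

# Address space we are responsible for (assumed). A packet leaving our edge
# with any other source address is forged and must not be forwarded.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def egress_allowed(src_ip):
    """True if a packet with this source address may leave our network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in OUR_PREFIXES)


def filter_egress(packets):
    """packets: iterable of (src_ip, dst_ip, sport, dport).

    Returns (forwarded, dropped). Dropping here stops our hosts from being
    used to send requests that pretend to come from a victim elsewhere.
    """
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if egress_allowed(pkt[0]) else dropped).append(pkt)
    return forwarded, dropped


def unsolicited_responses(outbound, inbound):
    """Victim-side check.

    outbound: list of (dst_ip, dst_port) requests this host actually sent.
    inbound:  list of (src_ip, src_port) packets this host received.
    Returns a Counter of addresses whose packets answered nothing we asked;
    those are the reflectors, and the ports tell you which service is abused.
    """
    expected = set(outbound)
    reflectors = Counter()
    for src_ip, src_port in inbound:
        if (src_ip, src_port) not in expected:
            reflectors[src_ip] += 1
    return reflectors


# Constructed egress traffic: two legitimate packets and one with a forged
# source address outside our prefix.
EGRESS_SAMPLE = [
    ("203.0.113.10", "198.51.100.1", 40000, 53),
    ("192.0.2.99", "198.51.100.1", 53, 53),
    ("203.0.113.11", "198.51.100.2", 40001, 123),
]

# Constructed victim-side view: one DNS query we really sent, three answers to
# it, and nine NTP-port packets we never asked for.
OUTBOUND_SAMPLE = [("198.51.100.1", 53)]
INBOUND_SAMPLE = (
    [("198.51.100.1", 53)] * 3
    + [("198.51.100.50", 123)] * 5
    + [("198.51.100.51", 123)] * 4
)


if __name__ == "__main__":
    fwd, drp = filter_egress(EGRESS_SAMPLE)
    print("forwarded:", fwd)
    print("dropped (forged source):", drp)
    print("reflectors:", unsolicited_responses(OUTBOUND_SAMPLE, INBOUND_SAMPLE))
```

The egress check is something a network operator deploys once at the edge; the unsolicited-response count is what a victim runs on flow records to learn which third-party services are being reflected, so that those sources can be rate-limited or contacted.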
Another interesting case is the hit-and-run DoS attack. It involves hitting the victim with a sizable attack repeatedly, in cycles, rather than continuously. Campaigns of this type can last up to several days.
The Slowloris attack can serve as another example. It involves keeping as many connections as possible open with the attacked server for as long as possible. More specifically, Slowloris sends an HTTP request and then, every so often, sends a further header to keep the connection open. The connections are never closed, so eventually the server's thread pool is exhausted and the server rejects requests from real clients.
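The server-side answer to the connection-holding behaviour described above is to stop waiting: a client that has not finished sending its request headers within a deadline is disconnected, and one client is not allowed to occupy a large share of the worker pool. The following is an added example, not code from the original article: it models per-connection state, marks a connection complete when the blank line ending the HTTP headers arrives, and applies a header-read timeout and a per-client connection cap to a constructed set of connections (record format, timing values and thresholds are assumptions).

```python
"""Header-read timeout and per-client cap as a Slowloris mitigation.

The Conn record, the timings and both thresholds are assumptions made for
this example; real servers expose the same controls as configuration.
"""
from collections import Counter
from dataclasses import dataclass

HEADER_TIMEOUT = 10.0   # seconds a client gets to finish its request headers (assumed)
MAX_CONN_PER_IP = 20    # connections one client may hold at once (assumed)


@dataclass
class Conn:
    conn_id: int
    client_ip: str
    opened_at: float          # seconds since server start
    buffer: bytes = b""       # request bytes received so far
    headers_done: bool = False

    def feed(self, data: bytes):
        """Append received bytes; the empty line ends the header block."""
        self.buffer += data
        if b"\r\n\r\n" in self.buffer:
            self.headers_done = True


def slow_header_connections(conns, now):
    """Connections still without complete headers past HEADER_TIMEOUT: close these."""
    return [c for c in conns
            if not c.headers_done and now - c.opened_at > HEADER_TIMEOUT]


def over_limit_clients(conns):
    """Client addresses holding more than MAX_CONN_PER_IP open connections."""
    counts = Counter(c.client_ip for c in conns)
    return {ip for ip, n in counts.items() if n > MAX_CONN_PER_IP}


def build_sample(now):
    """Constructed connection table: one normal client, one client trickling a
    header at a time for 30 s, and one client holding 25 half-finished requests."""
    conns = []
    c = Conn(1, "203.0.113.5", now - 1.0)
    c.feed(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    conns.append(c)

    c = Conn(2, "198.51.100.7", now - 30.0)
    c.feed(b"GET / HTTP/1.1\r\n")
    c.feed(b"X-a: 1\r\n")
    conns.append(c)

    for i in range(25):
        c = Conn(100 + i, "198.51.100.8", now - 15.0)
        c.feed(b"GET / HTTP/1.1\r\nHost: example.test\r\n")
        conns.append(c)
    return conns


if __name__ == "__main__":
    now = 1000.0
    conns = build_sample(now)
    print("close (slow headers):", [c.conn_id for c in slow_header_connections(conns, now)])
    print("clients over cap:", over_limit_clients(conns))
```

In production the same two knobs are configuration rather than code: nginx has `client_header_timeout`, and Apache's `mod_reqtimeout` provides `RequestReadTimeout`; a per-client connection limit is usually enforced in front of the server. The timeout is what makes the attack expensive, because the attacker must now re-open every connection it loses instead of holding them indefinitely.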
The last example discussed is the Ping of Death attack. The most commonly transmitted ping packets are 56 or 64 bytes in size. An IPv4 packet can be at most 65,535 bytes. Some systems were not designed correctly and did not handle ping packets larger than 65,535 bytes. When packets are transmitted, the data link layer usually imposes a limit on the maximum size of a frame it can carry (the MTU). Because of this, if a packet is larger than that maximum, it is split into smaller fragments, and the receiving host, after receiving all the fragments, reassembles them into the complete packet.
In a Ping of Death attack, packets larger than 65,535 bytes are repeatedly sent to the server; the fragments are reassembled into a complete packet on the host, which can lead to a buffer overflow. A well executed attack can lead to RCE (Remote Code Execution).
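The defect behind the overflow is a reassembler that trusts the fragment offset and length fields and writes past a fixed-size buffer. The following is an added example, not code from the original article or any real IP stack: a small IPv4 fragment reassembler that checks every fragment against the 65,535-byte datagram limit before touching any buffer, requires the fragments to cover the datagram without gaps or overlaps, and sizes the buffer from the validated total rather than from the sender's claims. The fragments are constructed; field semantics follow the IPv4 header (offset in 8-byte units, MF = more-fragments flag), and the 20-byte header length is an assumption.

```python
"""Bounds-checked IPv4 fragment reassembly.

Fragment tuples are (offset_units, more_fragments, payload_bytes). The
minimal 20-byte header is assumed; sample fragments are constructed.
"""
MAX_IP_PACKET = 65535
IP_HEADER_LEN = 20
MAX_DATA = MAX_IP_PACKET - IP_HEADER_LEN   # 65515 bytes of payload at most
MAX_OFFSET_UNITS = 0x1FFF                  # 13-bit fragment offset field


class FragmentError(ValueError):
    """Raised for any fragment set that must be discarded rather than reassembled."""


def validate_fragment(offset_units, more_fragments, payload_len):
    """Return the end position of this fragment's data, or raise.

    This is the check whose absence allowed the Ping of Death: the data of a
    fragment may never extend past the maximum datagram size.
    """
    if not 0 <= offset_units <= MAX_OFFSET_UNITS:
        raise FragmentError("offset field out of range")
    if more_fragments and payload_len % 8:
        raise FragmentError("non-final fragment length must be a multiple of 8")
    end = offset_units * 8 + payload_len
    if end > MAX_DATA:
        raise FragmentError(
            f"fragment would extend to {end} bytes of data, exceeding {MAX_DATA}")
    return end


def reassemble(fragments):
    """Reassemble a complete datagram payload or raise FragmentError.

    Overlapping fragments are rejected outright here (a deliberate, simple
    policy); the buffer is allocated only after every fragment is validated.
    """
    total = None
    covered = []
    for off, mf, data in fragments:
        end = validate_fragment(off, mf, len(data))
        covered.append((off * 8, end))
        if not mf:
            if total is not None:
                raise FragmentError("two fragments claim to be the last one")
            total = end
    if total is None:
        raise FragmentError("incomplete: no final fragment")

    # Every byte from 0 to total must be covered exactly once.
    covered.sort()
    pos = 0
    for start, end in covered:
        if start != pos:
            raise FragmentError(f"gap or overlap at byte {pos}")
        pos = end
    if pos != total:
        raise FragmentError("data present beyond the final fragment")

    buf = bytearray(total)   # sized from the validated total, never from raw fields
    for off, _mf, data in fragments:
        buf[off * 8: off * 8 + len(data)] = data
    return bytes(buf)


def safe_reassemble(fragments):
    """Convenience wrapper returning (payload, None) or (None, error message)."""
    try:
        return reassemble(fragments), None
    except FragmentError as exc:
        return None, str(exc)


# Constructed samples: a small, well-formed 20-byte datagram in three
# fragments, and a Ping-of-Death-shaped set whose last fragment sits at the
# maximum offset with 100 bytes of data.
GOOD_FRAGMENTS = [(0, True, b"A" * 8), (1, True, b"B" * 8), (2, False, b"C" * 4)]
OVERSIZED_FRAGMENTS = [(0, True, b"P" * 8), (MAX_OFFSET_UNITS, False, b"Q" * 100)]

if __name__ == "__main__":
    print(safe_reassemble(GOOD_FRAGMENTS))
    print(safe_reassemble(OVERSIZED_FRAGMENTS))
```

The oversized set is rejected before any buffer exists, which is the whole point: a stack that allocates first and validates later is the one that overflows.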