What's the difference between a DoS attack and a DDoS attack?

Source: Internet
Author: User

DDoS is one form of DoS attack.

DoS: the abbreviation for Denial of Service, not the DOS operating system. Attacks that cause a denial of service are called DoS attacks; their purpose is to make a computer or network unable to provide normal service. The most common DoS attacks are computer network bandwidth attacks and connectivity attacks.

DDoS: Distributed Denial of Service attacks use client/server technology to combine multiple computers into an attack platform and launch attacks against one or more targets, which multiplies the power of a denial-of-service attack.

To cite one of the most popular examples, take the three-way handshake of TCP communication. If the attacking side sends the first handshake packet and then "disappears", the server keeps sending the second handshake packet but can never reach the other end. As a result, the server's resources are consumed until it freezes. Of course, to fully understand the mechanism, you need a fairly deep understanding of TCP.

In fact, there are many ways to carry out a DoS attack. The following are common:

1. SYN flood
This exploits the server's connection buffer (backlog queue). A special program sets up the TCP header and repeatedly sends the server TCP connection requests that carry only the SYN flag. When the server receives them, it treats them as connection requests that have not yet been established, so it creates a session for each one and places it in the buffer queue.
If the SYN requests exceed the limit the server can hold and the buffer queue is full, the server no longer accepts new requests, and connections from other legitimate users are denied. The attacker can keep sending SYN requests until the buffer holds nothing but its SYN-flagged requests.
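
On the server, the condition described above shows up as a pile-up of half-open (SYN_RECV) sockets on a listening port. The following is an added example, not part of the original article: it counts them from text in the Linux /proc/net/tcp layout. The sample rows, the `backlog` value of 8 and the 0.8 warning ratio are constructed for illustration.

```python
import socket
import struct
from collections import Counter

SYN_RECV = "03"  # TCP state code for SYN_RECV in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout, trimmed to the first four
# columns (sl, local_address, rem_address, st). Not captured from a real host.
SAMPLE = """\
sl local_address rem_address st
0: 00000000:0050 00000000:0000 0A
1: 0A00000A:0050 010200C0:C001 03
2: 0A00000A:0050 020200C0:C002 03
3: 0A00000A:0050 030200C0:C003 03
4: 0A00000A:0050 040200C0:C004 03
5: 0A00000A:0050 050200C0:C005 03
6: 0A00000A:0050 060200C0:C006 03
7: 0A00000A:0050 070200C0:C007 03
8: 0A00000A:0050 080200C0:D000 01
9: 0A00000A:01BB 090200C0:D001 03
"""


def decode_ip(hex_ip):
    # The kernel prints the IPv4 address as a native-endian 32-bit hex word;
    # a little-endian host (x86/ARM) is assumed here.
    return socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))


def half_open_report(text, backlog, warn_ratio=0.8):
    """Count SYN_RECV sockets per local port and flag ports near the backlog."""
    counts, sources = Counter(), {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != SYN_RECV:
            continue
        port = int(fields[1].split(":")[1], 16)
        counts[port] += 1
        sources.setdefault(port, set()).add(decode_ip(fields[2].split(":")[0]))
    return {
        port: {"half_open": n,
               "distinct_sources": len(sources[port]),
               "alert": n >= warn_ratio * backlog}
        for port, n in counts.items()
    }


if __name__ == "__main__":
    # backlog=8 is an illustrative value, not a recommended setting
    for port, row in sorted(half_open_report(SAMPLE, backlog=8).items()):
        print(port, row)
```

Many half-open sockets from many distinct sources that never complete the handshake match the pattern in the text; a few from one source usually do not.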

2. IP spoofing DoS attack
This attack is implemented using the RST bit. Suppose a legitimate user (1.1.1.1) has established a normal connection with the server. The attacker constructs the TCP data for the attack, disguises its own IP as 1.1.1.1, and sends the server a TCP segment with the RST bit set. When the server receives this data, it assumes the connection from 1.1.1.1 has encountered an error and clears the established connection from its buffer. If the legitimate user 1.1.1.1 then sends legitimate data again, the server no longer has such a connection, and the user must start a new connection.
In an attack, a large number of forged IP addresses are used to send RST data to the target, so that the server does not serve legitimate users.

3. Bandwidth DoS attack
If the attacker's connection bandwidth is large enough and the server's capacity is not, the attacker can send requests that consume the server's buffers and bandwidth. This attack relies on strength in numbers; carried out together with a SYN flood, it is very powerful. But it is an elementary DoS attack.


4. Self-consuming DoS attack
This is an old-fashioned attack, old-fashioned because only old systems have this kind of bug, such as Win95 (Winsock v1), Cisco IOS v.10.x, and other outdated systems.
This DoS attack sets the client IP and port of the request to the same IP and port as the host and sends the request to the host, which makes the host send TCP requests and connections to itself. A host with this vulnerability quickly exhausts its resources, which leads directly to a crash. This kind of disguise is still a huge threat to some identity authentication systems.


The DoS attacks above are mainly implemented by constructing the required TCP data and making full use of the TCP protocol. These attack methods are all built on TCP. There are also other DoS attack methods.

5. Filling up the server's hard disk
Typically, if a server allows write operations without restriction, filling up its hard disk can serve as a DoS attack, for example:
Sending spam messages. In an ordinary company, the mail server and the Web server may be on the same machine. An attacker can send a large amount of spam, which may sit in a message queue or in a bad-mail queue until the mailbox bursts or the hard disk is full.
Filling up the logs. An intruder can construct and send a large number of erroneous requests. The server records these errors, which may make the log file very large and even fill the hard disk. At the same time, the administrator is painfully faced with a huge volume of logs and may not even be able to find the intruder's real intrusion path.
Uploading junk files to anonymous FTP. This can also fill the hard disk space.
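
One way to keep the log-filling case above from exhausting the disk or burying other entries, as an added example that is not part of the original article: a size-capped rotating log combined with a per-source limit. The `src` record field, the limits and the addresses are assumptions made for this example.

```python
import logging
import logging.handlers
import os
import tempfile


class PerSourceLimit(logging.Filter):
    """Allow at most `limit` records per source in each time window."""

    def __init__(self, limit=50, window=60, max_sources=1000):
        super().__init__()
        self.limit, self.window, self.max_sources = limit, window, max_sources
        self.slot, self.counts = None, {}

    def filter(self, record):
        slot = int(record.created // self.window)
        if slot != self.slot:                    # new window: forget old counts
            self.slot, self.counts = slot, {}
        src = getattr(record, "src", "unknown")  # 'src' is defined by this example
        if src not in self.counts and len(self.counts) >= self.max_sources:
            src = "*overflow*"                   # bound the table's own memory use
        self.counts[src] = self.counts.get(src, 0) + 1
        return self.counts[src] <= self.limit


def build_logger(directory, max_bytes=64 * 1024, backups=2):
    # Rotation is the hard ceiling: at most (backups + 1) * max_bytes on disk.
    handler = logging.handlers.RotatingFileHandler(
        os.path.join(directory, "app.log"), maxBytes=max_bytes, backupCount=backups)
    handler.setFormatter(logging.Formatter("%(asctime)s %(src)s %(message)s"))
    handler.addFilter(PerSourceLimit())
    logger = logging.getLogger("capped-demo")
    logger.handlers, logger.propagate = [handler], False
    logger.setLevel(logging.INFO)
    return logger


def simulate_flood(n=20000):
    """Return (bytes on disk, whether the quiet source's line survived)."""
    with tempfile.TemporaryDirectory() as d:
        log = build_logger(d)
        log.error("login failed", extra={"src": "198.51.100.7"})  # constructed
        for _ in range(n):
            log.error("bad request %s", "A" * 200, extra={"src": "192.0.2.1"})
        log.handlers[0].close()
        data = b"".join(open(os.path.join(d, f), "rb").read() for f in os.listdir(d))
        return len(data), b"198.51.100.7 login failed" in data
```

The per-source limit keeps one noisy sender from pushing other entries out of the rotated files, and the rotation cap still bounds disk use when the errors come from many sources.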
