What is a DoS attack?
A Denial of Service (DoS) attack is a cyberattack where an attacker uses a single primary source to exhaust a target's resources (CPU, memory, connection slots, thread pools, or application capacity) and make it unavailable to legitimate users. When a DoS attack succeeds, websites go offline, applications become unresponsive, and business operations halt, costing organizations revenue, reputation, and customer trust.
The mechanics are straightforward: an attacker sends overwhelming requests designed to consume CPU cycles, memory, bandwidth, or connection slots on the target system. Once these resources are exhausted, the target cannot process legitimate traffic. Think of it like someone repeatedly calling a customer service line and never hanging up, preventing real customers from getting through.
DoS attacks are often grouped into three primary categories based on which layer they target:
Application crash/exploit DoS: These exploit software vulnerabilities to crash or destabilize a service (including memory corruption cases like buffer overflows, unhandled exceptions, or resource leaks), effectively denying service to everyone.
Flood attacks: These overwhelm resources by sending massive volumes of seemingly legitimate requests. SYN floods exploit the TCP handshake process by initiating thousands of connections without completing them, filling up the connection state table. ICMP floods bombard the target with ping requests until it cannot respond to anything else.
Early DoS attacks targeted individual servers and were relatively easy to trace back to a single IP address. Once defenders identified the source, they could block it with a simple firewall rule. This limitation remains the defining characteristic of DoS attacks: because traffic originates from one location, the attack is constrained by the attacker's own bandwidth and can be mitigated with basic IP blocking.
Watch 5-minute demo
Learn about the full power of the Wiz cloud security platform. Built to protect your cloud environment from code to runtime.
Watch now
What is a DDoS attack?
A Distributed Denial of Service (DDoS) attack is a coordinated assault where multiple compromised systems, collectively called a botnet, simultaneously flood a target with traffic. This makes the attack far more powerful and difficult to stop than a single-source DoS attack. DDoS attacks can take down even well-resourced targets because defenders cannot simply block one IP address. Traffic appears to come from thousands of legitimate sources across the globe.
Botnets form the backbone of DDoS attacks. Attackers compromise devices like IoT cameras, servers, cloud workloads, and personal computers by exploiting vulnerabilities or using stolen credentials. They install malware that sits quietly, awaiting commands from a central command-and-control (C2) server. When the attacker activates the botnet, all devices attack the target simultaneously.
Attackers obtain botnets in two primary ways:
Building their own: By scanning the internet for vulnerable devices and exploiting them at scale, attackers can assemble botnets containing hundreds of thousands of compromised systems.
Renting access: DDoS-for-hire services, sometimes called booter or stresser services, allow anyone with a credit card to rent botnet capacity. This dramatically lowers the barrier to launching attacks, even as law enforcement has seized more than 75 domains tied to such services in recent years.
Modern DDoS attacks generate massive traffic volumes through amplification techniques. In a DNS amplification attack, the attacker sends small requests to DNS servers with the target's spoofed IP address. The DNS servers respond with much larger replies, all directed at the victim. According to CISA's guidance on denial-of-service attacks, amplification can multiply attack traffic by factors of 50x or more using protocols like DNS, NTP, or memcached.
The distributed nature creates the core defensive challenge. Traffic originates from legitimate IP addresses worldwide, making it nearly impossible to distinguish attack traffic from real users without behavioral analysis.
What is the difference between DoS and DDoS?
Both attack types aim to disrupt availability, but the operational complexity and defensive requirements differ significantly. Understanding these differences helps you choose the right protections.
| Factor | DoS Attack | DDoS Attack |
|---|---|---|
| Source | Single system | Multiple systems (botnet) |
Traffic volume | Limited by single attacker's bandwidth | Aggregated from hundreds or thousands of sources |
Traceability | Easier to identify and block origin | Difficult; traffic comes from legitimate-looking IPs |
| Mitigation complexity | Simpler; block single IP or rate-limit | Complex; requires traffic scrubbing, behavioral analysis |
| Attack sophistication | Lower barrier to execute | Requires botnet infrastructure or rental |
| Cost to attacker | Minimal | Higher (but DDoS-for-hire services reduce this) |
The threat landscape has evolved accordingly. As basic DoS attacks became easier to block, attackers shifted to distributed methods. NETSCOUT recorded over 8 million DDoS attacks in the first half of 2025 alone. Single-source attacks still occur, but they typically target smaller organizations or serve as probes before larger campaigns.
How to prevent and mitigate DoS and DDoS attacks
No single control stops all attack types. Effective defense combines network protections, application-layer controls, and runtime monitoring. Each layer catches threats that slip past the others.
Reduce your attack surface
The fewer services exposed to the internet, the fewer targets attackers can hit. Understanding your attack surface is the first step to reducing it. Start by inventorying everything that is publicly accessible and ask whether it needs to be. Internal dashboards, management interfaces, and development environments should never be internet-facing.
In cloud environments, place internal services behind private subnets. Use VPCs to create network boundaries and security groups to control which traffic can reach each resource. A database server has no business accepting connections from the public internet, even if you think your application is the only thing connecting to it.
Regularly audit which resources are internet-facing. Cloud environments change constantly as teams deploy new services. What was private last month might be exposed today due to a misconfiguration. Exposure management is not a one-time project but an ongoing discipline.
Implement rate limiting and traffic filtering
Rate limiting at load balancers, API gateways, and web application firewalls (WAFs) throttles requests per IP, per identity/token, or per session. This prevents any single source from consuming excessive resources. If one IP address sends 10,000 requests per second while normal users send 10, rate limiting catches the anomaly.
Geo-blocking and IP reputation filtering add additional layers. If your business operates only in North America, blocking traffic from regions where you have no customers reduces your exposure. Threat intelligence feeds identify known malicious IP addresses, command-and-control servers, and botnet infrastructure so you can block them proactively.
These controls have limitations. Rate limiting works well against single-source attacks but struggles against distributed attacks where many sources each send low volumes of traffic. When 50,000 IP addresses each send 10 requests per second, none of them individually triggers rate limits, but together they overwhelm your service.
Use DDoS protection services
Cloud providers offer built-in DDoS protection services. AWS Shield and Azure DDoS Protection provide DDoS mitigation at the provider edge for L3/L4 attacks, while Google Cloud Armor adds edge protection and WAF capabilities for HTTP(S) traffic on supported Google Cloud load balancers. These services absorb volumetric attacks before traffic reaches your infrastructure, using the provider's massive network capacity to handle floods that would overwhelm any single customer.
Third-party scrubbing services offer additional protection. When an attack is detected, traffic is rerouted through scrubbing centers that filter malicious requests before forwarding legitimate traffic to your origin servers. This happens transparently to your users, though it adds some latency.
These services add cost, and the scrubbing process introduces latency. For most organizations, the trade-off is worthwhile because the alternative is going offline during an attack. Evaluate your risk tolerance and choose protection levels accordingly.
Monitor for anomalies at runtime
Network-layer defenses catch volumetric floods, but application-layer attacks slip through by mimicking legitimate traffic. NETSCOUT reported these attacks increased 43% year over year. Detecting them requires understanding what normal looks like for your workloads and identifying deviations.
Watch for unexpected CPU spikes, memory exhaustion, abnormal request patterns, or unusual outbound traffic. A Slowloris attack, for example, opens many connections and sends partial HTTP requests very slowly, tying up server threads without generating the traffic volume that would trigger network-layer alerts.
Prioritize anomalies that combine public exposure + sensitive data access + elevated privileges, since those combinations turn noisy availability spikes into potential breach indicators. A CPU spike on an internal batch processing server differs significantly from a CPU spike on an internet-facing API server with database credentials.
In ephemeral cloud environments where containers and instances come and go constantly, runtime visibility requires threat detection tools that automatically discover and monitor new workloads. Manual agent deployment cannot keep pace with modern deployment frequencies. You need monitoring that adapts as your environment changes.
Detect and investigate compromised workloads
Your infrastructure can be the source of attacks, not just the target. Attackers compromise cloud workloads and recruit them into botnets to attack others. Preventing this requires detecting when your resources are communicating with command-and-control infrastructure or exhibiting botnet behavior.
Watch for workloads communicating with known C2 servers, unusual outbound traffic patterns, or unexpected processes running on instances. A container that suddenly starts making thousands of outbound connections to random IP addresses on UDP port 53 might be participating in a DNS amplification attack against someone else.
This connects to the shared responsibility model. Cloud providers protect infrastructure from attacks targeting their networks, but customers must protect their workloads from being compromised and weaponized. If your EC2 instance becomes part of a botnet, that is your responsibility to detect and remediate.
Wiz's approach to DoS and DDoS detection in cloud environments
In cloud environments, availability threats extend beyond network floods. An attacker with compromised credentials can spin up expensive resources (Economic Denial of Sustainability), delete production databases, or modify security groups to expose internal services. None of these require flooding your network with traffic.
Wiz complements WAFs, CDNs, and cloud-native DDoS protection by providing workload-level visibility that network tools can't achieve:
Workload-level impact detection: Wiz Defend, powered by Wiz Sensor, detects the impact of DoS attacks on workloads, such as resource exhaustion and connectivity loss, through high-severity System Health Issues. Custom runtime rules can detect specific attack payloads, like rapid process creation, before they cause full system collapse. The Detection Engine uses thousands of Threat Detection Rules and behavioral baselines to identify anomalous activity, with all events logged for auditing.
Proactive attack surface reduction: Wiz Attack Surface Management identifies and validates exploitable misconfigurations, weak credentials, and vulnerabilities in internet-facing assets. This helps eliminate potential entry points or amplification vectors that attackers could use for DDoS attacks.
Wiz doesn't replace network-level DDoS mitigation. It adds the workload and configuration context that network tools miss. Sometimes understanding what's happening on the workload matters more than analyzing the traffic hitting it.
Get a demo to see how Wiz helps detect and respond to availability threats in your cloud environment.