Before diving into DDoS, let's actually define it. What is DoS? What is DDoS? This definition is going to be important, especially if you are working for a company which provides security services to its clients. In that case, a client might come and say they're under attack, but is this actually a DDoS attack? You will have to define all the attack vectors carefully while making the agreement with the client. So in such a scenario, knowing what DDoS is, and the difference between DDoS and DoS, will be crucial.
So what is DoS? I took this definition from Wikipedia, as you can see, so we are going to focus on the important aspects and key words in this definition. Let me just quickly read it for you. In computing, a denial-of-service attack is a cyber attack in which the perpetrator seeks to make a machine or network resource unavailable. So here is one of the first key points: availability. In other words, if the attacker is making the resource on the host unavailable, then this is defined as DoS. Let's move on: to its intended users, by temporarily or indefinitely disrupting services.
So here, as you can see, is the second most important factor: disrupting services, either temporarily or indefinitely, of a host connected to the internet. Basically, this is what DoS is per definition. And when we move to DDoS: in a distributed denial-of-service attack, the incoming traffic flooding the victim originates from many different sources. As you can see, the main difference is that it's coming from multiple sources, and the volume is much higher. In other words, it's not coming from one single IP or one single user agent, but rather from many different sources. This is the main difference between DoS and DDoS. If your agreement with the client says that you will protect against DDoS attacks, and that includes only DDoS, then while detecting this traffic you need to be aware that you must check whether it is coming from one single source or from multiple sources.
Based on that, you can say that yes, it is your responsibility to protect the client's environment, or you might say no, this is not your responsibility, because this is not a DDoS attack. So in such scenarios, it's crucial to know the difference. In other words, it's relatively easy to distinguish DDoS from DoS: if it is from one single source, it is DoS; if it's coming from multiple sources, that is DDoS. But the real challenge sometimes is how to distinguish a DoS attack from a simple scan.
What do you do if your contract doesn't include protecting against scanning activities? In most cases, it isn't included. Therefore, for such scenarios, you must be prepared to identify what you are seeing. So what is the best way to do that? Checking the volume of the traffic alone is not the best idea, since the single-source property doesn't separate them: both a DoS and a scan are generated by a single source. So what do you do to identify it? Check the ports.
Let me show you quickly. Here we are looking at a sample traffic capture. When we check it more deeply, we can see that all the packets in this traffic have the same source IP. In other words, it's coming from one single source. This is the first thing to check. The next thing to check is the destination ports.
Here, as you can see, the destination ports are changing all the time; however, the destination IP is the same. So this indicates that a scan is going on: the source is not trying to disturb the destination's services, but rather trying to check what is running on the destination. As you can see, if one single source is generating the traffic towards the destination, it can be either a DoS or a scan, and the way to decide is to check the destination ports: whether all the traffic is going to some specific ports on which the host runs its services.
In other words, if that single source is trying to disrupt the services on that specific port of the destination, then a denial-of-service attack is going on. Not necessarily a DDoS attack, not a distributed one, since there's one single source, but rather one single source IP is generating all the traffic in order to disrupt the resources of the destination. However, if in the traffic capture you are seeing multiple destination ports, then it indicates that a scan is going on. Whether you should take action for a scan activity or not depends on your priorities, as well as the agreement between yourself and your client. But as an experienced person on that, I can tell you that in most cases no action is taken for scans unless there's really something suspicious about the source IP.
Usually you don't even have to do that. So let's wrap up. A DoS activity is generated by one single IP towards the same destination port. A DDoS activity is generated by multiple source IPs with a higher volume, and the destination is again specific ports of your services. However, a scan activity is nothing but traffic generated by one single source going towards all the ports of the destination IP.
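To make the wrap-up concrete, here is an added example (my own code, not part of the lecture) that applies those three rules to a set of flow records: group by destination IP, count distinct source IPs and distinct destination ports, total the packets, then label the destination as scan, DoS, DDoS or normal. The flow records, the addresses and the thresholds (PORT_SPREAD, VOLUME, MIN_SOURCES) are all constructed for illustration and are not taken from any real capture.

```python
from collections import defaultdict

# Constructed sample flow records: (src_ip, dst_ip, dst_port, packets).
# Addresses are RFC 5737 documentation ranges; the counts are made up.
SCAN_FLOWS = [("198.51.100.7", "203.0.113.10", port, 1) for port in range(1, 1025)]
DOS_FLOWS = [("198.51.100.7", "203.0.113.10", 443, 100) for _ in range(500)]
DDOS_FLOWS = [(f"192.0.2.{i}", "203.0.113.10", 443, 100) for i in range(1, 201)]
NORMAL_FLOWS = [
    ("192.0.2.5", "203.0.113.10", 443, 12),
    ("192.0.2.6", "203.0.113.10", 80, 4),
    ("192.0.2.7", "203.0.113.10", 443, 9),
]

# Thresholds are assumptions for illustration; tune them to the baseline
# traffic of the environment being monitored.
PORT_SPREAD = 20   # distinct destination ports that look like port enumeration
VOLUME = 10_000    # packets per destination that look like flooding
MIN_SOURCES = 10   # distinct sources before a flood is called "distributed"


def summarise(flows):
    """Per destination IP: distinct sources, distinct destination ports, packet total."""
    stats = defaultdict(lambda: {"sources": set(), "ports": set(), "packets": 0})
    for src, dst, port, packets in flows:
        entry = stats[dst]
        entry["sources"].add(src)
        entry["ports"].add(port)
        entry["packets"] += packets
    return stats


def classify(flows, port_spread=PORT_SPREAD, volume=VOLUME, min_sources=MIN_SOURCES):
    """Label each destination IP as 'scan', 'dos', 'ddos' or 'normal'.

    The order follows the lecture: first ask how many sources there are,
    then, for a single source, let the destination-port spread decide
    between a scan and a DoS rather than the raw volume.
    """
    verdicts = {}
    for dst, entry in summarise(flows).items():
        n_src = len(entry["sources"])
        n_ports = len(entry["ports"])
        packets = entry["packets"]
        if n_src == 1:
            if n_ports >= port_spread:
                label = "scan"          # one source, many ports: enumeration
            elif packets >= volume:
                label = "dos"           # one source, few ports, high volume
            else:
                label = "normal"
        elif n_src >= min_sources and packets >= volume and n_ports < port_spread:
            label = "ddos"              # many sources flooding the same service ports
        else:
            label = "normal"
        verdicts[dst] = {
            "label": label,
            "sources": n_src,
            "ports": n_ports,
            "packets": packets,
        }
    return verdicts


if __name__ == "__main__":
    for name, flows in [("scan", SCAN_FLOWS), ("dos", DOS_FLOWS),
                        ("ddos", DDOS_FLOWS), ("normal", NORMAL_FLOWS)]:
        print(name, classify(flows))
```

Run as a script it prints one verdict per destination for each constructed scenario. Two caveats when you apply these rules to real captures: a single attacker can spoof source addresses, so "many sources" in a capture proves many addresses, not many machines; and the thresholds have to come from the baseline of your own environment, because a busy service legitimately receives thousands of packets from many sources to the same port.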