Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) are often used interchangeably, but they describe fundamentally different threat models — and require different defenses.
DoS: Single Source
A DoS attack originates from one machine or IP. It can be devastating against an unprotected server, but it has a straightforward mitigation: block the source IP. Rate-limiting a single IP address is trivial at any modern firewall.
DDoS: Distributed Sources
A DDoS attack involves thousands or millions of source IPs — compromised devices across the globe. Blocking individual IPs is futile; by the time you block 10,000, 10,000 more have joined. The mitigation must happen at the network level before traffic reaches your infrastructure.
- Botnet-driven DDoS: sources are compromised devices owned by innocent users.
- Reflection DDoS: traffic appears to come from legitimate servers (DNS, NTP, Memcached).
- Amplification DDoS: traffic volume is massively out of proportion to attacker bandwidth.
Why the Distinction Matters
Server-level defenses (fail2ban, iptables, nginx rate limits) can handle a DoS but will not survive a real DDoS. At 100 Gbps inbound, your firewall rules are evaluated on hardware whose uplink is already saturated, so dropping packets there gains nothing. Effective DDoS defense requires absorbing or dropping traffic upstream of your infrastructure — exactly what a reverse-proxy scrubbing layer provides.
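As an added example, not code from the original article, the following simulates the per-IP rate limit that the DoS section calls trivial and the DDoS section calls futile, so both claims can be seen in one run. It is a per-source token bucket of the kind behind fail2ban, iptables hashlimit or nginx limit_req, applied to two constructed traffic samples: one source at 500 req/s (a DoS) and 2,000 sources at 2 req/s each (a DDoS). The limiter, the addresses (RFC 5737 TEST-NET and 10.0.0.0/8) and the volumes are all constructed for illustration.

```python
# Added example, not from the original article: a per-source-IP token-bucket
# rate limiter run over constructed DoS and DDoS traffic samples. It shows why
# a per-IP rule cuts a single-source flood to its quota but passes a distributed
# flood whose sources each stay under the threshold. All addresses and volumes
# below are constructed.
from collections import Counter
import ipaddress


class TokenBucket:
    """Integer token bucket: time in ms, tokens scaled by 1000, so the
    outcome is deterministic (no floating-point drift)."""

    def __init__(self, rate_per_sec, burst, now_ms=0):
        self.refill_per_ms = rate_per_sec          # millitokens/ms == tokens/s
        self.capacity = burst * 1000
        self.tokens = self.capacity
        self.last_ms = now_ms

    def allow(self, now_ms):
        elapsed = now_ms - self.last_ms
        self.last_ms = now_ms
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_ms)
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class PerIpLimiter:
    """One bucket per source IP, the shape of `limit_req_zone $binary_remote_addr`."""

    def __init__(self, rate_per_sec, burst):
        self.rate, self.burst = rate_per_sec, burst
        self.buckets = {}

    def allow(self, ip, now_ms):
        bucket = self.buckets.get(ip)
        if bucket is None:
            bucket = self.buckets[ip] = TokenBucket(self.rate, self.burst, now_ms)
        return bucket.allow(now_ms)


def single_source_flood(ip, rps, seconds):
    """Constructed DoS sample: one IP sending `rps` requests per second."""
    step_ms = 1000 // rps
    return [(i * step_ms, ip) for i in range(rps * seconds)]


def distributed_flood(n_sources, rps_each, seconds, base="10.0.0.0"):
    """Constructed DDoS sample: many sources, each modest, staggered in time."""
    start = int(ipaddress.IPv4Address(base))
    step_ms = 1000 // rps_each
    reqs = []
    for k in range(n_sources):
        ip = str(ipaddress.IPv4Address(start + k))
        offset = k % step_ms                       # spread sources across the interval
        reqs.extend((i * step_ms + offset, ip) for i in range(rps_each * seconds))
    reqs.sort()                                    # arrival order, as a server would see it
    return reqs


def run_limiter(requests, rate_per_sec, burst):
    """Apply the per-IP limiter in arrival order; return (allowed, dropped)."""
    limiter = PerIpLimiter(rate_per_sec, burst)
    allowed = sum(1 for now_ms, ip in requests if limiter.allow(ip, now_ms))
    return allowed, len(requests) - allowed


def peak_aggregate_rps(requests):
    """What the uplink actually carries: the busiest one-second window."""
    per_second = Counter(now_ms // 1000 for now_ms, _ in requests)
    return max(per_second.values())


if __name__ == "__main__":
    RATE, BURST = 10, 20                           # 10 req/s per IP, burst of 20
    dos = single_source_flood("198.51.100.7", rps=500, seconds=10)
    ddos = distributed_flood(n_sources=2000, rps_each=2, seconds=10)
    for name, traffic in (("single-source DoS", dos), ("distributed DDoS", ddos)):
        allowed, dropped = run_limiter(traffic, RATE, BURST)
        print(f"{name:18s} peak {peak_aggregate_rps(traffic):>5} req/s  "
              f"allowed {allowed:>6}  dropped {dropped:>6}")
```

The single source is cut to its quota (119 of 5,000 requests pass: the 20-request burst plus 10 per second), while the distributed flood, eight times larger in aggregate at 4,000 req/s, passes in full because no individual bucket ever empties. The aggregate is visible in `peak_aggregate_rps`, but a per-IP rule has nothing to act on, and a single global limit would throttle legitimate users along with the flood, which is why the text moves mitigation upstream.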