TOS Flood

In a TOS (Type of Service) Flood, attackers manipulate the ‘TOS’ field of the IP header. This field has evolved over time and is now used for Explicit Congestion Notification (ECN) and Differentiated Services (DiffServ). While this type of flood isn’t seen too often, two types of attack may be launched based on this field. In the first, the attacker spoofs ECN packets in order to reduce the throughput of individual connections. This could cause the server to appear out of service or unresponsive to customers. In the second, the attacker sets the DiffServ class flags in order to potentially increase the priority of the attack traffic over that of non-attack traffic. Setting DiffServ flags isn’t a DDoS attack in itself; it is aimed at increasing the effectiveness of the attack.
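For defenders, both variants are visible in the same byte of the IPv4 header. The following is an added example, not part of the original article: it splits the TOS byte into its DiffServ code point (upper six bits) and ECN bits (lower two bits) and flags traffic from an untrusted ingress that carries unexpected DSCP values or an unusually high share of Congestion Experienced marks. The function names, the allowed-DSCP set, the 20% threshold and the sample headers are all assumptions constructed for illustration.

```python
import struct
from collections import Counter

# ECN codepoints in the low two bits of the TOS byte (RFC 3168).
ECN_NAMES = {0: "Not-ECT", 1: "ECT(1)", 2: "ECT(0)", 3: "CE"}

def split_tos(header: bytes):
    """Return (dscp, ecn) taken from byte 1 of a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    tos = header[1]
    return tos >> 2, tos & 0x3

def make_header(tos, src, dst):
    """Build a constructed 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0, 64, 6, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))

def audit(headers, allowed_dscp=frozenset({0}), ce_ratio_limit=0.2):
    """Flag unexpected DSCP values and an abnormal share of CE marks.

    allowed_dscp and ce_ratio_limit are assumed policy values; tune them
    to what the ingress interface is actually expected to carry.
    """
    dscp_seen, ecn_seen = Counter(), Counter()
    for h in headers:
        dscp, ecn = split_tos(h)
        dscp_seen[dscp] += 1
        ecn_seen[ECN_NAMES[ecn]] += 1
    total = sum(ecn_seen.values())
    findings = []
    unexpected = {d: n for d, n in dscp_seen.items() if d not in allowed_dscp}
    if unexpected:
        findings.append(("unexpected_dscp", unexpected))
    ce_ratio = ecn_seen["CE"] / total if total else 0.0
    if ce_ratio > ce_ratio_limit:
        findings.append(("high_ce_ratio", round(ce_ratio, 2)))
    return findings

# Constructed sample: 6 default packets, 3 marked DSCP 46 (EF), 3 marked CE.
SAMPLE = ([make_header(0x00, "192.0.2.10", "198.51.100.5")] * 6 +
          [make_header(0xB8, "192.0.2.11", "198.51.100.5")] * 3 +
          [make_header(0x03, "192.0.2.12", "198.51.100.5")] * 3)

if __name__ == "__main__":
    for name, detail in audit(SAMPLE):
        print(name, detail)
```

A common response to the first finding is to re-mark DSCP to the default class on untrusted ingress interfaces, so that externally set priority values are never honoured inside the network.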
