How attackers bring global systems to a standstill
Introduction
In today’s digital world, businesses, governments, and individuals all depend heavily on online services. Whether it’s accessing a website, buying something online, streaming a film, or using a cloud application, we expect these services to be available whenever we need them.
But all of that comes grinding to a halt when a service suddenly becomes unavailable.
One of the most common ways cybercriminals disrupt online services is through a Denial of Service (DoS) attack. These attacks are designed to overwhelm systems, consume resources, and prevent legitimate users from accessing the services they need.
While DoS attacks may seem simple compared to sophisticated malware or ransomware campaigns, they can have significant financial, operational, and reputational consequences.
What is a Denial of Service attack?
A Denial of Service attack is a cyber attack that aims to make a computer system, website, network, or online service unavailable to its legitimate users – they are the ones who are denied the service.
Rather than stealing information or gaining unauthorised access, the attacker’s goal is to disrupt normal operations.
This can be achieved by overwhelming systems with data or requests for data, or by forcing the system to run resource-intensive operations.
Understanding availability in cyber security
Cyber security is built around three fundamental principles known as the CIA Triad:
- Confidentiality – Ensures information is only accessible to authorised users
- Integrity – Ensures information remains accurate and unaltered
- Availability – Ensures systems and data are accessible when needed.
Denial of Service attacks specifically target availability.
Their purpose is to prevent users from accessing services, applications, or information.
How does a DoS attack work?
Every computer system has a set of finite resources. These include:
- Network bandwidth
- CPU processing power
- Memory (RAM)
- Disk space
- Database connections
- Application threads
When legitimate users access a service, these resources are consumed in manageable amounts. Each user's request is allocated a small amount of those resources, and when the request has been fulfilled, those resources are freed up for other users.
A DoS attack attempts to exhaust these resources.
By way of analogy, imagine a restaurant that can comfortably serve 100 customers. On a regular day customers come and go, and as soon as a table is vacated, it is cleaned, reset and made ready for the next customer. At busy times, some customers may have to wait a short while before being served.
However, if 10,000 people suddenly arrive all at the same time, the staff will not be able to cope at all – their resources are depleted – and as such, legitimate customers experience unacceptable delays or may be unable to enter at all.
The same principle applies to computer systems.
Imagine a website that can handle 5,000 requests per minute.
Under normal conditions the site handles between 2,000 and 3,000 requests per minute, so there is enough head-room to satisfy bursts of requests quite easily. Everything works normally.
When an attacker launches a DoS attack, these requests may increase to 10,000 requests per minute for a sustained duration. The website now receives far more traffic than it can process.
As the available resources become consumed in an attempt to satisfy all the requests:
- Pages load slowly
- Users experience timeouts
- Services become unavailable
- The website may crash entirely
Types of denial of service attacks
DoS attacks come in several forms. Understanding the different categories helps explain how attackers exploit various weaknesses.
Volumetric attacks
Volumetric attacks attempt to consume all available network bandwidth. In this type of attack, the attacker floods the target with enormous amounts of traffic.
The objective is simple:
Saturate the network connection so legitimate traffic cannot get through.
Examples of volumetric attacks include:
- UDP floods
- ICMP floods
- Amplification attacks
Protocol attacks
Protocol attacks target weaknesses in network protocols. Instead of simply sending massive amounts of traffic, attackers exploit how systems manage connections and communications.
Examples of protocol attacks include:
- SYN floods
- Ping of Death
- Smurf attacks
These attacks consume resources on systems such as firewalls, load balancers, and servers.
Here, the volume of traffic may be relatively small, but the impact can still be significant.
Application layer attacks
Application layer attacks target specific services and applications.
Examples include attacking:
- Websites
- Application Programming Interfaces (APIs)
- Login pages
- Search functions
- Databases
Rather than overwhelming the network itself, attackers overwhelm the application.
For example:
A website search function may require complex database queries. If an attacker repeatedly submits expensive search requests, the server may become overloaded.
These attacks can be difficult to detect because they often resemble legitimate user behaviour.
Distributed Denial of Service (DDoS) attacks
A DoS attack typically originates from a single source, so stopping such an attack can be as simple as blocking that source from connecting to your systems. However, most modern DoS attacks are actually Distributed Denial of Service (DDoS) attacks.
These work in a similar way to a DoS attack but use multiple systems simultaneously.
So instead of one attacker sending traffic, a DDoS attack may involve thousands, maybe even hundreds of thousands, of devices.
Because the traffic originates from many different sources, it makes the attack much harder to block.
Understanding botnets
Many DDoS attacks rely on a botnet – a network of compromised devices controlled by an attacker.
These devices may include:
- Computers
- Servers
- Smartphones
- Security cameras
- Smart TVs
- Routers
- IoT devices
The device owners are often unaware their systems have been compromised. In many cases, each individual device only needs to transmit a small amount of data to a victim, so the device owner doesn’t see or feel any effect, such as their device becoming slow, but the victim is on the receiving end of tens of thousands of requests from all over the world.
When instructed by the attacker, every device begins sending traffic to the target simultaneously.
Even modest devices such as an IoT webcam can generate enormous attack volumes when combined with other devices in the botnet.
The Mirai botnet
One of the most famous DDoS attacks involved the Mirai botnet.
Mirai infected thousands of internet-connected devices, particularly IoT devices that used default passwords. These compromised devices were then used to launch massive DDoS attacks against online services.
The incident demonstrated how insecure devices can be weaponised on a global scale.
It also highlighted the growing security risks associated with connected technologies.
Common symptoms of a DoS attack
Organisations experiencing a DoS attack may observe:
- Slow website performance
- Intermittent service outages
- Network congestion
- Connection timeouts
- Unexpected spikes in traffic
- Increased CPU or memory usage
- Failed transactions
- User complaints about availability
These symptoms may also occur during legitimate traffic surges, which can make detection challenging.
Why do attackers launch DoS attacks?
Attackers have various motivations.
Financial gain
Some attackers demand payment to stop an attack. This is sometimes referred to as DDoS extortion.
In some ransomware attacks, attackers will DDoS the victim to add pressure to pay the ransom demand and to stop them from recovering their systems.
Political or ideological motivations
Hacktivist groups may target organisations to promote political, social, or ideological causes.
Competitive sabotage
Businesses may be targeted by malicious competitors seeking to disrupt operations.
Distraction
Attackers sometimes use a DoS attack to distract security teams while conducting other malicious activities.
For example:
- Data theft
- Malware deployment
- Account compromise
Revenge or personal grievances
Disgruntled individuals may attempt to disrupt services as retaliation against an organisation.
Real-world consequences
The impact of a successful DoS attack can be significant.
Financial losses
Organisations may lose revenue when customers cannot access services.
For e-commerce businesses, even a short outage can result in substantial losses.
Reputational damage
Customers expect reliable services.
Repeated outages can damage trust and brand reputation.
Operational disruption
Internal systems may become inaccessible, affecting employee productivity and business operations.
Incident response costs
Organisations often incur costs related to:
- Investigation
- Mitigation
- Recovery
- Infrastructure upgrades
How organisations defend against DoS attacks
Defending against DoS attacks requires multiple layers of protection.
Traffic filtering
Firewalls and security appliances can identify and block suspicious traffic.
Rate limiting
Rate limiting restricts how many requests a user or device can make within a specific timeframe.
This prevents abuse of applications and APIs.
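The following per-client token bucket is an added example, not code from the original article. It shows rate limiting throttling a single noisy source, and also why the same limiter does not stop traffic spread across many sources. The class and function names, the rate and burst values, and the traffic are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Bucket:
    tokens: float   # requests this client may still make right now
    last: float     # timestamp of the client's previous request

class TokenBucketLimiter:
    """Per-client limit: `rate` requests/second sustained, bursts up to `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def allow(self, client, now):
        b = self.buckets.setdefault(client, Bucket(self.burst, now))
        # Refill in proportion to elapsed time, capped at the burst size.
        b.tokens = min(self.burst, b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1:
            b.tokens -= 1
            return True
        return False   # the caller would answer with HTTP 429 or drop the request

def replay(requests, rate=2, burst=10):
    """Replay (timestamp_seconds, client) pairs; return (allowed, rejected)."""
    limiter = TokenBucketLimiter(rate, burst)
    allowed = rejected = 0
    for ts, client in requests:
        if limiter.allow(client, ts):
            allowed += 1
        else:
            rejected += 1
    return allowed, rejected

# Constructed traffic: 1,000 requests over 10 seconds in each case.
# One source sending 100 requests per second (documentation-range address):
single_source = [(i // 100, "198.51.100.7") for i in range(1000)]
# The same volume spread over 1,000 sources, one request each:
distributed = [(i // 100, f"client-{i}") for i in range(1000)]

if __name__ == "__main__":
    print("single source:", replay(single_source))   # (28, 972)
    print("distributed:  ", replay(distributed))     # (1000, 0)
```

The distributed case passes the per-client limit untouched, which is why rate limiting is only one of the layers described in this section.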
Load balancing
Load balancers distribute traffic across multiple servers.
This helps prevent individual systems from becoming overwhelmed.
Content Delivery Networks (CDNs)
CDNs distribute content across geographically dispersed servers.
By spreading traffic across multiple locations, CDNs can absorb large traffic spikes.
DDoS protection services
Specialised DDoS mitigation providers maintain infrastructure designed to absorb and filter attack traffic before it reaches the target.
Monitoring and detection
Continuous monitoring helps organisations identify unusual traffic patterns early and respond before services become unavailable.
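As an added example (not part of the original article), the detector below works on requests-per-minute counts and uses the article's figures: a capacity of 5,000, normal traffic of 2,000 to 3,000, and a sustained 10,000. The function name, the thresholds and the sample series are assumptions. It separates a short burst from sustained overload; it cannot tell whether the sustained traffic is an attack or a legitimate surge.

```python
from statistics import median

def sustained_overload(counts, capacity=5000, baseline_window=10,
                       factor=2.0, sustain=3):
    """Return the minute indexes at which an alert fires.

    A minute counts as overloaded when requests exceed both `capacity` and
    `factor` times the rolling median of recent normal minutes. The alert
    fires once, when `sustain` consecutive minutes have been overloaded.
    """
    alerts, streak, history = [], 0, []
    for minute, count in enumerate(counts):
        baseline = median(history[-baseline_window:]) if history else count
        if count > capacity and count > factor * baseline:
            # Overloaded minutes are kept out of the baseline, otherwise a
            # long flood would gradually become the new "normal".
            streak += 1
        else:
            streak = 0
            history.append(count)
        if streak == sustain:
            alerts.append(minute)
    return alerts

# Constructed requests-per-minute series.
normal = [2400, 2800, 2100, 3000, 2600, 2900, 2300, 2700]
# A burst inside the head-room, then a single minute over capacity.
burst = normal + [4800, 2500, 5600, 2700]
# Traffic jumps to 10,000 per minute and stays there.
flood = normal + [10000] * 6

if __name__ == "__main__":
    print("normal:", sustained_overload(normal))   # []
    print("burst: ", sustained_overload(burst))    # []
    print("flood: ", sustained_overload(flood))    # [10]
```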
The future of DoS attacks
As internet-connected devices continue to grow in number, attackers gain access to larger pools of systems that can potentially be exploited.
At the same time, organisations are becoming increasingly dependent on cloud services, APIs, and online platforms.
This means that availability remains a critical security concern.
Modern attacks are also becoming more sophisticated, often combining:
- Volumetric attacks
- Application attacks
- Automated bot activity
- Evasion techniques
As a result, defending against DoS attacks requires ongoing investment in security monitoring, infrastructure resilience, and incident response capabilities.
Conclusion
A Denial of Service attack is a cyber attack designed to make systems, websites, or services unavailable to legitimate users. By overwhelming resources such as bandwidth, processing power, memory, or application capacity, attackers can disrupt operations and cause significant business impact.
While the concept behind a DoS attack is relatively simple, modern Distributed Denial of Service attacks can involve thousands of compromised devices generating enormous amounts of traffic. These attacks can lead to financial losses, reputational damage, and operational disruption.
Understanding how DoS attacks work is an important step in understanding the broader cyber security landscape. As organisations continue to rely on online services, protecting availability remains just as important as protecting data confidentiality and integrity.