Explaining Denial-of-Service (DoS) Attacks
Cyberattacks aren’t always about stealing data. Sometimes, the goal is much simpler and just as damaging: take you offline.
That’s exactly what a Denial-of-Service (DoS) attack does. By overwhelming your systems or exploiting weaknesses in your applications, attackers can make your website, apps, email, VPN or other online services unavailable to genuine users, right when you need them most.
Since 2020, the surge in remote work, cloud adoption and online services has made availability a critical part of cyber security. National cyber agencies now specifically warn that even short periods of downtime can have serious consequences for small and medium businesses.
This article covers:
- What DoS and distributed DoS (DDoS) attacks are
- How they work and the main types you should know
- The real impact on your organisation
- Practical, layered steps to prevent, detect and respond
- A quick readiness checklist for small and medium businesses
1. What Is a Denial-of-Service (DoS) Attack?
A Denial-of-Service attack is a cyberattack that disrupts the normal operation of a system, website, application or network so that legitimate users can’t access it.
Instead of breaking in to steal data, an attacker focuses on the “A” in the CIA triad (availability) by:
- Overloading servers or network links with more traffic than they can handle
- Consuming key system resources (CPU, memory, disk, database connections)
- Exploiting software bugs or misconfigurations that cause crashes or lock-ups
Because these attacks are carried out over the internet, they can originate from anywhere. That makes tracing and prosecuting offenders extremely difficult. They’re widely used by:
- Hacktivists (politically or socially motivated groups)
- Extortionists demanding payment to stop an attack
- Competitors or insiders engaging in sabotage
- Cybercriminals using DoS as a distraction while other attacks (like ransomware) are underway
Organisations of all sizes are targeted, from small ecommerce stores and professional services firms to large SaaS providers and government agencies.
2. DoS vs DDoS: What’s the Difference?
You’ll often see two closely related terms:
DoS (Denial-of-Service)
- Traditionally launched from a single source (one compromised machine or server).
- Still disruptive, but easier to detect and block at the network level.
DDoS (Distributed Denial-of-Service)
- Uses multiple systems, sometimes thousands or millions of devices, to attack at once.
- Devices are typically part of a botnet (a network of compromised machines and IoT devices under an attacker’s control).
- Traffic comes from many IP addresses in different locations, which makes blocking much harder.
Modern attacks are overwhelmingly DDoS. Guidance from agencies like CISA classifies DDoS attacks into three broad technical categories: volumetric, protocol and application-layer attacks. Volumetric attacks try to consume bandwidth, protocol attacks exploit weaknesses in network protocols, and application-layer attacks focus on specific web applications or APIs.
For most businesses, the effect is the same: your services are slow, unstable or completely unavailable.
3. How Do DoS Attacks Work? (In Plain English)
Any online service is constrained by three core limits:
- Network capacity – how much traffic your internet connection can carry
- Concurrent connections – how many users or sessions your application can handle at once
- System resources – CPU, memory, disk I/O, database connections, etc.
A DoS or DDoS attack works by pushing one or more of these limits past breaking point.
The Handshake Example
When someone visits your website over TCP:
1. Their device sends a connection request (a SYN packet) to the server.
2. The server replies with a SYN-ACK, records the pending connection in its half-open table and waits for the client’s acknowledgement (this exchange is the three-way “handshake”).
3. Once the client’s final ACK arrives and the handshake completes, normal browsing begins.
In a classic DoS scenario (a SYN flood):
- A compromised device sends huge numbers of SYNs, often with spoofed source addresses, and never sends the final ACK.
- The server reserves memory and a backlog slot for each “half-open” connection.
- Those entries sit there, with the server retransmitting its SYN-ACK, until they time out.
- While the backlog is full, the server can’t accept new legitimate connections.
Multiply that behaviour across tens of thousands of SYNs per second and your site effectively disappears from the internet, even though it’s technically still running.
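The half-open table described above, as an added simulation (this is not code from the original article). It models a server whose backlog holds a fixed number of pending handshakes that expire after a timeout, runs a spoofed SYN flood against it alongside legitimate clients, and then repeats the run with a simplified SYN-cookie scheme in which the server stores nothing until the client echoes back a keyed token. Backlog size (256), timeout (5 s), attack rate (2,000 SYNs/s) and legitimate rate (50 connections/s) are assumed values chosen to make the effect visible; real SYN cookies additionally fold a coarse timestamp and MSS hint into the TCP sequence number.

```python
"""Half-open connection table under a SYN flood, with and without SYN cookies.

Added example, not code from the original article. Backlog size, timeout and
packet rates are assumptions chosen to make the effect visible.
"""
import hashlib
import hmac
import random

TICK = 0.1  # simulated seconds per scheduling step


class Server:
    def __init__(self, backlog_size, syn_timeout, syn_cookies=False):
        self.backlog_size = backlog_size
        self.syn_timeout = syn_timeout
        self.syn_cookies = syn_cookies
        self.half_open = {}                  # (ip, port) -> expiry time
        self.secret = b"constructed-secret"  # a real stack uses a random, rotated key
        self.dropped_syns = 0

    def _cookie(self, ip, port):
        # Stateless: the SYN-ACK token is an HMAC over the client tuple, so the
        # server keeps no state until the client proves it received the SYN-ACK.
        return hmac.new(self.secret, f"{ip}:{port}".encode(), hashlib.sha256).digest()[:4]

    def _expire(self, now):
        for key in [k for k, t in self.half_open.items() if t <= now]:
            del self.half_open[key]

    def on_syn(self, ip, port, now):
        """Handle an incoming SYN. Returns the SYN-ACK token, or None if the SYN is dropped."""
        if self.syn_cookies:
            return self._cookie(ip, port)
        if len(self.half_open) >= self.backlog_size:
            self._expire(now)                # only timed-out entries free a slot
            if len(self.half_open) >= self.backlog_size:
                self.dropped_syns += 1
                return None
        self.half_open[(ip, port)] = now + self.syn_timeout
        return b"\x00\x00\x00\x00"           # classic stack: the table entry is the state

    def on_ack(self, ip, port, token, now):
        """Handle the client's final ACK. Returns True if the connection is established."""
        if self.syn_cookies:
            return hmac.compare_digest(token, self._cookie(ip, port))
        expiry = self.half_open.pop((ip, port), None)
        return expiry is not None and expiry > now


def simulate(syn_cookies, attack_rate=2000, legit_rate=50, duration=10.0,
             backlog_size=256, syn_timeout=5.0, seed=7):
    """Return the fraction of legitimate handshakes that complete during the flood."""
    rng = random.Random(seed)
    server = Server(backlog_size, syn_timeout, syn_cookies)
    legit_ok = legit_total = 0
    for step in range(int(duration / TICK)):
        now = step * TICK
        # Attacker: spoofed source addresses (constructed 203.0.113.0/24), never ACKs.
        for _ in range(int(attack_rate * TICK)):
            server.on_syn(f"203.0.113.{rng.randrange(256)}", rng.randrange(1024, 65536), now)
        # Legitimate clients: complete the handshake within the same tick (RTT ignored).
        for i in range(int(legit_rate * TICK)):
            ip, port = "198.51.100.10", 40000 + (step * 64 + i) % 20000
            legit_total += 1
            token = server.on_syn(ip, port, now)
            if token is not None and server.on_ack(ip, port, token, now):
                legit_ok += 1
    return legit_ok / legit_total


if __name__ == "__main__":
    print(f"no SYN cookies: {simulate(False):.0%} of legitimate handshakes complete")
    print(f"SYN cookies:    {simulate(True):.0%} of legitimate handshakes complete")
```

Without cookies the backlog fills within the first fraction of a second and, because the attacker’s spoofed SYNs always arrive first, every slot freed by a timeout is immediately re-taken, so almost no genuine visitor gets through; with cookies the server never stores anything for an unacknowledged SYN, so the flood costs it only CPU and bandwidth.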
Attackers can also:
- Spoof IP addresses so traffic appears to come from different locations.
- Abuse legitimate features (e.g. search or reporting) in abnormal volumes.
- Use third-party servers (like DNS or NTP) as “amplifiers” that turn small requests into massive responses aimed at your systems.
4. Flooding vs Crash Attacks
DoS and DDoS attacks broadly fall into two behavioural categories:
4.1 Flooding Attacks (Resource Exhaustion)
These are the most common. The attacker sends so much traffic or so many requests that your infrastructure simply cannot cope.
Examples include:
- ICMP (Ping) Floods
Attackers send a huge number of ICMP echo requests (“pings”), often with spoofed IP addresses. The target spends CPU and bandwidth processing and replying to pointless traffic.
- SYN Floods
Attackers send a stream of TCP SYN packets, usually with spoofed source addresses, and never complete the handshake. Each one occupies a slot in the server’s half-open connection table until it times out, so genuine connection attempts are turned away.
- UDP/TCP Floods
Attackers bombard random or specific ports with UDP or TCP packets. For each one the system has to check whether a service is listening and either respond (for a closed UDP port, typically with an ICMP “port unreachable” message) or drop the packet, which burns CPU and bandwidth on traffic that serves no purpose.
- HTTP Floods (Layer 7)
Seemingly “normal” web requests-page loads, searches, logins, API calls-are sent in large volumes, often using scripts or bots to mimic real users. Because the traffic looks legitimate, it can bypass simple network filters.
4.2 Crash Attacks (Exploit-Based)
Crash-style DoS attacks don’t rely on huge traffic volumes. Instead, they send malformed or specially crafted data that exploits a bug or weakness to make a service fail.
For example:
- Inputs that cause an application to run out of memory or enter an endless loop
- Malformed network packets that trigger parsing errors or buffer overflows
- Requests that hit unhandled edge cases, causing crashes or service restarts
These attacks exploit specific vulnerabilities in software. Regular patching and secure coding practices go a long way towards reducing this risk.
5. Types of DoS Attacks by Target
5.1 Network-Targeted DoS (Bandwidth Consumption)
Also called volumetric attacks, these aim to saturate your internet connection or edge devices:
- Massive volumes of traffic hit your routers, firewalls or load balancers.
- Your bandwidth is maxed out, so legitimate traffic can’t get through.
- Even if servers are healthy, users effectively lose access.
These attacks are often mitigated before traffic reaches your network-by your ISP, cloud provider or a specialist DDoS protection service.
5.2 System-Targeted DoS (Infrastructure Resource Depletion)
Here, the attacker wants to exhaust internal server resources such as:
- CPU and memory
- Disk I/O
- Connection tables
- Database connection pools or file handles
This might involve:
- Repeatedly opening and abandoning partial connections
- Forcing the system to perform expensive operations at scale
- Triggering behaviour that consumes memory without freeing it
Depending on the system, outcomes range from sluggish performance and intermittent errors through to complete crashes and potential data corruption.
5.3 Application-Targeted DoS (Layer 7)
These attacks focus on your applications and business logic rather than raw bandwidth. They target:
- Login forms and password reset flows
- Search and reporting features
- Shopping carts, payment processing pages or booking engines
- APIs that perform heavy database operations
Because the traffic can look like normal user activity (just more of it, or more cleverly arranged), application-layer attacks can slip past simple rate limits or basic network filters. OWASP highlights these as a major threat category for modern web applications.
6. The Real Business Impact of DoS and DDoS Attacks
It’s easy to think “we’re too small to be a target”, but data from government and industry consistently shows that small organisations are heavily affected by cyber incidents, including availability attacks.
Typical impacts include:
- Lost revenue
- Online stores can’t accept orders.
- Booking systems can’t take appointments.
- Customers abandon carts and go to competitors.
- Reputational damage
- Users expect services to “just work”.
- Repeated downtime erodes trust and customer loyalty.
- Operational disruption
- Remote workers may lose VPN access.
- Internal tools (email, intranet, CRM) may be affected if your connectivity is hit.
- Contractual and compliance issues
- SLAs may be breached if you can’t meet uptime commitments.
- Regulated industries may have specific availability requirements.
- Hidden long-term costs
- Emergency incident response and consulting fees.
- Infrastructure changes and security upgrades after the fact.
- Increased premiums or scrutiny from insurers.
7. How to Recognise a DoS or DDoS Attack
Early detection is half the battle. Common warning signs include:
- Sudden traffic spikes
- Big jumps in traffic with no corresponding marketing campaigns or news mentions.
- Traffic originating from unusual countries or networks.
- Slowness and timeouts
- Pages taking much longer to load than usual.
- Intermittent 502/503/504 errors from your web server or reverse proxy.
- Service-specific symptoms
- VPN sessions frequently dropping or failing to connect.
- Email queues growing without obvious cause.
- APIs timing out even under expected load.
- Strange patterns in logs
- The same expensive request (e.g. a search or report) repeated at machine speed from a handful of addresses.
- Odd or malformed packets hitting your firewall.
Distinguishing an attack from a legitimate traffic surge requires baseline monitoring: you need to know what “normal” looks like before you can identify “abnormal”.
8. Preventing and Mitigating DoS Attacks: A Layered Approach
There is no single product that makes you “DDoS-proof”. Effective defence is about layers of controls, from infrastructure design through to secure coding and operational processes. OWASP’s Denial-of-Service Cheat Sheet strongly emphasises this multi-layered strategy.
8.1 Start with Resilient Hosting and Architecture
- Choose a reputable hosting provider or cloud platform with native DDoS protection options or easy integration with specialist services.
- Use load balancers and auto-scaling where appropriate to handle traffic spikes more gracefully.
- Place public-facing applications behind a Content Delivery Network (CDN) and/or Web Application Firewall (WAF) that can absorb and filter malicious traffic.
8.2 Harden Your Network Perimeter
- Configure firewalls and routers to:
- Drop spoofed, malformed or obviously malicious traffic.
- Apply sensible rate limits to ICMP, SYN and other traffic types, and enable SYN cookies on internet-facing servers so half-open connections don’t tie up backlog state.
- Enforce ingress and egress filtering (BCP 38 source-address validation: drop outbound packets whose source address isn’t one of yours) so your own systems can’t be used to send spoofed traffic in attacks on others.
- Segment your network so an attack on one service (e.g. public website) doesn’t automatically knock out everything else (e.g. internal apps, VoIP).
- Use separate infrastructure or at least separate virtual networks for DNS, email, web apps and VPNs where possible.
8.3 Build More Resilient Applications
Application-layer DoS needs to be addressed at the code and design level:
- Avoid making heavy operations (complex reports, bulk exports) publicly accessible without controls.
- Implement caching for repeatable data (e.g. product lists, blog pages) to reduce load on databases.
- Enforce rate limiting and throttling per IP, user, token or API key for:
- Login attempts
- Signup and password reset flows
- Search and reporting features
- Expensive API endpoints
- Implement robust input validation and error handling so malformed inputs don’t trigger crashes or excessive resource usage.
- Design for graceful degradation, e.g. temporarily disabling non-critical features under heavy load instead of letting the entire application fail.
OWASP resources provide detailed, developer-friendly guidance for mitigating DoS at the application level.
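One way to implement the throttling and load-shedding bullets above, as an added example (not code from the original article or from any framework). It is a token-bucket limiter keyed on whatever you choose to limit (client IP, “ip|username” for logins, a user id or an API key), with a per-endpoint burst capacity, refill rate and cost so that a report request counts for more than a page view, plus a degraded-mode switch that refuses non-critical endpoints outright. The endpoint names, limits and costs are assumed values; the in-memory dictionary would be replaced by a shared store such as Redis in production so that every load-balanced instance enforces the same limit.

```python
"""Per-key token-bucket throttling for login, search and reporting endpoints.

Added example, not code from the original article or from any framework.
Limits, costs and endpoint names are assumed values.
"""
import time
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float
    updated: float


class RateLimiter:
    # endpoint -> (burst capacity, tokens refilled per second, cost per request)
    POLICIES = {
        "/login":   (5, 1 / 12, 1),   # 5 attempts, then one every 12 s
        "/search":  (20, 2.0, 2),     # 10 searches in a burst, then 1 per second
        "/reports": (3, 1 / 60, 1),   # 3 heavy reports, then 1 per minute
        "default":  (100, 20.0, 1),
    }
    NON_CRITICAL = {"/reports"}       # first things to switch off under load

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.buckets = {}
        self.degraded = False         # set True under heavy load to shed non-critical work

    def allow(self, key, endpoint):
        """Return (allowed, retry_after_seconds) for one request from `key` to `endpoint`."""
        if self.degraded and endpoint in self.NON_CRITICAL:
            return False, None        # feature disabled for now, not merely throttled
        capacity, refill, cost = self.POLICIES.get(endpoint, self.POLICIES["default"])
        now = self.clock()
        bucket = self.buckets.setdefault((key, endpoint), Bucket(capacity, now))
        # Refill in proportion to elapsed time, never beyond the burst capacity.
        bucket.tokens = min(capacity, bucket.tokens + (now - bucket.updated) * refill)
        bucket.updated = now
        if bucket.tokens >= cost:
            bucket.tokens -= cost
            return True, 0.0
        return False, (cost - bucket.tokens) / refill   # what to put in Retry-After


class FakeClock:
    """Deterministic clock for the demo; pass time.monotonic in real code."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """A credential-stuffing burst against one account, then a load-shedding decision."""
    clock = FakeClock()
    limiter = RateLimiter(clock)
    key = "203.0.113.9|alice"         # limit per source IP *and* target account
    outcomes = [limiter.allow(key, "/login")[0] for _ in range(7)]
    _, retry_after = limiter.allow(key, "/login")
    clock.advance(13)
    after_wait = limiter.allow(key, "/login")[0]
    other_ip = limiter.allow("198.51.100.1|alice", "/login")[0]   # separate bucket
    limiter.degraded = True
    shed = limiter.allow("api-key-1234", "/reports")
    return outcomes, retry_after, after_wait, other_ip, shed


if __name__ == "__main__":
    print(demo())
```

The composite “ip|username” key is deliberate: limiting on IP alone lets a botnet spread attempts across addresses, while limiting on username alone lets an attacker lock a victim out; combining them catches the common case without turning the limiter itself into a denial-of-service tool.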
8.4 Keep Software and Firmware Up-to-Date
Many crash-style DoS attacks exploit known vulnerabilities in:
- Operating systems
- Web servers and reverse proxies
- Databases and message brokers
- Routers, firewalls and VPN appliances
- IoT and “smart” devices
Practical steps:
- Maintain a patch management schedule for servers, network equipment and key applications.
- Replace or isolate end-of-life systems that no longer receive security updates.
- Disable or remove unnecessary services and ports that increase your attack surface.
8.5 Monitor, Alert and Log Effectively
You can’t respond to what you can’t see.
- Use centralised logging across firewalls, load balancers, application servers and cloud infrastructure.
- Implement metrics and dashboards for:
- Requests per second
- Error rates
- Latency
- CPU, memory and network utilisation
- Configure alerts for unusual spikes or patterns:
- Sudden surges to specific endpoints
- Rapid growth in error responses
- Bandwidth or CPU pegged at or near 100%
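As an added example that covers both the warning signs in section 7 and the per-window alerting above (this is not code from the original article): a small analyser that reads web access logs, buckets them into one-second windows and flags a window when requests per second far exceed the baseline, one source address or one endpoint dominates, or the 5xx rate climbs. The log lines are constructed in combined log format (one quiet second of browsing, then one second of HTTP flood against a search page); the baseline of 10 requests per second and the thresholds are assumptions you would tune from your own “normal” traffic.

```python
"""Flagging a Layer-7 flood in web access logs against a traffic baseline.

Added example, not code from the original article. The log lines below are
constructed; baseline and thresholds are assumptions to tune for your site.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m["ip"],
        "t": int(ts.timestamp()),
        "path": m["path"].split("?", 1)[0],   # group /search?q=1 and /search?q=2 together
        "status": int(m["status"]),
    }


def analyse(lines, baseline_rps, window=1, rps_factor=5.0, share=0.5, max_5xx=0.3):
    """Return [(window_start_epoch, [reasons...])] for windows that look like an attack."""
    buckets = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        buckets[rec["t"] // window * window].append(rec)
    alerts = []
    for start in sorted(buckets):
        recs = buckets[start]
        total = len(recs)
        rps = total / window
        reasons = []
        if rps > rps_factor * baseline_rps:
            reasons.append(f"{rps:.0f} req/s is over {rps_factor:g}x the baseline")
        ip, n_ip = Counter(r["ip"] for r in recs).most_common(1)[0]
        if n_ip / total >= share and n_ip > baseline_rps:
            reasons.append(f"{ip} sent {n_ip / total:.0%} of requests")
        path, n_path = Counter(r["path"] for r in recs).most_common(1)[0]
        if n_path / total >= share and rps > baseline_rps:
            reasons.append(f"{path} received {n_path} of {total} requests")
        err = sum(r["status"] >= 500 for r in recs) / total
        if err >= max_5xx:
            reasons.append(f"5xx rate {err:.0%}")
        if reasons:
            alerts.append((start, reasons))
    return alerts


def constructed_log():
    """One quiet second of normal browsing, then one second of HTTP flood on /search."""
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
    lines = []
    for i in range(8):
        lines.append(fmt.format(ip=f"198.51.100.{i + 1}", ts="10/Mar/2024:12:00:00 +0000",
                                path=["/", "/about", "/products"][i % 3], status=200))
    for i in range(120):
        ip = "203.0.113.5" if i % 4 else f"203.0.113.{10 + i % 40}"   # one bot dominates
        lines.append(fmt.format(ip=ip, ts="10/Mar/2024:12:00:01 +0000",
                                path=f"/search?q={i}", status=503 if i % 3 == 0 else 200))
    lines.append("not a log line at all")   # the parser must skip junk, not crash
    return lines


if __name__ == "__main__":
    for start, reasons in analyse(constructed_log(), baseline_rps=10):
        print(start, *reasons, sep="\n  ")
```

The same four checks map directly onto dashboard metrics (requests per second, top talkers, top endpoints, error rate); the point of computing them per window against a stored baseline is that a genuine marketing spike raises the first without the others, whereas a flood tends to trip several at once.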
8.6 Run Regular Tests and Drills
- Include DoS/DDoS scenarios in your incident response tabletop exercises.
- Work with service providers or specialist partners to perform controlled stress testing of critical applications, with your hosting or cloud provider’s prior agreement, since an unannounced load test looks exactly like an attack from their side.
- Review lessons learned and update your runbooks and infrastructure accordingly.
9. What to Do If You’re Under a DoS/DDoS Attack
When an attack is underway, minutes matter. Here’s a practical high-level playbook:
1. Confirm what’s happening
- Check monitoring dashboards and logs.
- Rule out internal causes (e.g. a new release, batch jobs, a marketing campaign).
2. Activate your incident response plan
- Assign an incident lead.
- Start an incident log (timeline, decisions, actions).
- Bring in infrastructure, application and security stakeholders.
3. Engage your providers
- Contact your ISP, hosting provider or cloud support.
- Ask what they’re seeing at their edge and what DDoS mitigation options they can activate (traffic scrubbing, upstream rate-limiting, etc.).
- If you use third-party DDoS protection, trigger your agreed response procedures.
4. Tighten controls at your end
- Apply more aggressive firewall and WAF rules.
- Temporarily block high-risk regions or suspicious IP ranges (accepting that a geographic block also cuts off any genuine users there).
- Turn off non-critical public features that consume a lot of resources.
5. Prioritise critical services
- Focus on keeping customer-facing and revenue-generating services online.
- Temporarily move less important systems offline if required to preserve capacity.
6. Consider “black hole routing” as a last resort
- Your ISP may offer to route all traffic to the targeted IP into a null route.
- This protects your wider network but makes the attacked service completely unreachable (good and bad traffic are dropped).
- Only use this if temporary full takedown of the service is acceptable while you regroup.
7. Communicate clearly
- Notify internal stakeholders promptly.
- Update customers via status pages, email or social channels with honest, non-technical messages and expectations.
8. Review and improve post-incident
- Analyse traffic patterns from the attack.
- Identify which controls worked and where you were blind or slow to respond.
- Update your architecture, playbooks and training accordingly.
10. Don’t Help Attackers: Securing Your Own Devices
Botnets used for DDoS attacks are often built from poorly secured servers, PCs, routers and IoT devices. If your environment isn’t properly secured, your systems could be:
- Used to attack others
- Blacklisted by other networks
- Consuming your bandwidth and computing power in the background
Reduce this risk by:
- Changing default passwords on all devices and using strong, unique credentials.
- Updating firmware on routers, firewalls, cameras, printers and other IoT/OT devices.
- Segmenting IoT devices away from critical systems.
- Monitoring outbound traffic for unusual volumes or destinations.
Securing your environment protects you and prevents your business from unintentionally participating in attacks elsewhere.
11. DoS & DDoS Readiness Checklist for Small & Medium Businesses
Use this quick checklist as a starting point during planning or audits:
- Hosting provider includes or supports DDoS protection.
- DNS is hosted with a reputable provider (ideally with built-in DDoS resilience).
- Public-facing applications are behind a CDN and/or WAF.
- Firewalls and routers are configured to drop spoofed and malformed traffic.
- Network is segmented so a hit on one service doesn’t take out everything.
- Systems, firmware and applications are regularly patched.
- Application endpoints, especially login and search, have rate limiting in place.
- Centralised logging and monitoring exist across infrastructure and apps.
- Alerts are configured for suspicious spikes and resource exhaustion.
- There is a documented incident response plan that covers DoS/DDoS.
- Staff know who to contact and what to do during an outage.
12. Short FAQ: Denial-of-Service (DoS) Attacks
1. Is a DoS attack the same as my website crashing?
Not always. A DoS or DDoS attack can cause your site to crash or become unstable, but outages also happen because of:
- Software bugs
- Misconfigurations
- Hardware failures
- Genuine traffic surges
To confirm a DoS attack, you need to look at traffic patterns, logs and resource usage, not just the fact that the site is down.
2. How long do DDoS attacks usually last?
Anything from a few minutes to several hours or even days. Some attackers run short tests, while others launch prolonged campaigns with changing techniques. DDoS-for-hire services commonly sell attacks in fixed time blocks (e.g. 15 minutes, 1 hour, 24 hours).
3. Can antivirus software stop a DoS attack?
No. Traditional antivirus helps protect individual devices from malware but doesn’t:
- Increase your bandwidth
- Expand server capacity
- Filter network-level attack traffic
You need network, infrastructure and application-level controls to prevent and mitigate DoS attacks.
4. Are small businesses really targets?
Yes. As section 6 notes, government and industry data consistently show that small organisations are heavily affected by cyber incidents, including availability attacks, and DDoS-for-hire services make an attack cheap to launch against anyone. Being small doesn’t make you invisible; it usually just means you have fewer people and less spare capacity to absorb an outage.
We hope this article answered your question, “What are denial-of-service attacks?”. DoS attacks are becoming more common and more sophisticated, especially as the number of poorly secured IoT devices grows. Understanding these attacks and taking the precautions above will substantially reduce the risk to your systems and networks. Do you need assistance building your cybersecurity strategy? Contact us or email us at cybersecurity@computingaustralia.group for a security plan tailored to your business.
Jargon Buster
ICMP flood – An Internet Control Message Protocol (ICMP) flood, also known as a ping flood, is a DoS attack in which an attacker tries to bring down a targeted device with large volumes of ICMP echo requests (pings).
SYN flood – A SYN (short for synchronize) flood, also referred to as a half-open attack, is a DoS attack that floods a server with connection requests without responding to the corresponding replies.
ISP – An internet service provider (ISP) is a company that offers internet and internet related services to individuals and other companies.
FAQ
What is a Denial-of-Service (DoS) attack in simple terms?
A Denial-of-Service attack is when an attacker intentionally overloads your website, application or network so that it can’t respond to real users. Instead of breaking in to steal data, the attacker’s goal is to take you offline or make your services unbearably slow.
What’s the difference between DoS and DDoS?
A DDoS (Distributed Denial-of-Service) attack uses many devices at once – often thousands of compromised computers, routers and IoT devices – to flood your systems. DDoS attacks are harder to block because the traffic comes from many different locations.
Do DoS attacks steal my data?
Not usually. A DoS or DDoS attack is primarily about disruption, not data theft. However, attackers sometimes use DoS as a distraction while carrying out other attacks (like phishing, account compromise or ransomware) elsewhere in your environment. That’s why it’s important to treat every serious DoS incident as a security event, not just a performance issue.
Can a DoS or DDoS attack affect my SEO and search rankings?
Yes, indirectly. Search engines don’t “penalise” you just for being attacked, but if your website is frequently unavailable, slow or returning errors when search engine bots try to crawl it, this can hurt user experience signals and indexing. Over time, repeated outages may lead to:
Are cloud services still vulnerable to DoS and DDoS attacks?
Yes. Cloud services are more scalable, but they are not immune. While major cloud providers have strong DDoS protections and massive capacity, attacks can still: