As cyber threats continue to evolve, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks remain among the most disruptive risks facing organisations today. These attacks aim to overwhelm systems, networks, or online services, preventing legitimate users from accessing critical resources.

What was once a relatively simple form of disruption has developed into a complex threat landscape. Modern DDoS attacks use sophisticated techniques, large-scale botnets, and multiple attack vectors to amplify impact, frequently targeting sectors where availability is essential, including finance, government, healthcare, and education.

Understanding how denial-of-service attacks work, the different forms they take, and why they are difficult to detect is essential for any organisation that depends on digital services. Effective defence starts with clarity, not just on the attacks themselves, but on the behaviours and weaknesses they exploit. That clarity increasingly comes from having unified visibility across detection, response, and risk context through a security operations platform.

‍

What Is a DoS Attack and How Is It Different from DDoS?

A Denial of Service (DoS) attack attempts to make a system, network, or application unavailable by overwhelming it with malicious traffic or requests from a single source or limited number of sources. The aim is to exhaust resources such as bandwidth, memory, or processing capacity so legitimate users cannot access the service.

DoS attacks exploit weaknesses in network protocols, system configurations, or application behaviour. Although limited in scale, they can still cause serious disruption, particularly in environments with insufficient monitoring or redundancy.

When the same techniques are executed simultaneously from many compromised systems, the attack becomes a Distributed Denial of Service (DDoS) attack. DDoS attacks rely on botnets and amplification techniques to increase scale, making them harder to block and respond to effectively.

Types of Denial-of-Service Attacks: Volumetric Attacks

Volumetric attacks aim to consume network bandwidth and processing capacity by overwhelming a target with high volumes of traffic. The objective is simple: saturate resources until legitimate access is no longer possible.

‍

UDP Flood Attack

A UDP flood attack exploits how the User Datagram Protocol (UDP) sends data without first setting up or maintaining a connection between systems. UDP is a core internet protocol used to send short messages, known as UDP packets, quickly and without confirmation that they were received.

In a UDP flood, an attacker sends a high volume of these packets to random or unused ports on a target system. Because UDP does not involve a handshake or ongoing session, the target attempts to process every packet as it arrives. When packets reach ports where no service is listening, the system responds with ICMP “destination unreachable” messages, increasing outbound traffic and adding to overall resource strain.

This attack is effective because UDP traffic is widely used for everyday services such as streaming, voice, and DNS, and is often permitted by default. As a result, malicious traffic can blend in with legitimate activity until bandwidth, CPU, or network capacity is exhausted.

UDP floods are easy to launch because they require minimal setup, do not depend on maintaining connections, and can be generated at scale using readily available tools. They are commonly used as part of broader or multi-vector denial-of-service attacks.

Example:
An attacker sends a constant stream of short messages to a server, each one addressed to a different service that does not exist. The server still has to check every message and reply that the service is unavailable. As these replies add up, the server spends more time responding to useless traffic than handling real work. Before long, legitimate services slow down or stop responding altogether.

Mitigation focuses on limiting how much UDP traffic a system will accept in a short period and filtering out traffic that serves no clear purpose. Monitoring helps identify sudden changes in UDP activity so malicious traffic can be reduced before it overwhelms the network.

ICMP Ping Flood Attack

An ICMP Ping Flood attack abuses the Internet Control Message Protocol (ICMP), which is used by networks to send control and diagnostic messages, most commonly to check whether a device is reachable. ICMP operates separately from protocols like UDP or TCP and is not used to carry application data.

In normal operation, a ping sends an ICMP Echo Request, which is a simple message asking a device to respond and confirm it is online. The device replies with an Echo Reply. In a Ping Flood attack, the attacker sends a very large number of Echo Requests to a target in a short time. The target attempts to reply to each request, consuming bandwidth and processing resources until service quality degrades.

This attack is effective because ICMP plays a foundational role in network operation and troubleshooting and is often allowed by default. ICMP traffic is typically low-level, meaning it consists of small, infrequent messages rather than sustained data flows. As a result, sudden increases in ICMP traffic can resemble legitimate diagnostic activity in early stages, making detection difficult until resource exhaustion is already underway.

ICMP Ping Floods may be distributed across multiple systems or combined with reflection techniques, where requests are sent in a way that causes third-party systems to send replies to the victim, masking the attacker’s origin and increasing traffic volume.

Example:
An attacker begins sending a steady stream of ping requests to a server. Each request is small and harmless on its own, but the server automatically replies to every one. As the replies add up, the server’s network link becomes increasingly busy responding to pings instead of serving real users. Over time, normal traffic is delayed or dropped, even though nothing appears broken.

Mitigation focuses on limiting how many ping requests a system will respond to and identifying unusual increases in ICMP traffic. Rather than blocking ICMP completely, controls are used to reduce its impact while preserving essential network troubleshooting and error reporting.

DNS Amplification Attack

A DNS amplification attack is a Distributed Denial of Service (DDoS) attack that uses public DNS servers to generate amplified traffic directed at a victim.

The attacker sends DNS requests to open DNS servers while spoofing the victim’s IP address. The servers reply with much larger responses, sending them to the victim instead of the attacker. This attack is effective because DNS responses are significantly larger than the requests that trigger them, allowing a small input to produce a large volume of traffic.

Detection is challenging because the traffic originates from legitimate DNS servers, making it difficult to separate attack traffic from normal responses until congestion occurs. The attack relies on reflection and amplification, allowing attackers to hide their identity while increasing impact.

Example:
An attacker sends a small number of DNS lookup requests to thousands of publicly accessible DNS servers, forging the sender address so the requests appear to come from the victim. Each DNS server replies with a much larger response and sends it to the victim instead. The attacker sends very little traffic themselves, but the victim is suddenly hit with a flood of responses they never requested, saturating their network connection.

Mitigation focuses on identifying abnormal patterns of DNS responses, such as large volumes of replies sent to systems that did not request them. Reducing reliance on open DNS resolvers and ensuring DNS infrastructure is properly configured helps limit how much traffic can be amplified and reflected toward a target.

Types of Denial-of-Service Attacks: Protocol Attacks

Protocol attacks exploit how core internet protocols are designed to operate. Rather than targeting specific applications, they abuse standard behaviours in protocols such as UDP, TCP, ICMP, and DNS to exhaust system or network resources. Because these protocols are essential to normal communication and are often permitted by default, protocol attacks can be difficult to block without disrupting legitimate traffic.

TCP SYN Flood Attack

A TCP SYN flood attack is a Denial of Service (DoS) attack that exploits how TCP connections are started. TCP is one of the core communication protocols of the internet, the common language used by most web traffic, email, file transfers, and applications to reliably exchange data. A SYN message is the first step in a TCP exchange, signalling a request to begin a connection.

Under normal conditions, a TCP connection is established through a three-step process: the client sends a SYN message, the server responds to acknowledge it, and the client completes the exchange. In a SYN flood attack, the attacker sends large numbers of SYN messages to a target server using spoofed IP addresses but never completes the final step.

The server allocates resources for each request and waits for responses that never arrive. As these incomplete connections accumulate, the server’s capacity to accept legitimate traffic is exhausted, leading to service degradation or outages.

This attack is effective because it exploits normal protocol behaviour rather than software vulnerabilities, meaning even well-configured systems can be affected. Detection can be difficult, as SYN messages are a standard part of TCP traffic and early attack stages may resemble legitimate connection spikes.

Example:
A web server can only keep a limited number of connection attempts open at onetime. An attacker repeatedly asks the server to start new connections but never completes them. Each request looks normal, so the server reserves space and waits. Over time, all available connection slots are filled with unfinished requests. When real users try to connect, the server has nowhere to place them, so their connections fail or time out.

Mitigation focuses on limiting how many unfinished connection requests a server will hold open and how long it will wait before discarding them. Additional protections monitor for abnormal patterns where many connections are started but never completed, allowing malicious requests to be dropped before they block real users.

Ping of Death Attack

A Ping of Death is a Denial of Service (DoS) attack that exploits how some systems handle oversized ICMP packets. ICMP (Internet Control Message Protocol) is a network protocol used to send control and diagnostic messages, commonly through the ping command.

In normal operation, ping sends a small ICMP Echo Request to test whether a device is reachable, and the target responds with an Echo Reply. In a Ping of Death attack, the attacker sends an ICMP packet that exceeds the maximum allowed size. On vulnerable systems, this causes errors when the packet is processed.

This attack is different from an ICMP Ping Flood. A Ping Flood overwhelms a system with a high volume of legitimate-sized requests, while the Ping of Death relies on malformed, oversized packets rather than traffic volume.

The Ping of Death was effective because early operating systems did not properly validate packet size. Processing an oversized packet could cause buffer overflows, system crashes, or service interruption.

Today, the Ping of Death is largely not a common or effective attack. Modern operating systems and network devices enforce strict packet size limits and discard malformed ICMP packets before they can cause harm.

Example:
An attacker sends a single ping message that is far larger than a system expects to handle. An outdated device attempts to process the message instead of rejecting it. As it does, the system runs out of memory and crashes, causing the device to drop off the network until it is restarted.

Mitigation relies on keeping systems and network devices updated so they automatically reject oversized or malformed packets. Modern operating systems and firewalls do this by default, which is why this attack is now largely ineffective.

Smurf Attack

A Smurf attack is an ICMP-based denial-of-service attack that uses reflection, causing third-party systems to send large volumes of ping replies to a victim. The attack relies on IP spoofing and broadcast traffic to amplify its impact.

In a Smurf attack, the attacker spoofs the victim’s IP address and sends an ICMP Echo Request to a network’s broadcast address, which delivers the request to all devices on that network. Each device responds with an ICMP Echo Reply, directing its response to the victim rather than the attacker.

Although the attack uses ICMP, it differs from a direct ICMP Ping Flood. In a direct flood, the attacker sends traffic straight to the victim. In a Smurf attack, the attacker sends very little traffic themselves and instead causes many other systems to generate traffic on their behalf.

This attack is effective because a single spoofed request can trigger thousands of replies, quickly consuming the victim’s bandwidth and processing capacity. Because the replies come from legitimate devices, the traffic can initially appear normal, making detection more difficult.

Smurf attacks were common in the early days of the internet, when broadcast traffic was widely permitted. Today, they are far less common due to modern network configurations that disable broadcast responses by default.

Example:
An attacker sends a single ping request to a large internal network but forges the sender address so it appears to come from the victim. Every device on that network replies to the victim at the same time. The attacker sends only a small amount of traffic, but the victim is suddenly flooded with replies it never asked for.

Mitigation focuses on preventing networks from responding to broadcast requests and limiting how ICMP traffic is handled. Modern network configurations block this behaviour by default, which is why Smurf attacks are now rare. Keeping network settings up to date ensures systems cannot be used to amplify attacks against others.

Types of Denial-of-Service Attacks: Application-Layer Attacks

Application-layer attacks target how applications process requests rather than how networks handle traffic. Instead of overwhelming bandwidth, these attacks exploit application logic, request handling, or input processing to exhaust server resources. Because the traffic often looks legitimate and uses standard protocols like HTTP, application-layer attacks are among the hardest denial-of-service attacks to detect and mitigate without impacting real users.

HTTP Flood Attack

An HTTP flood attack is an application-layer Denial of Service (DoS) attack that targets websites and online services by overwhelming web servers with large numbers of HTTP requests that appear legitimate.

There are two common forms of HTTP flood attacks: HTTP GET floods and HTTP POST floods. In a GET flood, the attacker repeatedly requests web pages or resources such as images and scripts. In a POST flood, the attacker submits large numbers of form requests containing data, mimicking normal user interactions. In both cases, the server must fully process each request.

This attack is effective because HTTP traffic is expected and constant. Web servers are designed to accept and process HTTP requests continuously, and blocking them outright would also block real users. As a result, even a moderate increase in request volume can overwhelm application logic, backend systems, or databases.

Detection is difficult because the requests closely resemble normal behaviour. Attackers often randomise request parameters, such as URLs, query strings, form fields, or headers, so that each request looks slightly different. This prevents traditional security controls from relying on static patterns or signatures to identify malicious traffic.

HTTPS does not prevent HTTP flood attacks. While HTTPS encrypts traffic in transit, the server must still decrypt and process each request. This means encrypted requests can consume just as many, if not more, server resources, making HTTPS-protected sites equally vulnerable to application-layer floods.

A defining feature of HTTP floods is their focus on application processing rather than raw traffic volume. The attack succeeds by exhausting server resources through legitimate-looking requests rather than over whelming network bandwidth.

Example:
An attacker sends a steady stream of requests to a website, each one asking for a different page, image, or form submission. Individually, the requests look normal. Collectively, they force the website to repeatedly load pages, query databases, and generate responses.

As the server spends more time handling these requests, real users begin to experience slow page loads, timeouts, or failed transactions. There is no sudden spike in traffic, just sustained pressure that gradually exhausts the application’s ability to respond.

Mitigation focuses on spotting patterns that real users do not produce, such as unusually high request rates from the same sources or repeated requests that trigger heavy processing. Controls are then used to slow, challenge, or block this activity without disrupting normal users.

Slowloris Attack

A Slowloris attack is a low-rate application-layer Denial of Service (DoS) attack named after the slow-moving animal, reflecting how the attack works gradually rather than through sudden traffic spikes.

Slowloris targets a web server’s connection management logic, meaning the rules and limits the server uses to decide how many connections it can keep open, how long it will wait for requests to complete, and when to release resources.

In normal communication, an HTTP request is sent quickly and includes a termination sequence that tells the server the request is complete. The server processes the request and closes the connection, freeing capacity for others. In a Slowloris attack, the attacker sends HTTP requests very slowly and deliberately never completes them by omitting the termination sequence. The server treats these connections as valid but unfinished and continues to hold them open.

This exhausts the server’s ability to manage connections, not by overwhelming it with traffic, but by consuming its limited pool of open connection slots. Once those slots are filled, the server cannot accept new connections from legitimate users, even though overall traffic levels remain low.

Slowloris is difficult to detect because it generates minimal traffic and mimics normal behaviour. Traditional DoS protections that rely on traffic volume or request rate often fail to identify the attack until legitimate users are already blocked.

A defining feature of Slowloris is that it exploits how servers allocate and release connections, rather than how much data they can process.

Example:
An attacker opens hundreds of connections to a website and begins sending requests one character at a time, pausing between each update. Each connection looks normal but never finishes. The server patiently waits, keeping every connection open. After enough connections are tied up, new visitors cannot load the site, even though traffic levels remain low.

Mitigation focuses on limiting how long a server will wait for requests to finish, closing connections that progress too slowly, and monitoring for patterns where many connections remain open without completing. This prevents a small number of slow requests from blocking access for everyone else.

Regular Expression Denial of Service (ReDoS) Attack

A Regular Expression Denial of Service (ReDoS) attack is an application-layer DoS attack that exploits how applications process regular expressions, which are patterns used in software to search, validate, or filter user input such as form fields, URLs, or API requests.

Regular expressions are evaluated by a regex engine, a component of the application that attempts to match incoming input against a defined pattern. Some regex patterns are efficient and complete quickly, while others are poorly constructed and allow multiple ways to match the same input. When this happens, the engine repeatedly tries different matching paths before giving up.

In a ReDoS attack, an attacker submits specially crafted input designed to trigger this behaviour. The regex engine spends excessive time backtracking and re-evaluating possibilities, causing processing time to grow rapidly as input length increases. This processing happens inside the application itself, consuming CPU and blocking other requests, even though the input looks valid and traffic volume remains low.

This attack is effective because it targets application logic rather than network capacity. A single request can monopolise server resources, making the application slow or unresponsive. The issue is unrelated to SQL injection, which targets databases. ReDoS exploits pattern-matching logic, not query execution.

Detection is difficult because there is no traffic spike or malformed input. The application simply appears slow or unstable, making the issue easy to misdiagnose as a performance problem.

A defining feature of ReDoS is its reliance on algorithmic complexity, meaning the time required to process input increases disproportionately compared to the size of the input, eventually exhausting application resources.

Example:
A login page uses a complex regular expression to validate passwords before authentication. An attacker submits a single, unusually long password string designed to trigger excessive backtracking in the validation logic. The application thread handling the request becomes stuck processing the input, consuming CPU for several seconds.

While this is happening, other login attempts begin to queue behind it. Additional requests are delayed, not because of traffic volume, but because the application is busy processing one request. To monitoring systems, the issue looks like a sudden performance slowdown or application bug, not an attack. Within minutes, the service becomes effectively unavailable, despite receiving very little traffic.

Mitigation focuses on controlling how user input is processed, limiting input size, stopping requests that take too long to run, and testing applications to ensure they cannot be slowed down by a single request.

Why DoS and DDoS Attacks Matter

Denial of Service (DoS) attacks aim to disrupt availability by exhausting system resources. Distributed Denial of Service (DDoS) attacks apply the same techniques at scale, using many sources at once to amplify impact. While individual DoS attacks can still cause disruption, DDoS attacks represent the most significant availability threat facing organisations today.

Both DoS and DDoS attacks can result in direct financial loss through downtime, missed transactions, and contractual penalties. Repeated or prolonged outages also damage customer trust and brand reputation, particularly in sectors where availability is critical.

Beyond service disruption, these attacks can interfere with core business operations, from online payments to essential public services. In some cases, denial-of-service activity is used as a diversion, drawing attention away from other attack paths such as data compromise or unauthorised access.

Building Stronger Defences

Defending against DoS and DDoS attacks requires more than isolated controls. Effective resilience depends on the coordination of technology, people, and process. Infrastructure must be able to absorb and adapt to traffic surges, while response procedures remain current and tested against evolving attack techniques.

A mature Security Operations Centre (SOC) plays a central role by providing continuous monitoring, rapid detection, and coordinated response. By partnering with Smarttech247, organisations gain access to 24/7 managed detection and response, real-time threat intelligence, and experienced incident response teams focused on reducing impact and restoring availability.

Conclusion

DoS and DDoS attacks continue to evolve in scale, sophistication, and intent, affecting organisations across all industries. While the methods vary, the risk to availability, operations, and trust remains constant.

Sustained protection relies on proactive monitoring, fast response, and continuous improvement. With resilient infrastructure and the right security partner in place, organisations can maintain operational continuity and confidence, even in the face of persistent denial-of-service threats.

‍