Companies rely on keeping websites and network resources available to users. Denial-of-service (DoS) attackers exploit that need by flooding networks and services with more traffic or requests than they can absorb. This page explains how these common attacks work and how to build effective defenses.

DoS attack definition

A denial-of-service attack sends traffic or requests at a target in order to overload or disrupt the systems behind it. Most DoS attacks flood the target with more packets, connections or requests than it can handle; a smaller class exploits a bug so that a single malformed input crashes the service. Either way, legitimate users can no longer reach it.

How does a DoS attack work?

Denial-of-service attacks originate from a single device or network location. That is what distinguishes them from distributed denial-of-service (DDoS) attacks, which coordinate many devices against one target.

Attackers exploit weaknesses in the target or in third-party services it depends on. Typical examples are protocol stacks that mishandle malformed packets, services that answer small queries with large responses (amplification), and connection or state tables that fill up faster than they can be cleared.

In the worst case the system or application crashes outright; more often it degrades until websites or remote connections become unusable, which is enough to count as a successful attack.

An attacker can mount a denial-of-service attack from an ordinary PC. Tools such as hping3 and LOIC generate large numbers of packets or requests. Source-address spoofing can hide where the packets come from, which buys the attacker time before defenders can filter or trace the traffic. Spoofing only works for connectionless traffic (ICMP, UDP, bare SYN packets); an HTTP flood has to complete a TCP handshake and therefore reveals its real source address.

The consequences of DoS attacks vary from inconvenient to catastrophic. Effects include:

  • System or website slowdown as attacks consume resources
  • Network-wide connectivity issues
  • Crashes that take websites or network servers offline
  • Secondary attacks launched while the DoS keeps security teams and monitoring systems busy

DoS-based attacks are also becoming more common. Attacks rose 150% in 2022 and represented 25% of all cyber attacks on government targets. Meanwhile, DoS incidents against financial targets grew 49% in 2024. Any organization that exposes a service to the internet is a potential target.

Types of denial of service attacks

Denial-of-service attacks come in many varieties, and the right defense depends on which one you face: bandwidth floods are absorbed upstream, state-exhaustion attacks need kernel or firewall settings, and application-layer attacks need controls in front of the web server.

Flood attacks

In this most familiar type of DoS attack, the attacker directs vast numbers of packets or connection requests at the target. Every packet has to be received and processed, and every connection request answered, so resource consumption climbs rapidly unless something upstream filters the traffic.

Flood attacks use three main methods. Attackers can send ICMP echo requests (pings) at their targets. They can saturate targets with User Datagram Protocol (UDP) datagrams, often aimed at closed ports so the target also wastes effort generating ICMP unreachable replies. Or they can send streams of TCP SYN packets (SYN floods) that start handshakes the attacker never completes.

ICMP and UDP floods are a contest of bandwidth: the attacker has to push more traffic than the target's links and upstream filters can absorb, otherwise the target keeps serving. SYN floods are different. Each half-open connection occupies an entry in the server's connection table until it times out, so a modest stream of small packets can exhaust the table long before the link is full. That is why SYN cookies, which let the server answer SYNs without storing state, are the standard mitigation.
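The following is an added example, not code from this page or from NordLayer. It shows why a SYN flood is detected by handshake completion rather than by bandwidth: the packet summary is constructed to mimic a parsed capture (timestamp, source, destination, TCP flags), the server address and the 60-byte size of a bare SYN are assumptions, and the thresholds are illustrative.

```python
"""Added example (not NordLayer's code): telling a SYN flood apart from normal
load by handshake completion, not by bandwidth.

The packet summary below is constructed for this example. Each line mimics
what a pcap parser would give you: timestamp, source, destination, TCP flags
(S = SYN, SA = SYN-ACK, A = ACK)."""
from collections import defaultdict

SERVER = "203.0.113.10"        # constructed address of the attacked server
BYTES_PER_SYN = 60             # assumption: a bare SYN is ~60 bytes on the wire


def build_sample():
    """Constructed capture: one real client, one host that only ever sends SYNs."""
    lines, t = [], 0.0
    for _ in range(3):                      # legitimate client: full handshakes
        lines.append(f"{t:.3f} 198.51.100.7 {SERVER} S"); t += 0.001
        lines.append(f"{t:.3f} {SERVER} 198.51.100.7 SA"); t += 0.001
        lines.append(f"{t:.3f} 198.51.100.7 {SERVER} A"); t += 0.001
    for _ in range(500):                    # attacker: SYN, then ignore the SYN-ACK
        lines.append(f"{t:.3f} 192.0.2.55 {SERVER} S"); t += 0.001
        lines.append(f"{t:.3f} {SERVER} 192.0.2.55 SA"); t += 0.001
    return "\n".join(lines)


def parse_packets(text):
    """'time src dst flags' lines -> list of (float, str, str, str)."""
    packets = []
    for line in text.strip().splitlines():
        ts, src, dst, flags = line.split()
        packets.append((float(ts), src, dst, flags))
    return packets


def handshake_stats(packets, server=SERVER):
    """Per client: SYNs sent to the server vs. ACKs that completed a handshake.

    The sample contains handshake packets only; on a real capture key by the
    full 4-tuple and count just the first ACK per connection, otherwise data
    ACKs from busy clients inflate the completion figure."""
    stats = defaultdict(lambda: {"syn": 0, "ack": 0})
    for _, src, dst, flags in packets:
        if dst != server:
            continue
        if flags == "S":
            stats[src]["syn"] += 1
        elif flags == "A":
            stats[src]["ack"] += 1
    return dict(stats)


def syn_flood_sources(stats, min_syns=50, max_completion=0.1):
    """Flag clients that start many handshakes and finish almost none."""
    flagged = {}
    for src, s in stats.items():
        if s["syn"] < min_syns:
            continue
        completion = s["ack"] / s["syn"]
        if completion <= max_completion:
            flagged[src] = {"syn": s["syn"], "half_open": s["syn"] - s["ack"],
                            "completion": completion}
    return flagged


def syn_flood_bitrate(syn_count, duration_s, bytes_per_syn=BYTES_PER_SYN):
    """Bandwidth the flood needs, in bit/s: the point is how small it is."""
    return syn_count * bytes_per_syn * 8 / duration_s


if __name__ == "__main__":
    stats = handshake_stats(parse_packets(build_sample()))
    for src, info in syn_flood_sources(stats).items():
        print(f"{src}: {info['half_open']} half-open connections, "
              f"{info['completion']:.0%} completed")
    print(f"flood bit rate: {syn_flood_bitrate(500, 1.0):.0f} bit/s")
```

Run as a script it flags 192.0.2.55 with 500 half-open connections and 0% completion, while the whole flood needs only about 240 kbit/s, far below any link capacity. Bandwidth graphs would not show it; the half-open connection count would.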

Buffer overflow attacks

This DoS attack type targets bugs in how a device handles input that exceeds what its buffers were sized for. Servers and network stacks use fixed-size buffers to handle packets and requests. Input that breaks the assumed limits can crash the application, and if the overflow overwrites adjacent memory it can corrupt the program's state or, in the worst case, allow code execution.

The Ping of Death is the classic example. Conceived in the 1990s, it sends an ICMP echo request in IP fragments whose reassembled size exceeds the 65,535-byte maximum an IPv4 datagram allows. Network stacks that did not check the reassembled length before copying the data overran their reassembly buffer and crashed.

The Heartbleed bug (CVE-2014-0160) is a related buffer bug, though an over-read rather than an overflow. It affected the TLS heartbeat extension in OpenSSL: a heartbeat request carries a payload and a length field, and vulnerable versions echoed back as many bytes as the length field claimed without checking that the payload was actually that long. The extra bytes came from adjacent process memory, up to 64 KB per request, which could include session cookies and private keys. Heartbleed is therefore a disclosure bug more than a denial of service, but it belongs here because the root cause is the same missing bounds check, and a stolen private key lets an attacker impersonate the server or decrypt captured sessions, opening the door to man-in-the-middle attacks.
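The following is an added example, not OpenSSL's code and not from this page or NordLayer. It models the missing bounds check behind Heartbleed in Python and places the check that fixed it beside it; since Python cannot read past a buffer, the over-read is simulated by putting the heartbeat record in front of a constructed "process memory" byte string. The same block includes the reassembled-length check whose absence the Ping of Death exploited. The secret in memory, the payload sizes and the 20-byte IP header are assumptions.

```python
"""Added example (not OpenSSL's or NordLayer's code): the missing bounds check
behind Heartbleed, modelled in Python, next to the check that fixed it, plus
the reassembled-length check that Ping of Death exploited the absence of."""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16                  # RFC 6520: at least 16 bytes of padding
IPV4_MAX_DATAGRAM = 65535     # 16-bit total-length field


def build_heartbeat(payload, claimed_length=None):
    """type(1) | payload_length(2) | payload | padding. claimed_length lets the
    sender lie about how long the payload is, as the Heartbleed exploit did."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * PADDING


def heartbeat_response_vulnerable(record, process_memory):
    """Pre-fix behaviour: trust payload_length and copy that many bytes from
    where the payload starts, running past the record into adjacent memory."""
    _, length = struct.unpack("!BH", record[:3])
    memory = record + process_memory           # model of the heap beyond the record
    echoed = memory[3:3 + length]
    return struct.pack("!BH", HB_RESPONSE, length) + echoed + b"\x00" * PADDING


def heartbeat_response_fixed(record, process_memory):
    """Patched behaviour: drop any record whose claimed payload, plus header and
    padding, does not fit inside the record that actually arrived."""
    if len(record) < 3:
        return None
    _, length = struct.unpack("!BH", record[:3])
    if 1 + 2 + length + PADDING > len(record):
        return None                            # silently discarded
    echoed = record[3:3 + length]
    return struct.pack("!BH", HB_RESPONSE, length) + echoed + b"\x00" * PADDING


def fragment_fits(frag_offset, frag_len, header_len=20):
    """Ping of Death check: would this IP fragment (offset field in 8-byte
    units) push the reassembled datagram past the IPv4 maximum? Assumes a
    header without options (20 bytes)."""
    return frag_offset * 8 + frag_len + header_len <= IPV4_MAX_DATAGRAM


# Constructed secret sitting in memory next to the record.
PROCESS_MEMORY = b"session=9f3a1c; -----BEGIN RSA PRIVATE KEY----- ..."

if __name__ == "__main__":
    honest = build_heartbeat(b"hi")
    lying = build_heartbeat(b"hi", claimed_length=64)
    print(heartbeat_response_vulnerable(lying, PROCESS_MEMORY))   # leaks the secret
    print(heartbeat_response_fixed(lying, PROCESS_MEMORY))        # None: dropped
    print(heartbeat_response_fixed(honest, PROCESS_MEMORY))       # echoes b"hi"
    print(fragment_fits(8140, 398))                               # False: oversized
```

The lying record is 21 bytes long but claims a 64-byte payload; the vulnerable function happily returns 64 bytes that include the constructed session cookie and key material, while the fixed function sees that 1 + 2 + 64 + 16 exceeds 21 and drops the record. The fragment at offset 8140 with 398 bytes of data is the last piece of a 65,510-byte ping: 65,120 + 398 + 20 is 65,538, three bytes over the limit.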

Amplification attacks

In amplification attacks, a small request produces a much larger response. These attacks abuse protocols whose servers answer short queries with long replies, such as DNS and NTP. Used maliciously, a few bytes of request become kilobytes of response aimed at the victim.

Amplification therefore depends on IP address spoofing. The attacker sends the DNS or NTP queries with the victim's address as the source, so every reflector sends its large reply to the victim instead of back to the attacker. Networks that filter outbound packets with spoofed sources (BCP 38 ingress filtering) make this much harder.

The Smurf attack shows how this works with ICMP. The attacker sends ICMP echo requests whose source address is forged to be the victim's, addressed to a network's broadcast address. Every host on that network that answers sends its echo reply to the victim, so one packet becomes as many packets as there are responding hosts. Most routers now drop directed broadcasts by default, which is why Smurf attacks are rare today.
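The following is an added example, not code from this page or from NordLayer. It measures the amplification factor for a given request and response size and detects reflected traffic in flow records by one property every amplification attack shares: the victim receives responses it never requested. The flow records, packet sizes and addresses are constructed; the reflector port list is illustrative.

```python
"""Added example (not NordLayer's code): measuring amplification and spotting
reflected traffic in flow records. The flow records and packet sizes are
constructed for this example; real factors depend on the query and server."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# UDP services commonly abused as reflectors (constructed, non-exhaustive list).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 19: "chargen", 11211: "memcached"}


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification factor: bytes the victim receives per byte the
    attacker sends with the victim's address as source."""
    return response_bytes / request_bytes


def unsolicited_responses(flows, local_net, reflector_ports=REFLECTOR_PORTS):
    """flows: (src, sport, dst, dport, nbytes). Return inbound UDP 'responses'
    from reflector ports for which no local host sent a matching request,
    keyed by (local host, service). A legitimate answer always follows a
    request from the same local host to the same server and port;
    reflected amplification traffic has none."""
    local = ip_network(local_net)
    requested = set()
    for src, sport, dst, dport, _ in flows:
        if ip_address(src) in local and dport in reflector_ports:
            requested.add((src, dst, dport))        # (local host, server, service port)
    suspects = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for src, sport, dst, dport, nbytes in flows:
        if ip_address(dst) not in local or sport not in reflector_ports:
            continue
        if (dst, src, sport) in requested:
            continue                                 # answer to a real outbound query
        entry = suspects[(dst, reflector_ports[sport])]
        entry["flows"] += 1
        entry["bytes"] += nbytes
    return dict(suspects)


def build_sample():
    """Constructed flows: one real DNS lookup, then 50 open resolvers and 20 NTP
    servers sending large replies to a local host that never asked them."""
    victim, dns = "203.0.113.10", "198.51.100.53"
    flows = [(victim, 40001, dns, 53, 64), (dns, 53, victim, 40001, 200)]
    for i in range(50):
        flows.append((f"192.0.2.{i + 1}", 53, victim, 40002, 3000))
    for i in range(20):
        flows.append((f"198.51.100.{i + 100}", 123, victim, 40003, 4000))
    return flows


if __name__ == "__main__":
    for (host, service), info in unsolicited_responses(build_sample(), "203.0.113.0/24").items():
        print(f"{host}: {info['flows']} unsolicited {service} responses, {info['bytes']} bytes")
    print(f"DNS factor in this sample: {amplification_factor(64, 3000):.1f}x")
```

The legitimate lookup to 198.51.100.53 is matched by its outbound request and ignored; the 50 DNS and 20 NTP replies have no matching request and are reported. In a real deployment the request set would be bounded by a time window; it is a plain set here to keep the logic visible.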

Resource exhaustion attacks

Resource exhaustion DoS attacks drain a finite resource on the target until nothing is left for legitimate work: CPU time, memory, file descriptors, the process table, disk space or a connection pool. Floods are one way to do this, but an attacker can also abuse a legitimate feature, such as an expensive search query or an upload endpoint, or run a malicious program on a host they already have access to.

The underlying weakness is the absence of limits. If any user or process is allowed to consume every available resource, a single misbehaving actor can take the system down. Per-user and per-process quotas (ulimit, cgroups, connection limits) keep most of the resource out of reach of any one actor.

Fork bombs are the textbook example. A fork bomb is a process that does nothing except spawn copies of itself; within seconds the process table is full and no new process, including an administrator's shell, can start. A per-user process-count limit stops it before it spreads, and monitoring that alerts on sudden spikes in process creation catches the attempt.

Application layer attacks

Denial-of-service attacks are not just network-layer threats. They can also operate at the application layer, where the requests look like ordinary client traffic but are chosen because they are cheap to send and expensive to serve: dynamic pages, database-backed searches, large downloads. The web server or the backends behind it run out of workers, memory or database connections long before the network link is full.

HTTP floods are the common application-layer DoS attack. They exhaust web servers with repeated HTTP requests. GET floods request pages, images or files that are costly to generate or large to serve; POST floods submit form data so that each request triggers server-side processing such as a login check or a search. Because each request needs a completed TCP handshake, HTTP floods cannot use spoofed source addresses, which also makes them easier to attribute and rate-limit.

Slowloris is another example. It opens many HTTP connections at once and keeps each one alive by sending partial request headers very slowly, never finishing the request. Servers that dedicate a worker or connection slot to each client hold those slots open waiting for the rest of the headers, and once every slot is taken, legitimate clients cannot connect. The traffic volume is tiny and each connection looks like a slow but legitimate client, so the attack is hard to spot in bandwidth graphs and easy to launch. Header-read timeouts and per-IP connection limits are the usual defenses.
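The following is an added example, not code from this page or from NordLayer. It covers both application-layer attacks above: a sliding-window detector over web-server access log lines for HTTP floods, and a detector over a connection table for Slowloris. Both inputs are constructed; the log format ("ts ip method path status"), the HEADERS_PENDING state name and the thresholds are assumptions chosen for the example.

```python
"""Added example (not NordLayer's code): two application-layer DoS detectors,
one over web-server access log lines for HTTP floods and one over a connection
table for Slowloris. Both inputs are constructed for this example; the log
format ('ts ip method path status') and the connection states are simplified."""
from collections import defaultdict


def peak_request_rate(log_lines, window_s=10.0):
    """Per client IP, the largest number of requests seen in any window_s span
    (sliding window over sorted timestamps)."""
    times = defaultdict(list)
    for line in log_lines:
        ts, ip, _method, _path, _status = line.split()
        times[ip].append(float(ts))
    peaks = {}
    for ip, ts_list in times.items():
        ts_list.sort()
        best, start = 0, 0
        for end, t in enumerate(ts_list):
            while t - ts_list[start] >= window_s:
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def http_flood_sources(log_lines, window_s=10.0, threshold=100):
    """IPs whose peak request rate exceeds what a human-driven client produces."""
    return {ip: n for ip, n in peak_request_rate(log_lines, window_s).items()
            if n > threshold}


def slowloris_suspects(connections, min_conns=20, min_age_s=30.0):
    """connections: (ip, state, age_s). Flag IPs holding many connections that
    have sat in HEADERS_PENDING (request line or headers incomplete) for a long
    time: a browser finishes its headers in milliseconds."""
    stale = defaultdict(int)
    for ip, state, age in connections:
        if state == "HEADERS_PENDING" and age >= min_age_s:
            stale[ip] += 1
    return {ip: n for ip, n in stale.items() if n >= min_conns}


def build_log():
    """Constructed: a browsing user (one request every 3 s) and a GET flood
    of 300 requests in 3 s against a search endpoint."""
    lines = [f"{i * 3.0:.3f} 198.51.100.7 GET /page{i} 200" for i in range(20)]
    lines += [f"{100 + i * 0.01:.3f} 192.0.2.55 GET /search?q=x 200" for i in range(300)]
    return lines


def build_connections():
    """Constructed: two normal clients and one host holding 150 half-sent requests."""
    conns = [("198.51.100.7", "ESTABLISHED", 2.0),
             ("198.51.100.8", "HEADERS_PENDING", 0.1)]   # just connected, still fine
    conns += [("192.0.2.66", "HEADERS_PENDING", 120.0 + i) for i in range(150)]
    return conns


if __name__ == "__main__":
    print("HTTP flood sources:", http_flood_sources(build_log()))
    print("Slowloris suspects:", slowloris_suspects(build_connections()))
```

The browsing user peaks at four requests in any ten-second window and is never reported; the flood source peaks at 300 and is. The connection-table check ignores a client that has only just connected and flags the host holding 150 connections that have been stuck in header reading for two minutes, which is what a per-IP connection limit plus a header timeout would have prevented.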

What is the difference between a DDoS attack and a DoS attack?

DoS stands for "denial-of-service" while DDoS stands for "distributed denial-of-service". One additional word makes a lot of difference to how these attacks work. Security teams need to be clear about these differences when crafting security strategies.

DoS attacks vs DDoS attacks

DoS attacks use a single device. DDoS attacks adopt a distributed model. Leveraging large numbers of devices in coordinated swarms gives DDoS attacks several features not found in standard DoS attacks.

  • DDoS attacks use large numbers of compromised devices organized into botnets. Devices include IoT equipment, smartphones and ordinary laptops. DoS attacks come from a single device.
  • DDoS attacks can send far larger volumes of traffic, enough to harm large corporate networks and saturate upstream links.
  • Distributed botnets are hard to take down, especially when there is no single command-and-control server. A DoS attacker can be traced to a single device and tends to leave more evidence behind.
  • DDoS swarms can disable targets more quickly. Bots attack from many directions at once, and blocking any one source makes little difference.

How to prevent a DoS attack?

DoS attacks disable websites, disrupt network traffic and can serve as cover for other attacks on your data. Companies need prevention strategies to detect, block and mitigate attacks when they occur.

1. Implement redundancy to handle DoS floods

Redundancy provides a fail-safe so you can ride out a DoS attack with less disruption. Spread traffic across many servers or cloud regions behind a load balancer, keep standby capacity that can be brought online as load rises, and back up workloads so that websites or business networks can be restored quickly.

2. Use Web Application Firewalls (WAFs)

Web Application Firewalls help protect against HTTP denial-of-service attacks at the application layer. Use them to rate-limit clients that send requests faster than a human could, block HTTP GET and POST floods at the edge before they reach the web server, challenge suspicious clients, and allowlist the IP ranges you know are legitimate.
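The following is an added example, not code from this page or from NordLayer, and not the rate-limiting implementation of any particular WAF. It shows the per-client rate limiting a WAF applies as a token-bucket limiter with an IP allowlist: a burst above the bucket size is cut off, the bucket refills at a steady rate, and allowlisted ranges bypass the limit. The capacity, refill rate and addresses are constructed.

```python
"""Added example (not NordLayer's code): the per-client rate limiting a WAF
applies, as a token-bucket limiter with an IP allowlist. Bucket sizes and the
client addresses are constructed for this example."""
from ipaddress import ip_address, ip_network


class TokenBucket:
    """capacity tokens, refilled at rate tokens per second; one request costs one."""

    def __init__(self, capacity, rate, now):
        self.capacity, self.rate = capacity, rate
        self.tokens, self.updated = float(capacity), now

    def take(self, now):
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """One bucket per client IP; allowlisted networks are never limited."""

    def __init__(self, capacity=100, rate=10.0, allowlist=()):
        self.capacity, self.rate = capacity, rate
        self.allowlist = [ip_network(n) for n in allowlist]
        self.buckets = {}

    def allow(self, client_ip, now):
        """True if the request should be forwarded, False if it gets a 429."""
        addr = ip_address(client_ip)
        if any(addr in net for net in self.allowlist):
            return True                       # trusted partner or monitoring ranges
        bucket = self.buckets.get(client_ip)
        if bucket is None:
            bucket = self.buckets[client_ip] = TokenBucket(self.capacity, self.rate, now)
        return bucket.take(now)


def simulate_burst(limiter, client_ip, count, start, spacing=0.0):
    """Send count requests from client_ip starting at time start; return how
    many the limiter let through."""
    return sum(limiter.allow(client_ip, start + i * spacing) for i in range(count))


if __name__ == "__main__":
    waf = RateLimiter(capacity=100, rate=10.0, allowlist=["198.51.100.0/24"])
    print(simulate_burst(waf, "192.0.2.55", 150, start=0.0))     # 100 pass, 50 blocked
    print(simulate_burst(waf, "192.0.2.55", 15, start=1.0))      # 1 s later: 10 refilled
    print(simulate_burst(waf, "198.51.100.7", 150, start=0.0))   # allowlisted: all pass
```

A flood source that fires 150 requests at once gets 100 through and then a 429 for the rest; a second later the bucket has only ten new tokens, so sustained throughput is pinned to the refill rate regardless of burst size. Keep the allowlist short: every range on it is a range the limiter will not protect you from.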

3. Reduce the attack surface

DoS attacks use whatever you expose. You can disarm many of them by limiting what is reachable: close ports and shut down services you do not use, put the rest behind a firewall-protected gateway, and segment the network so that critical assets are not reachable from the internet at all.

4. Implement Role-Based Access Control (RBAC)

Role-based access control assigns user access rights according to job roles. It does not stop a DoS attack, but it limits what an attacker can reach if an account is compromised while the attack keeps your security team busy.

How to Implement Role-Based Access Control
  1. Assign roles with specific access permissions to minimize exposure of critical systems. If attackers breach an account, they will not control the whole network. Restrict administrative roles to the few people who need them.
  2. Monitor denied access attempts for signs of possible attacks. A spike in failed login attempts could indicate credential stuffing, phishing fallout or reconnaissance ahead of a larger attack. Regularly review permissions and adjust roles to close gaps.
  3. Use logging to spot unusual patterns. Logs help teams notice abuse of permissions or repeated resource-heavy requests before they become outages. This proactive approach strengthens defenses against resource exhaustion and other DoS tactics.

5. Network segmentation

Network segmentation limits the impact of DoS attacks by isolating systems. If attackers overwhelm one part of the network, segmentation blocks them from reaching other areas.

Here's how it helps prevent attacks and improve security:

  • Stops lateral movement. Attackers get trapped in isolated segments, reducing the risk of spreading.
  • Limits access. Only authorized users can reach certain segments, protecting sensitive resources.
  • Speeds up detection. Smaller segments make it easier to spot unusual activity.
  • Boosts performance. Segmentation prevents one overloaded area from slowing down the entire network.
  • Supports compliance. Many regulations require limiting data access to authorized users.
  • Private VPN gateways help absorb attacks. With a private gateway, the address an attacker sees is the gateway's, not the company network's, so the gateway takes the impact of a DoS attack and the internal network stays out of direct reach. NordLayer provides such gateways as a managed service.

With NordLayer, setting up private gateways takes minutes. Create separate Virtual Private Gateways, define network segments and assign teams to control access. Use the Cloud Firewall feature to apply custom security rules to each segment, strengthening protection.

6. Secure Remote access

Securing remote access keeps your own devices from being hijacked into botnets and keeps attackers from reaching internal services through remote endpoints. VPNs or Zero Trust solutions reduce the risk of devices being compromised and used to launch DoS attacks.

Remote Access VPN and Zero Trust Network Access (ZTNA) ensure only verified users can connect to your network. Network Access Control (NAC) adds extra protection by blocking access from untrusted devices. These combined measures help stop bad actors from exploiting remote endpoints for attacks.

NordLayer’s Secure Remote Access boosts defenses with encrypted connections, identity verification, and threat prevention. Identity and Access Management (IAM) verifies users before granting access to sensitive resources. Multi-Factor Authentication (MFA) adds an extra security layer to protect accounts. DNS Filtering by category blocks malicious sites, preventing malware infections that turn devices into attack tools. These solutions help organizations secure remote access, control network entry, and reduce the risk of DoS attacks.

7. Use Deep Packet Inspection (DPI)

DPI is also valuable. Generally built into next-generation firewalls, DPI inspects packet payloads rather than just headers, so it can recognize attack traffic by its content: malformed packets, known tool signatures, requests that do not match the protocol the port is meant for. That catches floods a header-only filter would pass, including traffic whose source address is spoofed and therefore cannot be blocked by address alone.

8. Implement real-time network threat monitoring

Threat monitoring tools continuously watch for suspicious patterns such as repeated requests from one source, a sudden rise in half-open connections, or a traffic spike that does not match the usual daily curve. Baselines, whether tuned by hand or learned by machine-learning models from past traffic, add precision by flagging deviations from normal rather than relying on fixed thresholds.

Networks face a never-ending threat of denial of service attacks. However, proactive monitoring and traffic management tools make networks hard to attack and easier to defend.

9. Use caches to prevent website attacks

Content Delivery Networks (CDNs) reduce the impact of DoS attacks by caching frequently accessed web resources at edge nodes, so requests for cached content are served by the CDN and never reach your web servers; their large, distributed capacity also absorbs bandwidth floods. Requests for dynamic, uncacheable content still reach the origin, so pair a CDN with rate limiting and a WAF.

Companies can reduce DoS risks with a step-by-step approach. First, build redundancy to handle traffic spikes. Next, use WAFs and firewalls to block malicious requests. Then, limit attack surfaces with segmentation and secure remote access. Finally, monitor threats in real time and use CDNs to keep services running.