
What Is Denial-of-service? Security Definition

Also known as: Denial-of-service, DoS attack, DDoS, SYN flood, network security

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.


Quick Definition

A Denial-of-service (DoS) attack happens when someone floods a website or server with so many fake requests that real users cannot access it. It is like hundreds of people pushing into a store entrance all at once, blocking actual customers from getting in. The goal is to shut down the service temporarily or cause a crash.

Must Know for Exams

Denial-of-service is a core topic in CompTIA A+, Network+, and Security+ certification exams. In the A+ (220-1102) exam, DoS attacks appear in the security section. Candidates must recognize the characteristics of a DoS attack, such as system slowdowns, network unavailability, and flooding of resources. The exam may ask you to identify whether a given scenario describes a DoS attack or another type of threat like malware or phishing.

In the Network+ (N10-008) exam, DoS attacks are covered under network security and network operations. Objectives include understanding different attack types like SYN floods, ping floods, and DDoS. You should be able to recommend mitigation techniques such as using firewalls, access control lists, and traffic shaping. The exam may present a scenario where a network becomes unresponsive and asks you to determine the most likely cause and the best response.

The Security+ (SY0-601) exam covers Denial-of-service in depth. It falls under threats, attacks, and vulnerabilities. You must know the difference between DoS and DDoS, how amplification attacks work, and how to protect against them using strategies like blackholing, sinkholing, and deploying reverse proxies. Exam questions often describe a situation where a web server is receiving massive traffic from multiple sources and ask which tool or technique would best mitigate the attack. The Security+ exam also tests your understanding of application-layer DoS attacks, such as HTTP flood attacks that target the web server itself rather than the network.

Across all three exams, questions are typically scenario-based. They do not ask you to remember a definition. They describe a situation and ask what is happening, why it is happening, or what to do about it. For example, a question might describe a company whose website is loading slowly and then becomes completely unavailable. Users report error messages. The network administrator sees a huge amount of inbound traffic from hundreds of different IP addresses. The question asks: What type of attack is occurring? The correct answer is a Distributed Denial-of-service (DDoS) attack.

Simple Meaning

Imagine you run a small coffee shop with one door. Normally, customers come in one or two at a time, you serve them, and everything works fine. Now imagine that someone sends a hundred people to stand at your door, not to buy coffee, but just to block the entrance. No real customer can get in. You cannot serve anyone, and you might even have to close early because the chaos is too much to handle. That is what a Denial-of-service attack does to a website or an online service.

The attacker uses a computer or a network of computers to send a huge amount of data or requests to a target server. The server has limited resources like processing power, memory, and internet bandwidth. When it receives more requests than it can handle, it slows down dramatically or stops responding entirely. Legitimate users, like customers trying to access a bank or a shopping site, see error messages or timeouts.

Think of it like a post office sorting room. The workers can sort a few hundred letters per hour. If someone dumps a truckload of junk mail at once, the workers cannot find the real letters. They become overwhelmed, and genuine mail is delayed or lost. The same happens to a web server during a DoS attack. The attack does not steal data, but it causes a service outage, which costs money, damages reputation, and can even be part of a larger cyberattack.

There are different types of Denial-of-service attacks. Some flood the network with so much traffic that the internet connection is used up. Others send incomplete or malformed data that causes the server to crash. The simplest form uses one computer to attack a single target. A more powerful version, called a Distributed Denial-of-service (DDoS) attack, uses many computers across the internet to attack at once. This makes it much harder to stop because the traffic comes from many sources at the same time.

Full Technical Definition

A Denial-of-service (DoS) attack is a cybersecurity attack that aims to disrupt the normal functioning of a server, service, or network by overwhelming it with a flood of traffic or by exploiting vulnerabilities to cause a crash. The core objective is to exhaust the target's resources, such as bandwidth, processing power, memory, or session capacity, so that it cannot respond to legitimate requests.

In technical terms, a DoS attack works by sending a massive number of packets or requests to a target over a network protocol like TCP, UDP, or ICMP. One classic method is the SYN flood attack. In a normal TCP handshake, a client sends a SYN packet, the server responds with a SYN-ACK, and the client sends an ACK to establish a connection. In a SYN flood, the attacker sends a high volume of SYN packets with spoofed or nonexistent source IP addresses. The server reserves resources for each half-open connection and waits for the final ACK that never arrives. Eventually, the server's connection table fills up, and it cannot accept new legitimate connections.

Another common type is the UDP flood attack. The attacker sends many User Datagram Protocol (UDP) packets to random ports on the target. The server checks each port for a listening service. If no service is found, it sends an ICMP Destination Unreachable message back. This consumes the server's processing power and bandwidth. Similarly, an ICMP flood, or ping flood, overwhelms the target with Echo Request packets. The target must process each packet and send a reply, quickly draining its resources.

Amplification attacks, such as DNS or NTP amplification, use public servers to magnify the traffic. The attacker sends a small query with a spoofed source IP address (the victim's IP) to a vulnerable server. The server responds with a much larger reply to the victim. For example, a 64-byte DNS query might generate a 4000-byte response. By sending many small queries, the attacker creates a massive flood of traffic directed at the victim.

In real IT environments, Denial-of-service attacks are often detected using network monitoring tools that track traffic anomalies, such as a sudden spike in packets per second or bandwidth usage. Mitigation strategies include rate limiting, traffic filtering, using firewalls and intrusion prevention systems (IPS), and deploying dedicated DDoS protection services like cloud-based scrubbing centers. These services redirect traffic through a cleaning center where malicious packets are filtered out before the remaining legitimate traffic reaches the target.

Real-Life Example

Think of a busy public library with a single front desk. On a normal day, people walk in, one at a time, and check out books. The librarian can handle about ten people per minute. Now imagine someone hires a hundred people to walk in all at once, stand at the desk, and ask the same useless question repeatedly: Do you have a book about nothing? The librarian has to respond to each person. The line grows longer and longer. Real patrons cannot even reach the desk. They wait for a few minutes, then leave frustrated. Eventually, the librarian cannot keep up, the system freezes, and the library has to close its doors for the day.

This is exactly how a Denial-of-service attack works. The librarian is the server. The useless questions are the fake traffic. The real patrons are legitimate users. The attacker does not take anything or damage any property. They simply make the library unusable by flooding it with demands. The library stays closed until someone can clear out the crowd and restore order.

Now imagine the same attack happening at a bank. Hundreds of fake customers block the entrance. Real customers cannot deposit money or pay bills. The bank loses business and trust. For a website, this means lost sales, missed deadlines, and angry customers. The attack can last minutes, hours, or even days. Companies often have to pay for expensive protection services or hire cybersecurity teams to stop the attack and bring the service back online.

Why This Term Matters

Denial-of-service attacks matter in real IT work because they directly impact availability, which is one of the three pillars of information security along with confidentiality and integrity. For system administrators, network engineers, and security professionals, a successful DoS attack means downtime, lost revenue, and damage to the organization's reputation. E-commerce websites lose sales for every minute they are offline. Financial institutions risk losing customer confidence. Healthcare services may be unable to access critical patient data.

In cloud infrastructure, DoS attacks are particularly dangerous because they can overload shared resources. A single attack on one customer's server can affect other tenants on the same hardware, causing cascading outages. Cloud providers invest heavily in DDoS protection to isolate and absorb attacks before they reach customer workloads.

For cybersecurity professionals, understanding DoS attacks is essential for incident response. When a site goes down, the first step is to determine whether the cause is a technical failure, a misconfiguration, or an attack. Pattern analysis of traffic logs reveals whether the traffic is coming from many different IP addresses (indicating a DDoS attack) or from a single source (indicating a standard DoS attack). Proper mitigation requires knowledge of firewalls, load balancers, and traffic filtering rules.

Network performance monitoring also depends on distinguishing normal traffic spikes from attack traffic. Many organizations use baseline metrics for their usual traffic load. A sudden tenfold increase in traffic from unusual geographic regions or to unusual ports often indicates an attack. Without this understanding, businesses may spend hours troubleshooting a slow network that is actually under attack.
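The baseline-and-source analysis described in the two paragraphs above, as an added example rather than code from the original page: a small detector runs over constructed per-packet records, flags any second whose packet rate exceeds an assumed baseline by the spike factor, and then uses the number of distinct source addresses to label the spike DoS (one source) or DDoS (many sources). It also reports the share of bare SYNs, the "incomplete TCP connections" signal the exam scenarios mention. The baseline of 50 packets per second, the thresholds, the addresses and the record format are all assumptions chosen for the demonstration; a real deployment learns its baseline from its own traffic.

```python
from collections import Counter, defaultdict

# Assumed baseline learned from normal traffic (hypothetical value).
BASELINE_PPS = 50
SPIKE_FACTOR = 10           # a tenfold jump over baseline counts as a spike
DISTRIBUTED_THRESHOLD = 20  # more distinct sources than this means "many sources"


def build_sample_records():
    """Constructed flow records as (second, src_ip, tcp_flags) tuples.

    Seconds 0-2: normal traffic, 40 packets/s from 10 clients that complete
                 their handshakes (mostly ACK/data, one SYN in four).
    Second 3:    one host sends 800 SYNs and nothing else (single-source DoS).
    Seconds 4-5: 400 distinct hosts each send 2 SYNs per second (DDoS).
    All addresses come from documentation/private ranges and are constructed.
    """
    records = []
    for sec in range(3):
        for i in range(40):
            flags = "SYN" if i % 4 == 0 else "ACK"
            records.append((sec, f"192.0.2.{i % 10 + 1}", flags))
    for _ in range(800):
        records.append((3, "203.0.113.7", "SYN"))
    for sec in (4, 5):
        for i in range(400):
            src = f"10.{i // 256}.{i % 256}.9"
            records.extend([(sec, src, "SYN"), (sec, src, "SYN")])
    return records


def analyze(records, baseline_pps=BASELINE_PPS, spike_factor=SPIKE_FACTOR,
            distributed_threshold=DISTRIBUTED_THRESHOLD):
    """Return a per-second verdict: 'normal', 'DoS' or 'DDoS', with evidence."""
    per_second = defaultdict(list)
    for sec, src, flags in records:
        per_second[sec].append((src, flags))

    verdicts = {}
    for sec in sorted(per_second):
        pkts = per_second[sec]
        pps = len(pkts)
        sources = Counter(src for src, _ in pkts)
        # Share of bare SYNs: close to 1.0 means half-open connections pile up.
        syn_ratio = sum(1 for _, f in pkts if f == "SYN") / pps
        if pps < baseline_pps * spike_factor:
            verdict = "normal"
        elif len(sources) > distributed_threshold:
            verdict = "DDoS"      # many sources: blocking one IP will not help
        else:
            verdict = "DoS"       # one or a few sources: a firewall rule can help
        verdicts[sec] = {
            "pps": pps,
            "sources": len(sources),
            "top_source": sources.most_common(1)[0][0],
            "syn_ratio": round(syn_ratio, 2),
            "verdict": verdict,
        }
    return verdicts


if __name__ == "__main__":
    for sec, v in analyze(build_sample_records()).items():
        print(f"t={sec}s pps={v['pps']:>4} sources={v['sources']:>3} "
              f"syn_ratio={v['syn_ratio']:.2f} -> {v['verdict']}")
```

The verdict drives the response: for the single-source second the top source is the address to block at the perimeter, while for the distributed seconds the same step is pointless and the traffic has to be filtered or rerouted to a scrubbing service instead.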

How It Appears in Exam Questions

In certification exams, Denial-of-service appears primarily in scenario-based questions that test your ability to recognize, analyze, and respond to attacks. The most common question type presents a description of a network or system issue and asks you to identify the attack. For example, a company's email server becomes unresponsive during a marketing campaign. The network log shows an unusually high number of incomplete TCP connections. The question asks what kind of attack is occurring. The correct answer is a SYN flood attack.

Another common type is the mitigation question. The exam describes a DDoS attack that is flooding a web server with traffic from many IP addresses. It then asks which of the following measures would best protect the server. Options might include adding more bandwidth, installing an intrusion detection system, using a load balancer, or deploying a DDoS mitigation service. The correct answer is the mitigation service, because adding bandwidth alone does not stop the attack; it only raises the threshold the attacker has to exceed.

Troubleshooting questions also appear. For instance, a technician notices that the network is very slow. Users cannot access the internet. The technician runs a packet capture and sees thousands of ICMP Echo Request packets from a single IP address. The question asks what step the technician should take first. The correct answer is to block that IP address at the firewall, which is the immediate response before investigating further.

Architecture questions are less common but still appear. A question may ask about designing a network to resist DoS attacks. It might ask which configuration would help, such as placing a firewall at the network perimeter, using rate limiting, or configuring a reverse proxy server. You need to understand where different defenses are applied in the network stack.

Finally, some questions test your understanding of the difference between DoS and DDoS. They may present two scenarios and ask which one is a DDoS attack. The key distinction is multiple sources versus a single source. For example, a scenario where traffic comes from a thousand different IP addresses is a DDoS attack, while traffic from a single computer is a DoS attack.


Example Scenario

A small online bookstore called ReadMore has been growing steadily. One afternoon, the website suddenly slows down. Customers complain that pages take forever to load, and some get error messages. The owner checks the server and sees that the CPU usage is at 100%. The network monitor shows a huge spike in incoming traffic, mostly from the same region. The traffic consists of thousands of identical requests for the same page every second. The owner realizes that someone is attacking the site.

This is a classic Denial-of-service attack. The attacker is using a single computer or script to send a flood of requests, overwhelming the server. The legitimate customers cannot browse or buy books. The owner contacts the hosting provider, which blocks the attacking IP address at the network level. The traffic stops, and the site comes back online. The owner then implements rate limiting to restrict the number of requests from any single IP address to prevent future attacks.

Common Mistakes

Thinking a Denial-of-service attack always involves multiple computers

A DoS attack can come from a single computer. When multiple computers are used, it is called a Distributed Denial-of-service (DDoS) attack. The two terms are related but not identical.

Remember: DoS means one source. DDoS means many sources. Both aim to deny service, but the attack vector differs.

Believing that adding more bandwidth is the best defense against DoS attacks

Adding bandwidth can help handle more traffic, but it does not stop the attack. An attacker can always send more traffic if they have enough resources. Bandwidth alone is not a security measure.

Use dedicated mitigation tools like firewalls, rate limiting, and DDoS protection services. Treat bandwidth as a buffer, not a defense.

Confusing a Denial-of-service attack with a virus or malware infection

A DoS attack does not infect the target with malware. It does not steal data or install software. It simply floods the target with traffic. Malware and DoS are different categories of threats.

When a system is slow or crashing, check for traffic anomalies first. If the problem is high inbound traffic, it is likely a DoS attack. If the problem is caused by malicious software on the system, it is malware.

Assuming that firewalls always stop all DoS attacks

Firewalls can block some DoS attacks, but sophisticated attacks, especially DDoS, can overwhelm the firewall itself. Attack traffic can fill the firewall's connection table and cause it to fail.

Use a layered defense: firewalls, intrusion prevention systems, and cloud-based DDoS scrubbing services. Understand that no single device can stop all DoS traffic.

Thinking that DoS attacks only target large companies

Small businesses and individual websites are also common targets. Attackers may choose smaller targets because they have weaker defenses. No organization is too small to be attacked.

Even small sites should implement basic protections like rate limiting and monitoring. Assume that any public-facing service is a potential target.

Exam Trap — Don't Get Fooled

An exam question describes a server that is slow and unresponsive. The log shows many incomplete TCP connections from different IP addresses. The question asks: Is this a DoS or DDoS attack?

Many learners choose DoS because they see 'incomplete TCP connections' and think of a SYN flood, which is often associated with DoS. Always read the question carefully for source information. If the traffic comes from many different IP addresses, it is a DDoS attack, regardless of the specific technique used.

Remember: the distribution of sources is what separates DoS from DDoS.

Commonly Confused With

Denial-of-service vs Distributed Denial-of-service (DDoS)

A Denial-of-service (DoS) attack originates from a single source, while a Distributed Denial-of-service (DDoS) attack originates from many sources at the same time. DDoS is harder to block because the traffic comes from many different IP addresses.

If one person calls your phone repeatedly, that is a DoS attack. If a hundred different people call your phone at the same time, that is a DDoS attack.

Denial-of-service vs Brute-force attack

A brute-force attack tries to guess passwords or encryption keys by trying many combinations. A DoS attack does not try to guess anything; it overwhelms the target with traffic. The goal of a brute-force attack is unauthorized access, while the goal of a DoS attack is to make the service unavailable.

A brute-force attack on a login page tries thousands of passwords. A DoS attack on the same login page sends thousands of login requests to crash the server.

Denial-of-service vs Man-in-the-middle (MitM) attack

A Man-in-the-middle attack intercepts communication between two parties to eavesdrop or alter data. A DoS attack does not intercept traffic; it simply floods the target. MitM attacks aim to steal information, while DoS attacks aim to disrupt service.

A MitM attack on a bank website reads your password as you type it. A DoS attack on the same website prevents you from even loading the login page.

Denial-of-service vs Ping of death

The ping of death is a specific type of DoS attack that sends an oversized or malformed ICMP packet to crash the target. It is a technique, not a category. All ping of death attacks are DoS attacks, but not all DoS attacks are ping of death.

A ping of death attack sends a single packet that is too large. A standard DoS attack sends millions of normal-sized packets.

Step-by-Step Breakdown

1. Attacker selects a target

The attacker chooses a server, website, or network service to attack. The target could be anything from a small blog to a major e-commerce site. The attacker may have a personal grudge or a financial motive, or may be part of a hacktivist group.

2. Attacker prepares the attack method

The attacker decides which type of DoS attack to use. They may use a SYN flood, UDP flood, HTTP flood, or amplification attack. They also decide whether to use a single computer (DoS) or a network of compromised computers (DDoS).

3. Traffic is generated and sent to the target

The attacker runs a script or tool that sends a high volume of packets or requests to the target. In a DDoS attack, the attacker controls many computers, often infected with malware, to send traffic simultaneously. The traffic is designed to consume the target's resources.

4. Target's resources become exhausted

The target server or network device processes the flood of incoming requests. Its bandwidth is consumed, CPU usage spikes, memory fills up, and connection tables become full. The device cannot handle legitimate requests because it is busy processing the attack traffic.

5. Legitimate users cannot access the service

Real users trying to access the website or service encounter timeouts, slow loading, or error messages. The service is effectively down. For e-commerce sites, this means lost sales. For critical services, it can disrupt operations.

6. Detection and response

Network administrators or automated monitoring systems detect the anomaly. They identify the unusual traffic pattern, determine the source if possible, and begin mitigation. This may involve blocking IP addresses, filtering traffic, or rerouting through a DDoS protection service.

7. Attack is mitigated and service is restored

The attack traffic is blocked or absorbed, and the target's resources return to normal. The service becomes available again. Administrators may later conduct a post-incident analysis to improve defenses and prevent future attacks.

Practical Mini-Lesson

In practice, protecting against Denial-of-service attacks requires a combination of planning, monitoring, and response strategies. IT professionals must understand that DoS attacks are not just a network problem but can also target applications. For example, an HTTP flood attack sends seemingly legitimate web requests that look like normal traffic. These attacks are harder to filter because blocking a request for a web page might also block real users. To handle this, administrators use rate limiting on web servers to restrict the number of requests from a single IP address within a given time.
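The per-IP rate limiting that the ReadMore scenario and the paragraph above both describe, as an added example that is not part of the original page: a sliding-window limiter keeps the timestamps of each client's recent requests and refuses a request once the client has used its allowance for the window, which is the kind of check a web server or reverse proxy applies before doing any real work. The limit of 20 requests per 10 seconds, the client addresses and the request log are constructed for the demonstration; a real deployment keys on the client address the proxy actually sees and tunes the limit to the application.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds from each client IP.

    Timestamps of accepted requests are kept per IP in a deque; anything older
    than the window is discarded before a new request is judged, so the window
    slides instead of resetting on a fixed boundary (which a flood can exploit
    by bursting right after each reset).
    """

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = defaultdict(deque)

    def allow(self, client_ip, now=None):
        now = self.clock() if now is None else now
        hits = self._hits[client_ip]
        cutoff = now - self.window
        while hits and hits[0] <= cutoff:
            hits.popleft()                 # expire entries outside the window
        if len(hits) >= self.limit:
            return False                   # caller answers 429 Too Many Requests
        hits.append(now)
        return True


def build_sample_requests():
    """Constructed request log as (seconds, client_ip) pairs.

    203.0.113.7 fires 200 requests inside the first second (the flood), then
    one more after the window has slid past. 192.0.2.10 is a normal browser
    making five requests a couple of seconds apart.
    """
    reqs = [(i * 0.005, "203.0.113.7") for i in range(200)]
    reqs += [(t, "192.0.2.10") for t in (1.0, 3.0, 5.0, 7.0, 9.0)]
    reqs.append((11.5, "203.0.113.7"))
    return sorted(reqs)


def serve(requests, limit=20, window=10.0):
    """Run the log through the limiter; return per-IP served/rejected counts."""
    limiter = SlidingWindowLimiter(limit, window)
    outcome = defaultdict(lambda: {"served": 0, "rejected": 0})
    for t, ip in requests:
        key = "served" if limiter.allow(ip, now=t) else "rejected"
        outcome[ip][key] += 1
    return dict(outcome)


if __name__ == "__main__":
    for ip, counts in serve(build_sample_requests()).items():
        print(f"{ip:>12}: served={counts['served']} rejected={counts['rejected']}")
```

The normal client is never touched, the flooding address gets its first 20 requests and nothing more until the window moves on, and the server spends only a deque lookup per rejected request rather than rendering the page. The limiter does nothing against a distributed flood where each source stays under the limit; that case is what the CDN and scrubbing services in the next paragraphs are for.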

Another practical approach is to use a content delivery network (CDN) that distributes traffic across many servers. A CDN can absorb a large portion of the attack traffic because it has many points of presence. If one server is attacked, others can still serve users. This is called load distribution. Similarly, cloud-based DDoS protection services filter traffic before it reaches the target. They analyze traffic patterns and drop packets that match known attack signatures.

Professionals also need to know how to configure firewalls for DoS protection. Firewalls can block specific protocols, limit the number of connections from a single source, and drop malformed packets. For SYN flood protection, firewalls can use SYN cookies, which avoid storing half-open connections in the server's connection table. Instead, the firewall encodes connection information in the SYN-ACK response, so the server does not have to remember it.
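The SYN cookie mechanism described above, as an added example that is neither code from the original page nor any particular vendor's implementation. Here the listening server itself does what the paragraph attributes to the firewall: instead of recording a half-open connection for every SYN, it derives the SYN-ACK's initial sequence number from a keyed hash of the connection's addresses and ports plus a time slot, stores nothing, and only commits state when the client's ACK echoes a value that validates. The bit layout (5 bits of time slot, 3 bits of MSS index, 24 bits of hash), the MSS table, the secret, the addresses and the `SynCookieServer` class are all assumptions made for the demonstration.

```python
import hashlib
import hmac

# Hypothetical small table of MSS values the cookie can name with 3 bits;
# real stacks keep a similar table so the server can still honour the
# client's MSS without storing it.
MSS_TABLE = (536, 1400, 1440, 1460)


def _hash24(secret, src, dst, sport, dport, t):
    """24-bit keyed hash over the connection 4-tuple and the time slot."""
    msg = f"{src}|{dst}|{sport}|{dport}|{t}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, src, dst, sport, dport, mss, minute):
    """Build the 32-bit cookie used as the SYN-ACK's initial sequence number.

    Layout (assumed): top 5 bits = time slot (minute mod 32), next 3 bits =
    MSS index, low 24 bits = keyed hash. Nothing about the connection is kept.
    """
    t = minute & 0x1F
    fits = [i for i, v in enumerate(MSS_TABLE) if v <= mss]
    mss_idx = fits[-1] if fits else 0        # largest table entry the client accepts
    return (t << 27) | (mss_idx << 24) | _hash24(secret, src, dst, sport, dport, t)


def check_cookie(secret, src, dst, sport, dport, cookie, minute, max_age=2):
    """Validate a cookie echoed in the client's ACK; return the MSS or None."""
    t = (cookie >> 27) & 0x1F
    if ((minute & 0x1F) - t) & 0x1F > max_age:
        return None                          # slot expired: stale or replayed
    if (cookie & 0xFFFFFF) != _hash24(secret, src, dst, sport, dport, t):
        return None                          # forged, or for another 4-tuple
    return MSS_TABLE[(cookie >> 24) & 0x7]


class SynCookieServer:
    """Toy listener that answers SYNs statelessly and commits only on a valid ACK."""

    def __init__(self, secret, ip="198.51.100.5", port=443):
        self.secret, self.ip, self.port = secret, ip, port
        self.half_open = {}        # stays empty: a SYN flood has nothing to fill
        self.established = []

    def on_syn(self, src, sport, mss, minute):
        # Reply SYN-ACK whose sequence number is the cookie; store nothing.
        return make_cookie(self.secret, src, self.ip, sport, self.port, mss, minute)

    def on_ack(self, src, sport, ack, minute):
        # The client's ACK number is our cookie + 1 (modulo 2^32).
        mss = check_cookie(self.secret, src, self.ip, sport, self.port,
                           (ack - 1) & 0xFFFFFFFF, minute)
        if mss is not None:
            self.established.append((src, sport, mss))
        return mss


def simulate(secret=b"constructed-demo-secret"):
    """A real client completes the handshake; a forged ACK is refused;
    the half-open table never grows. Returns (legit_mss, forged, half_open, established)."""
    srv = SynCookieServer(secret)
    seq = srv.on_syn("192.0.2.10", 40000, 1460, minute=7)
    legit = srv.on_ack("192.0.2.10", 40000, (seq + 1) & 0xFFFFFFFF, minute=7)
    forged = srv.on_ack("192.0.2.66", 40001, 0x12345678, minute=7)
    return legit, forged, len(srv.half_open), len(srv.established)


if __name__ == "__main__":
    print(simulate())
```

The trade-off a practitioner should know: because nothing is stored, the cookie can only carry what its bits encode (here just an MSS index), so TCP options the client negotiated in its SYN are lost unless the stack has another place to put them. That is why production stacks normally enable cookies only once the half-open queue is under pressure rather than for every connection.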

What can go wrong? One common issue is that legitimate traffic gets blocked along with attack traffic. This is called collateral damage. For example, if the attack traffic originates in one country, an administrator might block all traffic from that country, but that also blocks real customers in that region. A more precise approach is to use rate limiting or CAPTCHA challenges instead of blanket blocks.

Connecting to broader IT concepts, DoS protection is part of a larger security strategy called defense in depth. This means having multiple layers of security so that if one layer fails, others still provide protection. Firewalls, intrusion detection systems, load balancers, and monitoring tools all work together. Understanding DoS attacks also connects to disaster recovery planning. An organization must have a plan for how to restore services after an attack, including backups and alternative network paths.

Memory Tip

Think of DoS as a Drowning by Overwhelming Signal: one source floods the server so no one else can speak.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

N10-008 → N10-009 (current version)
SY0-601 → SY0-701 (current version)


Frequently Asked Questions

Can a Denial-of-service attack damage hardware?

No, a DoS attack typically does not damage hardware. It overloads the service with traffic, causing it to become unresponsive. However, in rare cases, poorly designed hardware may overheat or fail under extreme load.

How long does a typical DoS attack last?

A DoS attack can last from a few minutes to several days. The duration depends on the attacker's resources and the target's defenses. Many attacks are short and designed to cause temporary disruption.

Is a DDoS attack the same as a DoS attack?

Not exactly. A DoS attack comes from one source, while a DDoS attack comes from many sources. DDoS attacks are generally more powerful and harder to block because the traffic originates from many different IP addresses.

What should I do if I think my website is under a DoS attack?

First, contact your hosting provider or IT team immediately. They can analyze the traffic and block the attack at the network level. Do not try to handle it alone. After the attack, review your security measures and consider adding DDoS protection services.

Can a firewall fully protect against DoS attacks?

A firewall can help, but it cannot stop all DoS attacks. Sophisticated attacks can overwhelm the firewall itself. For best protection, use a combination of firewalls, intrusion prevention systems, and cloud-based filtering services.

Do DoS attacks steal personal data?

No. A DoS attack does not steal data. Its only goal is to make the service unavailable. However, some attackers use DoS as a distraction while they perform other malicious activities, so always monitor for secondary attacks.

Are small businesses at risk for DoS attacks?

Yes. Small businesses are often targeted because they have weaker defenses. Even a short attack can cause significant financial loss and damage to reputation. Basic protections like rate limiting and monitoring are important for any online service.

Summary

A Denial-of-service (DoS) attack is a cybersecurity threat that aims to make an online service unavailable by overwhelming it with traffic or requests. It works by exhausting the target's resources, such as bandwidth, processing power, or memory, so that legitimate users cannot access the service. The simpler form, DoS, comes from a single source, while the more powerful Distributed Denial-of-service (DDoS) comes from many sources.

Understanding this concept is critical for IT certification exams like A+, Network+, and Security+, where you must recognize attack types, identify mitigation strategies, and respond to scenario-based questions. In real IT work, protecting against DoS attacks requires a layered defense including firewalls, rate limiting, and cloud-based protection services. Remember that DoS attacks do not steal data but cause downtime, lost revenue, and reputational harm.

Always consider source distribution when distinguishing DoS from DDoS. By mastering this term, you build a strong foundation for network security and incident response.