What Is DoS? Security Definition
Also known as: Denial of Service, DoS attack, DoS
Quick Definition
A Denial-of-Service (DoS) attack is a malicious attempt to disrupt the normal functioning of a targeted server, service, or network by overwhelming it with a flood of illegitimate traffic or resource requests. The goal is to exhaust the target's bandwidth, processing power, memory, or other critical resources, rendering it unable to respond to legitimate user requests. This can cause significant downtime, financial loss, and reputational damage to organizations. DoS attacks can be executed in various ways, including volumetric attacks that consume bandwidth, protocol attacks that exploit weaknesses in network protocols, and application-layer attacks that target specific application functions. Unlike Distributed Denial-of-Service (DDoS) attacks, which originate from multiple sources, a traditional DoS attack typically comes from a single source. Understanding DoS is fundamental for network security professionals, as it represents one of the oldest and most persistent threats to network availability.
Must Know for Exams
On the Network+ exam (N10-009), DoS attacks are covered under Domain 4.0 (Network Security). Specifically, exam objectives require candidates to: (1) Differentiate between DoS and DDoS attacks, understanding that DDoS uses multiple sources while DoS uses a single source. (2) Identify common DoS attack types such as SYN flood, Ping flood, and Smurf attack, and know which OSI layer each targets. (3) Recognize mitigation techniques like ACLs, rate limiting, and firewalls. (4) Understand the role of DoS in the context of network availability and the CIA triad. (5) Be able to interpret network traffic captures (e.g., Wireshark) to identify DoS patterns like a flood of SYN packets with no ACK replies.
On Security+ (SY0-701), DoS appears under Domain 2.0 (Threats, Vulnerabilities, and Mitigations), with emphasis on attack types, indicators (e.g., resource exhaustion), and countermeasures like load balancers and DoS protection services.
CCNA (200-301) tests DoS under Security Fundamentals, focusing on ACLs to block attack traffic, control plane policing (CoPP) as the router's self-protection, and how TCP SYN floods affect router performance. Candidates should also know that DoS can target the control plane, data plane, or management plane.
Simple Meaning
Imagine a small coffee shop that can only serve 10 customers at a time. A DoS attack is like a group of people who don't want any customers to get coffee. They all rush into the shop at once, filling every seat and ordering nothing but standing around.
The barista is overwhelmed, the coffee machine runs non-stop, and the line of real customers outside can't get in. The shop is so busy dealing with the fake crowd that it can't serve anyone who actually wants to buy coffee. Eventually, the shop might run out of coffee cups, or the barista gets so stressed they have to close early.
That's exactly what a DoS attack does to a website or server: it floods it with fake traffic until it can't handle real visitors anymore.
Full Technical Definition
A Denial-of-Service (DoS) attack is a cyber assault that aims to make a computer or network resource unavailable by overwhelming it with superfluous requests, thereby preventing legitimate access. DoS attacks primarily target the availability component of the CIA triad (Confidentiality, Integrity, Availability). They operate at various OSI layers depending on the specific attack type: Layer 3 (Network) for ICMP floods, Layer 4 (Transport) for SYN floods, and Layer 7 (Application) for HTTP floods. Relevant RFCs include RFC 4732 (Internet Denial-of-Service Considerations) and RFC 4987 (TCP SYN Flooding Attacks and Common Mitigations).
Mechanically, a SYN flood exploits the TCP three-way handshake. The attacker sends a flood of TCP SYN segments, usually with spoofed source IP addresses, to the target. The target answers each with a SYN-ACK and allocates a half-open connection entry while it waits for the final ACK, which never arrives because the spoofed hosts never sent a SYN. The listen backlog fills with half-open connections, and new legitimate SYNs are dropped. In contrast, a volumetric DoS attack simply saturates the target's bandwidth with high-volume traffic, such as ICMP echo requests (Ping flood) or UDP packets. Application-layer attacks target specific functions, like repeatedly requesting a resource-intensive database query. Compared to DDoS, a single-source DoS is easier to mitigate when the packets carry their real source address, because one ACL entry stops it. When the source addresses are spoofed, the victim sees thousands of apparent sources even though one host is sending, and per-address blocking does nothing; the defenses are then stateless ones such as SYN cookies, rate limiting, and upstream filtering by the ISP, as catalogued in RFC 4987. Single-source attacks are also less common in modern networks, where attackers typically use botnets.
Real-Life Example
A mid-sized e-commerce company, ShopFast, hosts its website on a single server with a 1 Gbps internet connection. During a holiday sale, an attacker launches a DoS attack using a tool that sends a massive ICMP echo request flood (Ping flood) from a single compromised server, spoofing the source address so the traffic appears to come from random addresses.
Within minutes, the server's 1 Gbps link is saturated by 1.5 Gbps of inbound ICMP traffic. Legitimate customers trying to reach ShopFast.com experience timeouts and cannot load the site.
The company's network monitoring tools alert the IT team, who see inbound ICMP echo requests jump from a trickle to line rate, arriving from thousands of addresses that have no other traffic with the site. Because the congestion is on the access link itself, an ACL on ShopFast's own perimeter firewall cannot restore service: the packets have already consumed the bandwidth by the time the firewall drops them. The team asks their ISP to drop or rate-limit ICMP echo requests destined for the server's address upstream, which restores service within 15 minutes. The attack caused 30 minutes of downtime, an estimated $50,000 in lost sales, and damage to customer trust.
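How the monitoring team would tell this flood apart from a legitimate traffic surge can be shown in code. The following is an added example, not part of the original page: it triages a list of packet records shaped like a tshark field export, constructed inline for an ICMP flood, a SYN flood, a flash crowd and a quiet baseline. It goes beyond the ShopFast ICMP case: the same counters also separate a SYN flood (SYNs with no client ACK) from a flash crowd (handshakes that complete normally). The target address, the thresholds and the synthetic traffic are all assumptions made for the example.

```python
"""Triage a packet capture summary: Ping flood, SYN flood, flash crowd, or normal.

Added example, not code from the original page. The records are constructed to look like a
tshark field export (time, src, dst, protocol, tcp flags or icmp type); on a real capture you
would fill the list from `tshark -r capture.pcap -T fields -e frame.time_relative -e ip.src
-e ip.dst -e _ws.col.Protocol -e tcp.flags.str -e icmp.type`. Thresholds are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

TARGET = "203.0.113.10"     # the protected server (documentation range, constructed)
PPS_ALERT = 1000            # assumption: inbound packets/s that is abnormal for this site
MIN_SYNS = 100              # assumption: below this, the SYN heuristics are not meaningful
ICMP_SHARE = 0.8            # echo requests above this share of inbound traffic = ping flood
COMPLETION_FLOOR = 0.2      # below this share of SYNs followed by a client ACK = SYN flood


@dataclass(frozen=True)
class Pkt:
    t: float     # seconds since capture start
    src: str
    dst: str
    proto: str   # "tcp" or "icmp"
    kind: str    # tcp flags "S"/"SA"/"A", or icmp "echo-request"/"echo-reply"


def summarize(pkts, target=TARGET):
    """Counters an analyst looks at first: inbound rate, SYNs vs client ACKs, echo requests, sources."""
    inbound = [p for p in pkts if p.dst == target]
    if not inbound:
        return {"n_in": 0, "pps_in": 0.0, "icmp_echo_req": 0, "syn": 0, "client_ack": 0, "sources": 0}
    dur = (max(p.t for p in pkts) - min(p.t for p in pkts)) or 1.0
    kinds = Counter((p.proto, p.kind) for p in inbound)
    return {
        "n_in": len(inbound),
        "pps_in": len(inbound) / dur,
        "icmp_echo_req": kinds[("icmp", "echo-request")],
        "syn": kinds[("tcp", "S")],
        "client_ack": kinds[("tcp", "A")],       # third handshake segment sent by clients
        "sources": len({p.src for p in inbound}),
    }


def classify(s):
    """Map the counters to the attack names used on the exams."""
    if s["pps_in"] < PPS_ALERT:
        return "normal"
    if s["icmp_echo_req"] / s["n_in"] > ICMP_SHARE:
        return "ping flood"
    if s["syn"] >= MIN_SYNS:
        completion = s["client_ack"] / s["syn"]  # spoofed sources never send the final ACK
        return "syn flood" if completion < COMPLETION_FLOOR else "flash crowd"
    return "unclassified surge"


def source_note(s):
    """The visible source count decides whether per-IP blocking can work at all."""
    if s["sources"] <= 1:
        return "single visible source: an ACL on that address at the edge or ISP will stop it"
    return (f"{s['sources']} visible sources: either a botnet (DDoS) or one host spoofing addresses; "
            "per-IP blocking will not help, rate-limit or filter upstream")


# Constructed captures: one second of traffic each, addresses from documentation ranges.
def synthetic_ping_flood(n=3000, dur=1.0):
    # One compromised host spraying echo requests with spoofed sources (the ShopFast case).
    return [Pkt(i * dur / n, f"198.51.100.{i % 254 + 1}", TARGET, "icmp", "echo-request") for i in range(n)]


def synthetic_syn_flood(n=2000, dur=1.0):
    pkts = []
    for i in range(n):
        src = f"198.51.100.{i % 254 + 1}"
        pkts.append(Pkt(i * dur / n, src, TARGET, "tcp", "S"))
        pkts.append(Pkt(i * dur / n + 1e-4, TARGET, src, "tcp", "SA"))   # answered, never ACKed
    return pkts


def synthetic_flash_crowd(n=1500, dur=1.0):
    pkts = []
    for i in range(n):
        src, t = f"192.0.2.{i % 254 + 1}", i * dur / n
        pkts += [Pkt(t, src, TARGET, "tcp", "S"), Pkt(t + 1e-4, TARGET, src, "tcp", "SA"),
                 Pkt(t + 2e-4, src, TARGET, "tcp", "A")]              # handshake completes
    return pkts


def synthetic_quiet(n=20, dur=10.0):
    return synthetic_flash_crowd(n, dur)     # 20 real connections spread over ten seconds


if __name__ == "__main__":
    for name, cap in [("ping", synthetic_ping_flood()), ("syn", synthetic_syn_flood()),
                      ("crowd", synthetic_flash_crowd()), ("quiet", synthetic_quiet())]:
        s = summarize(cap)
        print(f"{name:6} {s['pps_in']:8.0f} pps -> {classify(s)}; {source_note(s)}")
```

The flash-crowd branch is the practical point: a legitimate surge also trips the rate alarm, but its handshakes complete, so the SYN-to-ACK ratio, not the raw packet count, is what separates it from an attack.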
Why This Term Matters
Understanding DoS attacks is critical for IT professionals because availability is a core pillar of network security. A successful DoS attack can bring down critical business services, causing revenue loss, productivity drops, and reputational harm. Network administrators must be able to recognize attack signatures (e.g., sudden traffic spikes, high CPU usage) and implement mitigation techniques like rate limiting, ACLs, and traffic filtering. For troubleshooting, knowing the difference between a DoS attack and a legitimate traffic surge (e.g., a flash crowd) is essential. On a career level, DoS knowledge is tested on Network+, Security+, and CCNA exams, and real-world mitigation skills are highly valued in roles like network engineer, security analyst, and SOC operator.
How It Appears in Exam Questions
Question Pattern 1: 'Which type of attack floods a target with half-open TCP connections?' The correct answer is SYN flood. Wrong answers often include Ping of Death (which uses oversized packets) or Smurf attack (which uses ICMP broadcast).
Pattern 2: 'An administrator notices a sudden spike in ICMP traffic from a single IP address. What is the most likely attack?' Answer: DoS (Ping flood). Wrong answers: DDoS (multiple sources) or ARP poisoning (MAC spoofing).
Pattern 3: 'Which mitigation technique can prevent a SYN flood attack on a router?' Correct: Control Plane Policing (CoPP). Wrong answers: Port security (MAC filtering) or DHCP snooping (IP address validation).
Pattern 4: 'A server becomes unresponsive after receiving thousands of HTTP GET requests for a single resource. What type of attack is this?' Answer: Application-layer DoS (HTTP flood).
Wrong answers: SQL injection (database attack) or XSS (script injection). The key is to match the attack's behavior to its name and layer.
Example Scenario
Scenario: A small web server hosting a school's online portal is targeted by a DoS attack.
Step 1: The attacker uses a tool like hping3 to send a flood of TCP SYN packets to the server's IP address on port 80 (HTTP).
Step 2: The server receives each SYN packet and responds with a SYN-ACK, allocating an entry in its half-open connection table (the listen backlog) for each one.
Step 3: The attacker never sends the final ACK, so each connection remains half-open and the table fills quickly.
Step 4: After 500 half-open connections, the backlog is full. The server cannot accept any new connections, including legitimate ones from students trying to log in.
Step 5: Students see 'Connection timed out' errors. The school's IT admin checks the server and sees hundreds of connections in the SYN_RECV state in the netstat output, confirming a SYN flood attack.
Step 6: The admin applies an ACL to block the attacker's (unspoofed) source IP and shortens the SYN-RECEIVED timeout so that stale half-open entries are freed sooner, restoring service.
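The check the admin performs in Step 5 can be scripted. The following is an added example, not code from the original page: it parses netstat-style socket lines (constructed here to mimic `netstat -tan`; `ss -tan` prints the same columns with the state spelled SYN-RECV), counts half-open connections per listening port, and reports whether they come from one address or many, which decides whether Step 6's per-IP ACL can work. The alert threshold of 200 half-open connections and the sample addresses are assumptions for the example.

```python
"""Count half-open (SYN_RECV) connections in netstat/ss output and judge whether it is a SYN flood.

Added example, not code from the original page. The input is constructed text that mimics
`netstat -tan`; on a live host you would feed in
`subprocess.run(["ss", "-tan"], capture_output=True, text=True).stdout` instead.
"""
from collections import Counter

HALF_OPEN_ALERT = 200          # assumption: far above normal for a small school portal
HALF_OPEN_STATES = {"SYN_RECV", "SYN-RECV"}   # netstat spelling and ss spelling


def constructed_netstat(syn_recv=420, established=5, port=80, peers=254):
    """Build netstat-style lines: many SYN_RECV entries plus a few real sessions (constructed data)."""
    lines = ["Proto Recv-Q Send-Q Local Address           Foreign Address         State"]
    for i in range(syn_recv):
        peer = f"198.51.100.{i % peers + 1}:{40000 + i}"
        lines.append(f"tcp        0      0 10.0.0.5:{port:<16}{peer:<24}SYN_RECV")
    for i in range(established):
        peer = f"192.0.2.{i + 1}:{50000 + i}"
        lines.append(f"tcp        0      0 10.0.0.5:{port:<16}{peer:<24}ESTABLISHED")
    return "\n".join(lines)


def parse_netstat(text):
    """Return (local, foreign, state) for each tcp/tcp6 socket line; header and short lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        conns.append((parts[3], parts[4], parts[5]))
    return conns


def peer_ip(addr):
    """Strip the port, handling both '1.2.3.4:80' and '[2001:db8::1]:443'."""
    host, _, _ = addr.rpartition(":")
    return host.strip("[]")


def half_open_report(conns):
    """Aggregate half-open sockets by local port and by remote address."""
    half_open = [(loc, peer) for loc, peer, state in conns if state in HALF_OPEN_STATES]
    by_local_port = Counter(loc.rpartition(":")[2] for loc, _ in half_open)
    by_peer = Counter(peer_ip(peer) for _, peer in half_open)
    return {
        "half_open": len(half_open),
        "by_local_port": dict(by_local_port),
        "distinct_peers": len(by_peer),
        "top_peers": by_peer.most_common(3),
    }


def verdict(report):
    """Turn the counts into the call an admin has to make: is it a flood, and can an ACL stop it?"""
    if report["half_open"] < HALF_OPEN_ALERT:
        return "no SYN flood indicated"
    port, n = max(report["by_local_port"].items(), key=lambda kv: kv[1])
    if report["distinct_peers"] == 1:
        return f"SYN flood against port {port}: {n} half-open from a single address (block it at the edge)"
    return (f"SYN flood against port {port}: {n} half-open from {report['distinct_peers']} addresses "
            "(spoofed or distributed; use SYN cookies / rate limiting, not per-IP blocks)")


if __name__ == "__main__":
    rep = half_open_report(parse_netstat(constructed_netstat()))
    print(rep["half_open"], "half-open;", rep["distinct_peers"], "peers;", rep["top_peers"])
    print(verdict(rep))
```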
Common Mistakes
Students think DoS and DDoS are the same thing.
DoS comes from a single source, so when that source address is real, one ACL entry blocks it; a flood with spoofed source addresses hides the single origin and needs stateless defenses such as SYN cookies or rate limiting instead. DDoS uses multiple sources (a botnet), requiring distributed mitigation like CDNs or scrubbing centers. The exam explicitly tests the single-versus-many distinction.
Remember: 'DoS = One Source, DDoS = Many Sources.'
Students believe a SYN flood attack sends a flood of ACK packets.
A SYN flood sends SYN packets (the first step of the TCP handshake), not ACK packets. The attacker never completes the handshake, leaving half-open connections. ACK floods are a different attack type.
SYN flood = SYN packets only. SYN actually stands for 'synchronize', but as a memory aid think 'Start': the attacker starts the handshake but never finishes it.
Students think a Ping flood attack uses oversized packets (like Ping of Death).
A Ping flood sends normal-sized ICMP echo requests in high volume to saturate bandwidth. Ping of Death sends malformed oversized packets to crash the target. They are different attacks with different mechanisms.
Ping flood = volume of normal pings. Ping of Death = one oversized packet. Volume vs. malformation.
Exam Trap — Don't Get Fooled
On the exam, a question describes a server overwhelmed by half-open TCP connections. Many candidates choose 'Ping of Death' because they associate 'overwhelmed' with 'flood', but the correct answer is 'SYN flood'. Ping of Death crashes the target with an oversized packet, not with half-open connections.
Why learners choose it: Candidates often confuse 'flood' with 'overwhelm' and assume any overwhelming attack is a flood. They also misremember Ping of Death as a flood attack, when it is actually a single malformed packet exploit. The word 'flood' in the question stem misleads them.
How to avoid it: When you see 'half-open connections' or 'SYN_RECV state', immediately think SYN flood. If the question mentions an oversized packet (a ping payload above 65,507 bytes, so that the reassembled datagram exceeds the 65,535-byte IP maximum, as in the historic 'ping -l 65510'), think Ping of Death. Use the symptom, not the general feeling of overwhelm, to identify the attack.
Commonly Confused With
DoS originates from a single source, while DDoS originates from multiple sources (often a botnet). This affects mitigation: blocking one IP stops a DoS whose source address is not spoofed, but DDoS requires distributed defenses like CDNs or traffic scrubbing. The exam tests this distinction directly.
A single laptop flooding a server with SYN packets is a DoS; a botnet of 10,000 infected devices doing the same is a DDoS.
Ping of Death sends a single malformed ICMP packet, fragmented so that it reassembles to more than 65,535 bytes (the IP maximum), to crash the target. DoS (Ping flood) sends many normal-sized ICMP packets to saturate bandwidth. One exploits packet size, the other exploits volume.
Sending a ping whose payload exceeds 65,507 bytes (the historic 'ping -l 65510' on Windows 95) is Ping of Death; sending 10,000 normal pings per second is a Ping flood DoS.
Step-by-Step Breakdown
Step 1 — Reconnaissance and Target Selection
The attacker identifies a target, such as a web server, router, or DNS server. They may scan for open ports (e.g., port 80 for HTTP) to determine which services to flood. This step is often automated using tools like Nmap.
Step 2 — Attack Vector Selection
The attacker chooses the type of DoS attack based on the target's vulnerabilities. For example, if the target runs a web server, they might choose an HTTP flood (Layer 7) or a SYN flood (Layer 4). The choice affects the attack's effectiveness and detectability.
Step 3 — Traffic Generation and Launch
Using tools like hping3, LOIC, or custom scripts, the attacker generates a high volume of malicious traffic directed at the target. In a SYN flood, they send thousands of SYN packets with spoofed source IPs per second. The traffic is crafted to appear legitimate to bypass basic filters.
Step 4 — Resource Exhaustion
The target's resources (bandwidth, CPU, memory, connection table) become overwhelmed. For a SYN flood, the server's connection table fills with half-open connections, preventing new legitimate connections. For a volumetric attack, the network link saturates, dropping all traffic.
Step 5 — Denial of Service and Impact
Legitimate users cannot access the service. They may see timeouts, connection refused errors, or extremely slow responses. The attack continues until the attacker stops, the target crashes, or mitigation measures (e.g., ACLs, rate limiting) are applied. The impact includes downtime, revenue loss, and reputational damage.
Practical Mini-Lesson
Core Concept: A DoS attack is a deliberate attempt to make a resource unavailable by exhausting its capacity. The key principle is resource exhaustion—whether bandwidth, CPU, memory, or disk I/O.
How It Works: Most DoS attacks exploit the normal behavior of protocols. For example, the TCP three-way handshake is designed to establish reliable connections. A SYN flood abuses this by initiating handshakes without completing them, forcing the server to hold resources for connections that never materialize. Similarly, an ICMP flood sends more echo requests than the target's network interface can handle, saturating the link.
Comparison to Similar Technologies: DoS is often confused with DDoS. The critical difference is the number of sources: DoS = single source, DDoS = multiple sources (botnet). Mitigation strategies differ: blocking a single IP can stop a DoS, but DDoS requires more sophisticated methods like traffic scrubbing or CDN distribution. Another related concept is a 'flash crowd'—a legitimate surge in traffic that mimics a DoS. The difference is intent: a flash crowd is organic (e.g., product launch), while a DoS is malicious.
Configuration/Usage Notes: To protect a Cisco router's own CPU, use Control Plane Policing (CoPP): an extended ACL selects the traffic (for example, TCP SYNs addressed to the router itself), a class-map matches that ACL, a policy-map applies a police rate to the class, and the policy is attached under control-plane with service-policy input. CoPP limits traffic destined to the router; it does not protect hosts behind the router. On a firewall or host, enable SYN cookies so that no state is held for a half-open connection: the initial sequence number in the SYN-ACK is a keyed hash of the connection tuple, and the server allocates a socket only when an ACK carrying a valid cookie returns (Linux: net.ipv4.tcp_syncookies = 1, enabled by default on most current distributions). Reducing the number of SYN-ACK retransmissions (net.ipv4.tcp_synack_retries) shortens how long each half-open entry is held, and net.ipv4.tcp_max_syn_backlog sets how many a listener can hold.
Key Takeaway: DoS attacks target availability. The most exam-critical fact is that a SYN flood uses half-open TCP connections to exhaust server resources, and it is mitigated by SYN cookies or reducing timeout values. Always distinguish DoS (single source) from DDoS (multiple sources) on exams.
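The half-open table described in the Full Technical Definition and the SYN-cookie defense from the configuration notes above can be modelled together. The following is an added example, not code from the original page or from any real TCP stack: a toy server with an 8-slot backlog handles spoofed SYNs with and without SYN cookies, a legitimate client tries to connect mid-flood, an attacker tries a forged ACK, and a shorter SYN-RECEIVED timeout is shown freeing slots that the flood immediately refills. The cookie is a truncated HMAC-SHA256 over the client address, port and a coarse clock; the backlog size, secret and clock are assumptions.

```python
"""Why a SYN flood fills the half-open connection table, and why SYN cookies take it away.

Added example, not code from the original page or from any real TCP stack. Both ends of the
handshake are modelled in one process. Real kernels also pack MSS bits into the cookie and
use far larger backlogs than the 8 slots assumed here.
"""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


class Server:
    def __init__(self, backlog=8, syn_cookies=False, secret=b"per-boot random secret (assumed)"):
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.secret = secret
        self.clock = 0             # coarse timer; a cookie is valid for this tick and the previous one
        self.half_open = {}        # (ip, port) -> (server ISN, tick created)
        self.established = set()
        self.dropped_syns = 0
        self._isn = 0x1000

    def _cookie(self, ip, port, tick):
        """32-bit keyed hash of the client tuple and time; it stands in for the server ISN."""
        mac = hmac.new(self.secret, f"{ip}:{port}:{tick}".encode(), hashlib.sha256).digest()
        return struct.unpack(">I", mac[:4])[0]

    def on_syn(self, ip, port):
        """Handle a SYN. Return the ISN placed in the SYN-ACK, or None if the SYN had to be dropped."""
        if self.syn_cookies:
            return self._cookie(ip, port, self.clock)   # no table entry: the ISN *is* the state
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1                      # backlog full: this is where legit SYNs die
            return None
        self._isn = (self._isn + 64000) & MASK32
        self.half_open[(ip, port)] = (self._isn, self.clock)
        return self._isn

    def on_ack(self, ip, port, ack):
        """Handle the third handshake segment (ack = server ISN + 1). True if a connection is created."""
        if self.syn_cookies:
            for tick in (self.clock, self.clock - 1):
                if ack == (self._cookie(ip, port, tick) + 1) & MASK32:
                    self.established.add((ip, port))    # a socket is allocated only now
                    return True
            return False                                # forged or stale ACK: nothing was ever held
        entry = self.half_open.get((ip, port))
        if entry is None or ack != (entry[0] + 1) & MASK32:
            return False
        del self.half_open[(ip, port)]
        self.established.add((ip, port))
        return True

    def expire_half_open(self, max_age_ticks):
        """What a shorter SYN-RECEIVED timeout (tcp_synack_retries) buys: stale entries are freed."""
        stale = [k for k, (_, created) in self.half_open.items() if self.clock - created >= max_age_ticks]
        for k in stale:
            del self.half_open[k]
        return len(stale)


def run_flood(syn_cookies, spoofed_syns=50, backlog=8):
    """Attacker sends spoofed SYNs, then a legitimate client tries to connect; report the outcome."""
    srv = Server(backlog=backlog, syn_cookies=syn_cookies)
    for i in range(spoofed_syns):
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 40000 + i)    # SYN-ACKs go to hosts that never answer
    isn = srv.on_syn("192.0.2.10", 51515)
    connected = isn is not None and srv.on_ack("192.0.2.10", 51515, (isn + 1) & MASK32)
    return {"half_open": len(srv.half_open), "dropped_syns": srv.dropped_syns, "legit_connected": connected}


def forged_ack_rejected():
    """Without the secret an attacker cannot mint a valid cookie, so a bare ACK creates no socket."""
    srv = Server(syn_cookies=True)
    return srv.on_ack("198.51.100.1", 40000, 0x12345678) is False and not srv.established


def timeout_helps_but_not_enough():
    """A shorter timeout frees slots once the clock advances, but the flood refills them at once."""
    srv = Server(backlog=8)
    for i in range(8):
        srv.on_syn(f"198.51.100.{i + 1}", 40000 + i)
    srv.clock += 1
    freed = srv.expire_half_open(max_age_ticks=1)
    for i in range(8):
        srv.on_syn(f"198.51.100.{i + 100}", 41000 + i)
    return freed, len(srv.half_open)


if __name__ == "__main__":
    print("no cookies:  ", run_flood(syn_cookies=False))
    print("SYN cookies: ", run_flood(syn_cookies=True))
    print("forged ACK rejected:", forged_ack_rejected())
    print("freed, refilled:", timeout_helps_but_not_enough())
```

Without cookies the first eight spoofed SYNs occupy the backlog and every later SYN, including the legitimate one, is dropped; with cookies the server stores nothing per SYN, so the flood costs it only the SYN-ACKs it sends and the real client completes its handshake.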
Memory Tip
Remember 'DoS' as 'Denial of Service' and think of a 'Door Slam' — one attacker slams the door shut so no one else can enter. For SYN flood specifically, remember 'SYN = Start Your Negotiation' but the attacker never finishes, leaving the server waiting forever.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
N10-009 CompTIA Network+
SY0-701 CompTIA Security+
200-301 Cisco CCNA
220-1102 CompTIA A+ Core 2
SC-900 Microsoft SC-900
Google CDL
ISC2 CC
Frequently Asked Questions
Can a DoS attack be launched from a single computer?
Yes, a traditional DoS attack originates from a single source, such as one compromised computer or a single attacker's machine. However, modern networks often have enough bandwidth to absorb single-source attacks, making DDoS (multiple sources) more common for effective disruption.
What is the difference between a DoS and a DDoS attack?
DoS comes from one source; DDoS comes from many (a botnet). This affects mitigation: blocking one IP stops a DoS whose source address is not spoofed, but DDoS requires distributed defenses like CDNs, load balancers, or traffic scrubbing services. The exam tests this distinction frequently.
Is a SYN flood the same as a Ping flood?
No. A SYN flood targets Layer 4 (TCP) by sending SYN packets to exhaust connection tables. A Ping flood targets Layer 3 (ICMP) by sending echo requests to saturate bandwidth. They use different protocols and have different mitigation strategies (SYN cookies vs. ICMP rate limiting).
How can I detect a DoS attack on my network?
Look for sudden spikes in traffic from a single IP, high CPU or memory usage on servers, many half-open connections (SYN_RECV state in netstat), or a surge in ICMP or UDP packets. Network monitoring tools like Wireshark or PRTG can help identify abnormal patterns.
Why would an attacker use a DoS attack instead of a DDoS?
A DoS attack is simpler to execute and requires fewer resources (one machine). It may be used for small-scale targets with limited bandwidth, or as a test before launching a larger DDoS. However, it is easier to mitigate, so DDoS is more common for serious disruption.
Summary
1. A DoS (Denial-of-Service) attack is a single-source attack that overwhelms a target with traffic or requests to make it unavailable to legitimate users.
2. Its key technical property is resource exhaustion: it targets bandwidth, memory, or CPU by exploiting protocol behaviors like the TCP three-way handshake (SYN flood) or ICMP echo requests (Ping flood).
3. The most important exam facts: DoS comes from one source, while DDoS comes from many; SYN floods are mitigated by SYN cookies or reducing timeout values; and always identify the attack type by its traffic pattern (e.g., half-open connections = SYN flood, ICMP spike = Ping flood).