How DoS Attacks Work: From SYN Floods to App-Layer Attacks

A denial-of-service (DoS) attack works by flooding a server or network with so much traffic, or sending it specially crafted data, that it can no longer respond to real users. The goal isn’t to break in or steal information. It’s to make a website, app, or online service completely unavailable. Modern attacks have reached staggering scales, with the largest recorded attack in late 2024 peaking at 31.4 terabits per second of junk traffic, lasting just 35 seconds.

Two Core Methods: Flooding and Crashing

Every DoS attack falls into one of two categories. Flooding attacks bury a target under more traffic than it can handle. The server tries to process each incoming request, gets overwhelmed, slows to a crawl, and eventually stops responding entirely. Crashing attacks take a different approach: instead of brute-force volume, they send carefully crafted input that exploits a bug in the target’s software, causing the system to crash or become unstable without needing massive bandwidth.

Flooding is far more common. The attacker’s goal is to exhaust one or more of the target’s finite resources: its internet bandwidth, its processing power, its memory, or even the number of network connections it can hold open at once. Once any one of those resources hits its limit, legitimate visitors get locked out.

How a SYN Flood Exploits Normal Connections

One of the best-known flooding techniques targets the basic process devices use to open a TCP connection, the kind your browser makes to a website. Before any data flows, the two sides perform a quick three-step exchange called a handshake. Your device sends a “SYN” message (short for synchronize) to the server. The server replies with a “SYN-ACK,” acknowledging the request. Your device then sends back a final “ACK,” and the connection is established.

The critical detail is that the server reserves memory and a connection slot after step one, before the handshake finishes. In a SYN flood, the attacker sends thousands or millions of SYN messages but never completes step three. Each half-finished connection sits in the server’s memory, occupying a slot. Eventually every available connection slot is taken up by these phantom requests, and real users trying to connect get turned away. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) describes this as leaving every port in an “occupied status,” saturating the server until it simply can’t accept new connections.
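To make the resource-exhaustion point concrete, here is a small in-memory model of the server side of the handshake: a table of half-open connections with a fixed number of slots and a timeout that reclaims entries whose final ACK never arrives. This is an added illustration, not code from the article or from any real TCP stack; the slot count, the 30-second timeout and the client addresses are constructed values.

```python
"""Model of a server's half-open (SYN-received) connection table.

Added illustration, not code from the article or from any operating system.
Capacity, the 30-second timeout and the addresses used are constructed."""
from dataclasses import dataclass, field


@dataclass
class HalfOpenTable:
    """Tracks handshakes that have reached step two (SYN-ACK sent, ACK pending)."""
    capacity: int                                  # connection slots the server can hold
    timeout: float = 30.0                          # seconds before a half-open entry is dropped
    pending: dict = field(default_factory=dict)    # (src_ip, src_port) -> time the SYN arrived
    established: int = 0
    refused: int = 0

    def on_syn(self, src, now):
        """Step one: a SYN arrives. Reserve a slot if one is free, else drop the SYN."""
        self.expire(now)
        if len(self.pending) >= self.capacity:
            self.refused += 1                      # table full: the visitor is turned away
            return False
        self.pending[src] = now                    # slot is held from this moment on
        return True

    def on_ack(self, src):
        """Step three: the final ACK completes the handshake and frees the slot."""
        if src not in self.pending:
            return False
        del self.pending[src]
        self.established += 1
        return True

    def expire(self, now):
        """Drop entries whose handshake did not finish within the timeout; return how many."""
        stale = [k for k, t in self.pending.items() if now - t >= self.timeout]
        for k in stale:
            del self.pending[k]
        return len(stale)


def exhaustion_scenario(capacity=1024, unfinished_syns=1024):
    """Constructed scenario: unfinished handshakes fill every slot, then a real visitor tries.
    Returns (accepted while table is full, accepted after the timeout sweep, established, refused)."""
    table = HalfOpenTable(capacity=capacity)
    for port in range(unfinished_syns):
        table.on_syn(("198.51.100.7", port), now=0.0)      # step one only; no ACK ever follows
    before = table.on_syn(("192.0.2.10", 40000), now=1.0)   # real visitor while slots are all held
    after = table.on_syn(("192.0.2.10", 40000), now=31.0)   # same visitor after stale entries expire
    if after:
        table.on_ack(("192.0.2.10", 40000))
    return before, after, table.established, table.refused


if __name__ == "__main__":
    print(exhaustion_scenario())   # (False, True, 1, 1)
```

The two numbers a defender controls in this model, the table size and the timeout, are the same knobs real stacks expose (backlog length and SYN-received retransmission limits); the scenario shows that a short timeout alone only helps once the unfinished entries are older than the timeout, which is why it is combined with the other defenses described later on this page.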

Application-Layer Attacks: Harder to Spot

Not all attacks target the network plumbing. Application-layer attacks, sometimes called Layer 7 attacks, go after the website or app itself by mimicking normal user behavior. Because the requests look legitimate on the surface, these attacks are much harder to filter out.

An HTTP GET flood, for example, coordinates many devices to simultaneously request images, files, or web pages from a server. Each request is technically valid, but the sheer volume overwhelms the server’s ability to respond. HTTP POST floods are even more efficient from the attacker’s perspective. When you submit a form on a website, the server has to process that data and often write it to a database, which is relatively resource-intensive. The attacker exploits this imbalance: sending a POST request costs very little bandwidth, but handling it on the server side takes comparatively heavy processing. Thousands of fake form submissions can exhaust a server’s capacity while using minimal resources on the attacker’s end.

Then there are “low and slow” attacks like Slowloris, which don’t need volume at all. Instead of flooding a server with complete requests, Slowloris opens many connections and sends only partial request headers, dripping in just enough data to keep each connection from timing out. The server patiently waits for each request to finish, holding connections open indefinitely. Eventually all available connection slots are consumed, and no new visitors can get through. A single computer can pull this off against a vulnerable server.
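The standard server-side answer to Slowloris is to stop waiting politely: give every connection a deadline to finish its request headers and a minimum rate it must sustain while they are incomplete. The check below, run over a constructed snapshot of a server's connection table, is an added example and not code from the article or from any web server; the 20-second deadline, the 200 bytes/second floor and the sample connections are assumptions.

```python
"""Server-side check that closes connections which never finish sending their
request headers (the Slowloris pattern). Added example, not from the article
or any web server; thresholds and the connection snapshot are constructed."""
from dataclasses import dataclass

HEADER_DEADLINE = 20.0      # seconds a client gets to finish its request headers
MIN_RATE = 200.0            # bytes/second a still-incomplete request must sustain
GRACE = 5.0                 # don't judge the rate of a connection younger than this


@dataclass
class Conn:
    peer: str
    opened_at: float        # when the connection was accepted
    bytes_in: int           # request bytes received so far
    headers_done: bool      # True once the blank line ending the headers was seen


def should_drop(conn, now):
    """Return a reason string if the connection should be closed, else None.
    Requests whose headers are complete are left alone; the checks only apply
    while the server is still waiting for the rest of the headers."""
    if conn.headers_done:
        return None
    age = now - conn.opened_at
    if age >= HEADER_DEADLINE:
        return "header deadline exceeded"
    if age >= GRACE and conn.bytes_in / age < MIN_RATE:
        return "request trickling below minimum rate"
    return None


def sweep(conns, now):
    """Run the check over every open connection; return {peer: reason} for those to drop."""
    drops = {}
    for c in conns:
        reason = should_drop(c, now)
        if reason:
            drops[c.peer] = reason
    return drops


# Constructed snapshot of a server's connection table taken at t = 30 s.
SAMPLE = [
    Conn("192.0.2.10:51000", opened_at=29.0, bytes_in=412, headers_done=True),     # normal visitor
    Conn("192.0.2.11:51001", opened_at=28.0, bytes_in=600, headers_done=False),    # young, still inside the grace period
    Conn("198.51.100.5:40001", opened_at=2.0, bytes_in=180, headers_done=False),   # one header line every few seconds
    Conn("198.51.100.5:40002", opened_at=15.0, bytes_in=90, headers_done=False),   # same pattern, newer connection
]

if __name__ == "__main__":
    for peer, reason in sweep(SAMPLE, 30.0).items():
        print(f"close {peer}: {reason}")
```

Production servers expose exactly these knobs rather than leaving them to application code: Apache's mod_reqtimeout `RequestReadTimeout header=20-40,MinRate=500` and nginx's `client_header_timeout` implement the deadline and minimum-rate ideas shown here.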

DoS vs. DDoS: One Machine vs. Thousands

A basic DoS attack comes from a single machine running a script or tool. Because all the malicious traffic originates from one IP address, it’s relatively straightforward to identify and block. A distributed denial-of-service attack (DDoS) is fundamentally different in architecture. It uses hundreds, thousands, or even millions of compromised devices spread across the globe, all attacking the same target simultaneously.

These device networks, called botnets, are built by infecting computers, routers, security cameras, and other internet-connected hardware with malware. The infected devices (called bots) sit quietly until they receive instructions from a central command-and-control server operated by the attacker. When the order comes, every bot in the network fires traffic at the target at once. The attack deploys faster, hits harder, and is far more difficult to trace or block because the traffic comes from countless legitimate-looking IP addresses scattered around the world.

During a major DDoS campaign tracked by Cloudflare in late 2024, the average hyper-volumetric attack pushed around 4 terabits per second of traffic, with peaks reaching 24 Tbps. To put that in perspective, most websites operate on connections measured in single-digit gigabits. Even a fraction of that attack volume would be catastrophic for an unprepared target.

What a DoS Attack Looks Like From the Inside

If you’re running a website or service under attack, the signs often start subtly. Pages load slowly, then time out. Specific services like email, login portals, or payment processing stop responding. Traffic dashboards show a sudden spike from unusual geographic regions or a massive increase in requests to a single page. In a SYN flood, you might see connection queues filling up while completed connections drop to near zero. Eventually the server becomes completely unresponsive, even to administrators trying to log in and diagnose the problem.
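The SYN-flood symptom in that paragraph, half-open connections piling up while completed ones stay flat, can be checked directly from the server's socket table. The detector below is an added example, not code from the article; its input is a constructed snapshot in the column layout Linux's `ss -tan` prints (State, Recv-Q, Send-Q, Local, Peer), and the alert thresholds are assumptions to be tuned against a server's normal baseline.

```python
"""Spot SYN-flood symptoms in a snapshot of a server's TCP socket table.

Added example, not from the article. The snapshot below is constructed in the
format `ss -tan` prints on Linux; the thresholds are assumptions."""
from collections import Counter

SNAPSHOT = """\
State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN    0      1024   0.0.0.0:443          0.0.0.0:*
ESTAB     0      0      203.0.113.20:443     192.0.2.10:52210
ESTAB     0      0      203.0.113.20:443     192.0.2.44:41002
SYN-RECV  0      0      203.0.113.20:443     198.51.100.9:1025
SYN-RECV  0      0      203.0.113.20:443     198.51.100.9:1026
SYN-RECV  0      0      203.0.113.20:443     198.51.100.9:1027
SYN-RECV  0      0      203.0.113.20:443     198.51.100.23:7001
SYN-RECV  0      0      203.0.113.20:443     198.51.100.23:7002
SYN-RECV  0      0      203.0.113.20:443     198.51.100.23:7003
SYN-RECV  0      0      203.0.113.20:443     198.51.100.23:7004
SYN-RECV  0      0      203.0.113.20:443     192.0.2.10:52211
"""


def parse_states(text):
    """Yield (state, peer_ip) for each socket line, skipping the header and listeners."""
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5 or parts[0] == "LISTEN":
            continue
        state, peer = parts[0], parts[4]
        yield state, peer.rsplit(":", 1)[0]      # strip the port; works for [v6]:port too


def analyze(text, min_half_open=5, half_open_ratio=2.0, per_source=3):
    """Summarise the table and raise an alert when half-open connections dominate.

    min_half_open   absolute floor, so a quiet server with 3 SYN-RECV doesn't alert
    half_open_ratio SYN-RECV / ESTAB above which the backlog is considered flooded
    per_source      SYN-RECV count from one peer that marks it as a heavy source"""
    by_state = Counter()
    half_open_src = Counter()
    for state, ip in parse_states(text):
        by_state[state] += 1
        if state == "SYN-RECV":
            half_open_src[ip] += 1
    established = by_state["ESTAB"]
    half_open = by_state["SYN-RECV"]
    ratio = half_open / established if established else float("inf")
    return {
        "established": established,
        "half_open": half_open,
        "ratio": ratio,
        "alert": half_open >= min_half_open and ratio >= half_open_ratio,
        "heavy_sources": sorted(ip for ip, n in half_open_src.items() if n >= per_source),
    }


if __name__ == "__main__":
    print(analyze(SNAPSHOT))
```

On the constructed snapshot this reports 8 half-open against 2 established connections and flags the two peers holding several unfinished handshakes each. In a real distributed flood the per-source list is usually empty, because each bot contributes only a handful of SYNs; the ratio is then the signal that matters, which is why the alert is keyed on it rather than on any single address.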

For end users, the experience is simpler: the site won’t load, transactions fail, and error messages appear. There’s no visible sign of hacking because nothing has been stolen or altered. The service is just gone.

How Targets Defend Against These Attacks

No single defense stops every type of DoS attack, so protection typically involves layering several techniques together.

  • Rate limiting restricts how many requests a single IP address can make within a set time window. This keeps any one source from monopolizing server resources. It works well against simpler floods but can be bypassed by distributed attacks using thousands of IP addresses.
  • Traffic scrubbing routes all incoming traffic through a filtering service before it reaches the actual server. The scrubbing center analyzes each request, drops the malicious ones, and forwards only clean traffic. Major cloud providers operate these services at a scale large enough to absorb multi-terabit attacks.
  • Anycast network diffusion spreads traffic across multiple data centers around the world instead of routing everything to a single location. When an attack hits, the flood gets distributed across many servers in different regions, so no single point gets overwhelmed. This is how large content delivery networks absorb attacks that would flatten a single data center.
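The first bullet's caveat is easy to demonstrate in code. Below is a per-IP sliding-window rate limiter of the kind a reverse proxy or web framework applies, replayed against two constructed request streams: one source sending 500 requests in ten seconds, and 500 sources sending one request each in the same ten seconds. This is an added example, not code from the article or from any product; the limit, window and traffic streams are assumptions.

```python
"""Per-IP sliding-window rate limiter, replayed against constructed traffic.

Added example, not from the article or any product. The 100-requests-per-10-seconds
limit and the request streams below are constructed for illustration."""
from collections import defaultdict, deque


class RateLimiter:
    """Allow at most `limit` requests per client IP within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)      # ip -> timestamps of recently allowed requests

    def allow(self, ip, now):
        q = self.hits[ip]
        while q and now - q[0] >= self.window:   # forget requests that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False                          # over budget: reject (e.g. HTTP 429)
        q.append(now)
        return True


def replay(limiter, requests):
    """Feed (timestamp, ip) pairs through the limiter; return (allowed, rejected)."""
    allowed = rejected = 0
    for ts, ip in requests:
        if limiter.allow(ip, ts):
            allowed += 1
        else:
            rejected += 1
    return allowed, rejected


# Constructed traffic: one address sends 500 requests spread over 10 seconds ...
SINGLE_SOURCE = [(i * 0.02, "198.51.100.7") for i in range(500)]
# ... versus 500 different addresses sending one request each over the same 10 seconds.
MANY_SOURCES = [(i * 0.02, f"10.0.{i // 256}.{i % 256}") for i in range(500)]


def compare(limit=100, window=10.0):
    """Run both streams through identically configured limiters."""
    return {
        "single_source": replay(RateLimiter(limit, window), SINGLE_SOURCE),
        "many_sources": replay(RateLimiter(limit, window), MANY_SOURCES),
    }


if __name__ == "__main__":
    print(compare())   # {'single_source': (100, 400), 'many_sources': (500, 0)}
```

The same 500 requests hit the server in both runs, but the limiter only helps when they share an address: the single source is cut to 100, while the distributed stream passes untouched because every address stays inside its own budget. That gap is what the scrubbing and Anycast layers are there to cover.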

Most modern protection combines these approaches with real-time traffic analysis that can distinguish attack patterns from normal visitor behavior. The challenge grows as attacks get larger and more sophisticated: that record-breaking 31.4 Tbps attack lasted only 35 seconds, barely enough time for a human to notice, let alone respond manually. Automated detection and mitigation running at the network edge is what keeps most major services online during these events.