
What Is a Denial-of-Service (DoS) Attack?

A denial-of-service attack is a cyberattack that makes a machine, service, or network unavailable to its users by overwhelming it with traffic or by sending input that causes it to crash or hang.

A web server has a fixed number of connection slots, a finite pool of memory, and a network link that can carry only so many packets per second. A denial-of-service attack does not steal any of that. It just uses all of it. One machine sends a flood of half-open connections, or a single malformed packet the target does not know how to handle, and the service that real users depend on stops answering. Nothing was exfiltrated. The site is simply down.

That is the whole idea of a DoS attack: exhaust a resource until the system can no longer serve legitimate requests. It targets availability, the third leg of the CIA triad, rather than confidentiality or integrity. There is usually no data theft and no lasting change to the data itself. The damage is the outage: lost revenue while a storefront is unreachable, a login portal that times out, an API that drops every call.

This article covers the single-source case. A denial-of-service attack launched from one machine is a DoS attack. When the same flood comes from thousands of compromised machines at once, it becomes a distributed denial-of-service attack, which is a larger problem with its own defenses; that case is covered in the dedicated DDoS article. Here the focus is what a DoS attack is, the categories it falls into, the specific techniques, how to spot one, and how to keep a single attacker from taking a service down.

What is a denial-of-service attack?

A denial-of-service attack is a cyberattack that makes a machine, service, or network unavailable to its intended users by overwhelming it with traffic or by sending input that causes it to crash or hang. The attacker's goal is disruption, not access. Where a data breach is about getting in and taking something, a DoS attack is about keeping everyone else out.

It works by attacking a limit. Every system has finite resources: network bandwidth, the connection table that tracks open sessions, CPU and memory, the thread pool an application uses to handle requests. A DoS attack drives one of those resources to its ceiling. Once the connection table is full or the link is saturated, the server cannot tell a flood packet from a real customer, so it drops both.

The defining trait of plain DoS is the single source. The attack originates from one system or one network connection. That is also its weakness as an attack and the defender's main lever: traffic from a single origin is comparatively easy to identify and block once you spot the pattern. The reason DDoS exists is precisely to remove that weakness by spreading the source across many machines.

DoS vs DDoS

The two are the same attack scaled differently, and the difference decides how you defend.

| | DoS | DDoS |
|---|---|---|
| Source | A single machine or connection | Many compromised machines at once |
| Infrastructure | One attacker host or script | A botnet of hundreds to millions of devices |
| Traffic volume | Limited by one connection's capacity | Aggregated across the whole network, far larger |
| Difficulty to block | Lower; one source IP or pattern to filter | Higher; traffic looks like it comes from everywhere |
| Attribution | Easier; one origin to trace | Harder; the real attacker hides behind the bots |

A DoS attack from one host is constrained by that host's own bandwidth and the target's ability to recognize a single noisy source and drop it. A distributed attack removes both limits: the traffic is the sum of thousands of sources, and because each source looks like an ordinary client, simple source-based blocking no longer works. That distributed case, including how botnets are built and how scrubbing and rate limiting answer them at scale, is the subject of the separate DDoS article. The rest of this piece stays with the single-source attack.

Types of denial-of-service attacks

DoS techniques split into two broad mechanisms: flooding a resource until it saturates, and sending crafted input that breaks the target outright. Knowing which one you are facing changes the response.

| Category | How it works | What it exhausts |
|---|---|---|
| Flood attacks | Send more traffic or requests than the target can process | Bandwidth, connection table, or CPU |
| Crash / exploit attacks | Send malformed input that triggers a bug | The process itself, via a crash or hang |

Flood attacks are the volume game: overwhelm the link, the connection state, or the application with sheer request count. Crash attacks are the precision game: one or a few specially crafted packets exploit a flaw in how the target parses input, and the service falls over without needing high volume at all. The second category is why a DoS attack does not always require a fast connection. A single malformed packet can be enough if the target has the right bug.

Common DoS attack techniques

The categories above show up as a handful of well-known techniques. These are the ones a defender sees most.

  • SYN flood. Abuses the TCP three-way handshake. The attacker sends a stream of SYN packets to open connections but never completes the handshake with the final ACK. Each half-open connection occupies a slot in the server's connection table. Send enough and the table fills, so the server refuses new connections, including legitimate ones. It exhausts connection state, not bandwidth.
  • ICMP flood (ping flood). Floods the target with ICMP echo-request (ping) packets, forcing it to spend bandwidth and CPU replying to each one. The smurf attack is a classic amplified variant that sends pings with a spoofed source address to a broadcast range so the replies converge on the victim.
  • UDP flood. Sends a high volume of UDP packets to random ports. The target checks each port for a listening application, finds none, and replies with an ICMP "destination unreachable," burning resources on traffic that was never legitimate.
  • Ping of Death. A crash attack, not a flood. The attacker sends an oversized or malformed ICMP packet that exceeds the 65,535-byte IP maximum once reassembled from fragments. Older systems mishandled the reassembly and overflowed a buffer, crashing the machine. It originated in the mid-1990s; systems built since the late 1990s validate packet size and are no longer vulnerable, but it remains the textbook example of a single-packet crash.
  • Slowloris. An application-layer attack that needs almost no bandwidth. It opens many connections to a web server and sends partial HTTP requests, then keeps each one alive by dribbling out a header line just often enough to avoid a timeout. The server holds every connection open waiting for a request that never completes, and its connection pool exhausts. It is highly effective against thread-per-connection servers and hard to spot because each connection looks slow rather than malicious.
  • Buffer overflow. The broadest crash category. The attacker sends more data to a memory buffer than it can hold, corrupting adjacent memory and crashing or hanging the process. Many specific DoS exploits are buffer overflows against a particular service that mishandles oversized input.

Notice the split: SYN, ICMP, and UDP floods are volume attacks against bandwidth or connection state, while Ping of Death, Slowloris, and buffer overflows are low-volume attacks that exploit a specific weakness. The low-volume ones are the reason you cannot defend against DoS by watching traffic rate alone.
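The split matters for detection as much as for defense. The following Python snippet is an added example, not code from the original article: it walks a constructed snapshot of a server's connection table and flags a source as a SYN flood when it holds many half-open entries, or as Slowloris when it holds many long-lived, established connections that each carry only a partial request. The record shape, thresholds, and addresses (RFC 5737 test ranges) are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    """One entry from a server's connection table (assumed, simplified shape)."""
    src: str
    state: str          # "SYN_RECV" (half-open) or "ESTABLISHED"
    age_s: float        # seconds since the connection was opened
    bytes_in: int       # request bytes received so far
    request_done: bool  # True once a complete HTTP request has arrived


def classify_sources(table, half_open_cap=100, slow_conns=50,
                     slow_age_s=30.0, slow_bytes=512):
    """Return {src: verdict} for sources whose connection pattern matches a
    single-source DoS technique. All thresholds are illustrative assumptions."""
    per_src = defaultdict(list)
    for c in table:
        per_src[c.src].append(c)
    verdicts = {}
    for src, conns in per_src.items():
        # SYN flood: many half-open connections from one origin that never
        # complete the handshake. Packet count is high, payload is zero.
        half_open = sum(1 for c in conns if c.state == "SYN_RECV")
        if half_open >= half_open_cap:
            verdicts[src] = "syn_flood"
            continue
        # Slowloris: many established, long-lived connections that each hold a
        # tiny, unfinished request. Byte and packet rates are negligible, so a
        # rate-only monitor would never see it; connection age and count do.
        slow = [c for c in conns
                if c.state == "ESTABLISHED" and not c.request_done
                and c.age_s >= slow_age_s and c.bytes_in <= slow_bytes]
        if len(slow) >= slow_conns:
            verdicts[src] = "slowloris"
    return verdicts


def sample_table():
    """Constructed snapshot: one SYN-flood source, one Slowloris source, a set
    of ordinary clients, and one client with a few legitimately pending SYNs."""
    table = [Conn("203.0.113.7", "SYN_RECV", 2.0, 0, False) for _ in range(400)]
    table += [Conn("198.51.100.9", "ESTABLISHED", 120.0, 180, False) for _ in range(150)]
    table += [Conn(f"192.0.2.{i}", "ESTABLISHED", 0.4, 900, True) for i in range(1, 40)]
    table += [Conn("192.0.2.50", "SYN_RECV", 0.1, 0, False) for _ in range(3)]
    return table


if __name__ == "__main__":
    for src, verdict in classify_sources(sample_table()).items():
        print(f"{src}: {verdict}")
```

The ordinary clients and the host with three pending SYNs produce no verdict, which is the point: the signal is concentration per source, not the presence of half-open or slow connections on their own.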

OSI layer: volumetric, protocol, and application attacks

DoS attacks by network layer: three layers, three resources to exhaust. A DoS attack drives one finite resource to its ceiling; where it hits the stack decides what it exhausts and which control stops it.

| Layer | Goal | Technique | Exhausts | Control |
|---|---|---|---|---|
| Volumetric | Saturate the bandwidth | UDP flood, ICMP flood | Raw network link | Edge rate-limiting, capacity |
| Protocol | Exhaust the connection table | SYN flood | Transport-layer state | SYN cookies, firewall caps |
| Application (Layer 7) | Drain the request pool | Slowloris, HTTP flood | Server request handling | Tight timeouts, per-source caps |

Why it matters: a firewall that rate-limits packets does nothing against a Slowloris attack that sends almost no packets, and an application filter does nothing about a link already saturated upstream. No single layer covers all three.

Another way to classify these maps them to where on the network stack they hit. It is the framing most mitigation tooling uses.

  • Volumetric attacks target raw bandwidth. They aim to saturate the network link so no traffic gets through, legitimate or not. UDP and ICMP floods are volumetric. The measure is bits or packets per second.
  • Protocol attacks target the connection state in network equipment and servers, at the transport layer. The SYN flood is the canonical protocol attack: it does not need much bandwidth; it needs only to exhaust the connection table. The measure is packets per second.
  • Application-layer attacks target the application itself, at layer 7. They mimic legitimate requests but aim to exhaust the server's request-handling capacity. Slowloris and HTTP request floods live here. They are the hardest to detect because each request can look valid, and the volume can be low.

The practical takeaway: a single defense layer does not cover all three. A firewall that rate-limits packets does nothing against a Slowloris attack that sends almost no packets, and an application filter does nothing about a link already saturated upstream.

Signs of a DoS attack

A DoS attack often looks at first like an ordinary performance problem, which is why teams waste time chasing a capacity issue before recognizing an attack. The signals to watch:

  • Sudden, unexplained slowness loading a site or service, or opening files on an affected machine.
  • Complete unavailability of a particular website or resource, or an inability to reach any site.
  • A spike in traffic from a single source IP or a narrow range, or to a single target port or URL.
  • A flood of one packet type, such as a surge of SYN or ICMP packets with no completing traffic.
  • Connection-table or resource exhaustion on the server: maxed-out connection counts, thread pools, or memory, while CPU may or may not be high.

The distinguishing feature of single-source DoS is concentration. The traffic converges from one origin or toward one narrow target, which is exactly the pattern that separates an attack from a legitimate traffic surge and what makes a plain DoS attack tractable to block.

How to detect and prevent DoS attacks

Defending against single-source DoS rests on two things: seeing the traffic clearly enough to recognize the pattern, and having the controls to drop it once you do. Because the source is one place, blocking is achievable in a way it is not for a distributed attack.

  • Establish a traffic baseline. You cannot spot abnormal volume without knowing normal. Continuous monitoring of bandwidth, connection counts, and request rates is what turns "the site feels slow" into "we are seeing 50x normal SYN packets from one subnet."
  • Deploy detection at the network edge. A network-based intrusion detection system flags the signatures and anomalies of known floods, including SYN, ICMP, and UDP patterns, and surfaces the source so it can be acted on.
  • Filter and rate-limit at the firewall. A firewall is the front-line control for single-source DoS. It can block a malicious source IP outright, rate-limit ICMP and UDP, and cap how many half-open connections one source may hold.
  • Harden the network stack. SYN cookies defend the connection table against SYN floods by not allocating state until the handshake completes. Disabling unneeded ICMP responses, dropping fragmented oversized packets, and tightening connection timeouts close the doors specific techniques rely on.
  • Patch the targets. Crash attacks like Ping of Death and buffer overflows exploit specific bugs. Keeping operating systems and server software current removes the vulnerability the attack depends on; the reason Ping of Death no longer works is exactly this.
  • Configure application timeouts. Slowloris and other slow attacks beat default timeouts. Setting aggressive limits on how long a connection may stay idle or partial, and capping concurrent connections per source, starves the technique.
  • Plan for capacity and failover. Overprovisioned bandwidth and connection limits, plus load balancing, raise the volume an attacker must reach before a single source can do damage.

Strong network security ties these together: the monitoring that reveals the pattern, the segmentation that contains the blast, and the edge controls that drop the traffic. For single-source DoS, the chain is short. Spot the origin, confirm it is hostile, and block it.

Frequently asked questions

What is a denial-of-service (DoS) attack?

A denial-of-service attack is a cyberattack that makes a system, service, or network unavailable to its users by overwhelming it with traffic or sending input that crashes it. It targets availability rather than data, so there is usually no theft, just an outage. The attack works by exhausting a finite resource such as bandwidth, the connection table, or the server's request-handling capacity until it can no longer serve legitimate users.

What is the difference between DoS and DDoS?

A DoS attack comes from a single machine or connection, while a distributed denial-of-service (DDoS) attack comes from many compromised machines at once, usually a botnet. The distributed version generates far more traffic and is harder to block because the traffic appears to come from everywhere rather than one identifiable source. Single-source DoS is easier to trace and filter, which is the main reason attackers use the distributed form.

What are the main types of DoS attacks?

They fall into two mechanisms. Flood attacks, such as SYN, ICMP, and UDP floods, send more traffic than the target can handle and exhaust bandwidth or connection state. Crash attacks, such as the Ping of Death and buffer overflows, send malformed input that exploits a bug and brings the service down without high volume. By network layer, they are grouped as volumetric, protocol, and application-layer attacks.

Can a single computer take down a server?

Yes, which is what separates DoS from DDoS. A single machine can exhaust a connection table with a SYN flood, hold a web server's connection pool open with a Slowloris attack, or crash an unpatched service with a single malformed packet. Low-volume techniques like Slowloris and buffer overflows do not need a fast connection at all, because they exploit a specific weakness rather than sheer bandwidth.

How do you stop a DoS attack?

For single-source DoS, identify the source and block it. Baseline normal traffic so abnormal volume stands out, use an intrusion detection system to flag flood signatures, and filter or rate-limit the malicious source at the firewall. Harden the stack with SYN cookies and tight timeouts, patch the bugs that crash attacks exploit, and provision enough capacity and failover that one source cannot easily overwhelm the service.

Does a DoS attack steal data?

Generally no. A denial-of-service attack targets availability, not confidentiality, so its goal is to take a service offline rather than to read or copy data. The damage is the disruption: lost revenue, broken access, and the operational cost of responding. A DoS attack is sometimes used as a distraction to occupy defenders while a separate intrusion goes after data, so an outage should not be assumed to be the whole story.

The bottom line

A denial-of-service attack is the availability attack: exhaust a finite resource until a system stops serving its users. From a single source it works by flooding bandwidth or connection state, or by sending one crafted packet that crashes a service that mishandles it. The techniques range from high-volume SYN, ICMP, and UDP floods to low-and-slow attacks like Slowloris and one-shot crashes like the Ping of Death, which is why traffic rate alone is not a sufficient signal.

The single-source nature of plain DoS is the defender's advantage. The traffic concentrates at one origin, which makes it tractable to baseline, detect, and block at the firewall and the network edge, backed by a hardened stack and patched targets. The hard version of this problem is the distributed attack, where the source is everywhere at once and single-IP blocking fails. That is the DDoS case, and it gets its own treatment.
