Denial-of-Service (DoS) Attacks

Bart Lenaerts-Bergmans - April 11, 2023

What Is a Denial-of-Service (DoS) Attack?

A Denial-of-Service (DoS) attack is a cyberattack that floods a machine or network with false requests in order to disrupt business operations. In a DoS attack, users are unable to perform routine and necessary tasks, such as accessing email, websites, online accounts or other resources that are operated by a compromised computer or network.

While most DoS attacks do not result in lost data and are typically resolved without paying a ransom, they cost the organization time, money and other resources in order to restore critical business operations.

How Do DoS Attacks Work?

A DoS attack is most commonly accomplished by flooding the targeted host or network with illegitimate service requests. The hallmark of these attacks is the use of a false IP address, which prevents the server from authenticating the user. As the flood of bogus requests are processed, the server is overwhelmed, which causes it to slow and, at times, crash—at which point, access by legitimate users is disrupted. In order for most DoS attacks to be successful, the malicious actor must have more available bandwidth than the target.

Types of DoS Attacks

There are two main types of DoS attacks:

  1. Those that crash web-based services, called buffer overflows.
  2. Those that flood them, called flood attacks.

Within those two categories, there are different subsets, which vary based on the adversary’s methods, the equipment that is targeted and how the attack is measured.

1. Buffer OverflowsBuffer overflows is the most common form of DoS attack. In this type of exploit, the adversary drives more traffic to a network address than the system is capable of handling. This causes the machine to consume all available buffers, or memory storage regions that temporarily hold data while it is being transferred within the network. A buffer overflow occurs when the volume of data exceeds all available bandwidth, including disk space, memory, or CPU, resulting in slow performance and system crashes.Stack Overflow: Most common type of buffer overflow attack where a computer program tries using memory space in the call stack that has been allocated to. It overrides the boundaries in which the buffer has been on.

Unicode Overflow: It creates a buffer overflow through Unicode, where any character can be created. The attack comes into play when Unicode is inserted on an expected ASCII input. Unicode and ASCII are encoding standards. They allow computers to represent text.
2. Flood AttacksFlood attacks occur when the system receives too much traffic for the server to manage, causing them to slow and possibly stop.ICMP Floods: Commonly called smurf or ping attacks, exploit misconfigured network devices. In these attacks, the adversaries deploy spoofed packets — or the false IP addresses — that “ping” each device on the targeted network without waiting for a reply. As the network manages the surge in traffic, the system will slow and possibly stop.

SYN Flood: It sends a connection request to a server, but never completes the metaphorical “handshake” with the host. These requests continue to flood the system until all open ports are saturated, leaving no available avenues for access for legitimate users.

2024 CrowdStrike Global Threat Report

The 2024 Global Threat Report unveils an alarming rise in covert activity and a cyber threat landscape dominated by stealth. Data theft, cloud breaches, and malware-free attacks are on the rise. Read about how adversaries continue to adapt despite advancements in detection technology.

Download Now

How Can You Identify a DoS Attack?

The signs of a DoS attack can be observed by any network user. Common indicators include:

  • Slow network performance for common tasks, such as downloading/uploading files, logging into an account, accessing a website or streaming audio or video content.
  • Inability to access online resources, including websites or web-based accounts, such as bank accounts, investment portfolios, education materials or health records.
  • An interruption or loss in connectivity of multiple devices on the same network.

Unfortunately, for most system users, the symptoms of a DoS attack often resemble basic network connectivity issues, routine maintenance or a simple surge in web traffic — prompting many to disregard the issue.

DoS vs DDoS

The main difference between a Distributed Denial-of-Service (DDoS) attack and a DoS attack is the origin of the attack. DDoS is an orchestrated attack launched from multiple locations by several systems simultaneously, whereas a DoS attack is singular in nature.

Typically, a DDoS attack is considered to be more sophisticated and poses a much larger threat to organizations because it leverages multiple devices across a variety of geographies, making it more difficult to identify, track and neutralize. Most commonly, DDoS attackers leverage a botnet — a network of compromised computers or devices that are supervised by a command and control (C&C) channel — to carry out this type of synchronized attack.

How can you reduce the risk of a DoS attack

Robin Jackson, principal consultant for CrowdStrike, offered organizations the following tips to prevent, detect and remediate cyberattacks, including DoS attacks. Some of the tips he mentions in the blog post include:

  • Establish consistent and comprehensive training for employees about how to recognize common attack indicators and promote responsible online activity.
  • Verify extortion attempts when adversaries threaten massive DoS attacks. A cybersecurity partner could help the organization quickly investigate the threat and gauge their ability to disrupt operations — potentially saving the organization significant money in the event the threat is not credible.
  • Conduct routine tabletop exercises and penetration testing to improve prevention capabilities by identifying weaknesses in the network architecture.
  • Segregate backups to prevent enumeration if and when ransomware begins to encrypt.
  • Encrypt sensitive data when it is at rest and in motion to reduce the risk of data loss, leakage or theft.
  • Ensure the best instrumentation in order to improve network visibility.
  • Create a communications plan so that your company can manage media inquiries, customer questions and other stakeholders issues quickly and clearly.
  • Contact law enforcement so that officials have more information about cyber criminals and their tactics.

Learn More

Learn how the CrowdStrike Falcon® Platform helped identify a DoS attack affecting a number of websites. Read: Compromised Docker Honeypots Used for DoS Attack


Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and holds +20 years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies including 3Com/Tippingpoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management, as well as product marketing roles.