Denial of Service (DoS)
An attack that aims to render services unreachable by exhausting resources or saturating network capacity. Impacts availability, operations, and business continuity.
Classification
- Complexity: High
- Impact area: Business
- Decision type: Architectural
- Organizational maturity: Intermediate
Technical context
Principles & goals
Use cases & scenarios
Compromises
- Extended outages with revenue loss.
- Reputational damage and customer churn.
- Misconfigured mitigations (e.g. overly aggressive filters or rate limits) can cut off legitimate traffic and worsen the outage.
- Combine automated detection with escalating mitigations.
- Implement traffic shaping and prioritize critical paths.
- Perform regular incident drills and postmortem analyses.
I/O & resources
- Traffic and flow logs (NetFlow, sFlow)
- Application and WAF logs
- Baseline traffic profiles and SLAs
- Alerts and incident tickets
- Applied throttling or blocking rules
- Post-incident analysis and lessons-learned report
Description
Denial of Service (DoS) is an attack category that aims to render services unavailable by exhausting resources or network capacity. It includes volumetric techniques (saturating bandwidth), protocol techniques (exhausting connection state, e.g. SYN floods) and application-layer techniques (small numbers of expensive requests), and it impacts availability, security and business continuity. Mitigation requires detection against a known traffic baseline, rate limiting, architectural resilience and coordinated incident response, including with upstream providers.
✔Benefits
- Reduced downtime and improved business continuity.
- Improved customer trust through more stable services.
- Lower risk of financial loss and SLA violations.
✖Limitations
- Complete protection is rarely possible; very large attacks can overwhelm resources.
- False positives can impact legitimate traffic.
- Costs for permanent high availability and DDoS services can be significant.
Trade-offs
Metrics
- Mean Time to Detect (MTTD)
Average time to detect a DoS incident.
- Mean Time to Mitigate (MTTM)
Average time from detection until the mitigation measures take effect.
- Availability rate during incident
Percentage of time critical services remain available during an attack.
Examples & implementations
Dyn DDoS 2016 (Mirai)
Large-scale botnet attack using IoT devices that targeted DNS infrastructure and temporarily disrupted many services.
Estonia 2007
Politically motivated DDoS campaigns against government and media sites causing significant infrastructure strain.
Targeted API attacks
Several companies documented application-layer attacks in which a modest volume of deliberately resource-intensive API requests (expensive queries or unbounded result sets) led to outages and performance degradation without ever saturating the network.
Implementation steps
Establish normal traffic baselines and define thresholds.
Configure monitoring and alerting rules; prepare playbooks.
Implement protection layers: CDN, WAF, rate limiting, backpressure.
Conduct regular tests and simulations to validate measures.
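The first three implementation steps (baseline, thresholds and alerting, then throttling as the first escalation) can be exercised end to end on a small model. The following Python is an added example written for this page, not code from the page or from any vendor product; the flow records are constructed in the spirit of per-second NetFlow/sFlow aggregates, the threshold parameters (k = 5 standard deviations with an absolute floor of 20 req/s), the three-consecutive-seconds rule and the token-bucket settings are illustrative assumptions, and the IP addresses are documentation ranges.

```python
"""Baseline-driven DoS detection plus per-client token-bucket throttling.

Added example, not from the original page. Records are constructed, not real traffic.
"""
from collections import defaultdict
import statistics

# Constructed sample: one row per source per second, (second, src_ip, requests),
# as a NetFlow/sFlow exporter might aggregate them. Documentation-range addresses.
LEGIT = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]
ATTACKER = "203.0.113.99"


def make_records(seconds, attack_from=None, attack_rps=500):
    """Legitimate clients send 2-4 req/s with mild jitter; an optional attacker
    starts at `attack_from` and sends `attack_rps` every second afterwards."""
    rows = []
    for t in range(seconds):
        for i, ip in enumerate(LEGIT):
            rows.append((t, ip, 2 + (t + i) % 3))
        if attack_from is not None and t >= attack_from:
            rows.append((t, ATTACKER, attack_rps))
    return rows


def build_baseline(rows):
    """Step 1: mean and population stdev of per-source requests/sec over a quiet window."""
    counts = [req for _, _, req in rows]
    return statistics.mean(counts), statistics.pstdev(counts)


def threshold_from(baseline, k=5, floor=20):
    """Step 1 cont.: mean + k*stdev, never below an absolute floor so that a very
    quiet baseline does not turn ordinary bursts into alerts (assumed parameters)."""
    mean, stdev = baseline
    return max(floor, mean + k * stdev)


def detect(rows, threshold, consecutive=3):
    """Step 2: flag a source only after `consecutive` seconds above threshold.
    Returns {ip: second_of_detection}; the detection time feeds MTTD."""
    streak = defaultdict(int)
    flagged = {}
    for t, ip, req in sorted(rows):
        if req > threshold:
            streak[ip] += 1
            if streak[ip] == consecutive and ip not in flagged:
                flagged[ip] = t
        else:
            streak[ip] = 0  # a single spike is tolerated: fewer false positives
    return flagged


class TokenBucket:
    """Per-client token bucket: `rate` tokens/sec refill, bursts up to `capacity`."""

    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.state = {}  # ip -> (tokens, last_update_second)

    def allow(self, ip, now, n=1):
        tokens, last = self.state.get(ip, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        ok = tokens >= n
        if ok:
            tokens -= n
        self.state[ip] = (tokens, now)
        return ok


def mitigate(rows, flagged, bucket):
    """Step 3, first escalation: throttle flagged sources from their detection
    second onwards; unflagged clients pass untouched. Returns per-source counters."""
    out = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for t, ip, req in sorted(rows):
        throttled = ip in flagged and t >= flagged[ip]
        for _ in range(req):
            if throttled and not bucket.allow(ip, t):
                out[ip]["dropped"] += 1
            else:
                out[ip]["allowed"] += 1
    return dict(out)


if __name__ == "__main__":
    quiet = make_records(60)                    # training window, no attack
    incident = make_records(60, attack_from=30)  # attacker appears at second 30
    thr = threshold_from(build_baseline(quiet))
    flagged = detect(incident, thr)
    print(f"threshold={thr:.1f} req/s, flagged={flagged}")  # attacker at second 32
    stats = mitigate(incident, flagged, TokenBucket(rate=10, capacity=20))
    for ip, c in stats.items():
        print(ip, c)
```

The consecutive-seconds rule and the absolute floor are the knobs that trade MTTD against false positives: lowering either detects sooner but starts throttling legitimate bursts, which is the misconfiguration failure mode the page warns about. In the run above the attacker is flagged two seconds after onset (an MTTD of 2 s in model time) and the three legitimate clients are never dropped.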
⚠️ Technical debt & bottlenecks
Technical debt
- Monolithic components without horizontal scaling.
- Incomplete observability and missing logs.
- Outdated network devices with limited filtering capacity.
Known bottlenecks
Misuse examples
- Accidentally blocking legitimate traffic due to overly strict filters.
- Relying on costly always-on services without needs analysis.
- Disabling detection to boost performance and missing attacks.
Typical traps
- Lack of coordination with upstream providers (ISP, CDN, scrubbing service) delays mitigation of volumetric attacks that cannot be absorbed locally.
- Relying on signature-based detection alone; volumetric floods and novel application-layer attacks are caught by deviations from a traffic baseline, not by signatures.
- Untested playbooks fail to work reliably in live incidents.
Required skills
Architectural drivers
Constraints
- Limited budgets for permanent DDoS defense
- Legacy infrastructure without horizontal scaling
- Legal restrictions on traffic filtering