When you open a website and it suddenly won't load, not because it's broken but because it's overwhelmed, there's a good chance a Denial-of-Service (DoS) attack is involved. These attacks don't usually steal data or break into accounts. Their goal is simple: make a service unavailable to real users by exhausting connections, bandwidth, or computing resources.

Below are four classic DoS techniques, with real-world examples and the practical defenses organizations use today.

SYN Flood Attack: Breaking the Connection Process

A SYN flood targets the normal process computers use to establish a TCP connection.

How it works

  • Attackers send massive numbers of TCP connection requests (SYN packets).
  • The server answers each one (SYN-ACK) and waits for the client's confirmation (ACK).
  • The confirmation never comes, leaving thousands of half-open connections.

Eventually, the server's connection queue fills up and legitimate users can't connect.

Real-world example

Financial institutions and payment gateways have repeatedly been hit with SYN flood campaigns during high-traffic shopping periods and political events. Attackers often combine SYN floods with other traffic floods to maximize disruption while masking the main entry point of the attack.

Defenses

  • SYN cookies: The server avoids allocating memory until a connection is fully confirmed.
  • Connection rate limiting: Limits how quickly new connections can be created from one source.
  • Firewalls and load balancers: Filter suspicious traffic before it reaches the server.
  • DDoS mitigation services: Absorb and analyze connection floods at network edges.
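To make the SYN cookie defense concrete, here is an added illustration (not code from the original article or from any kernel) of how a server can encode the handshake state in its own initial sequence number instead of allocating a half-open connection. The bit layout, MSS table, counter period and secret are assumptions chosen for the example.

```python
import hashlib
import hmac

# Constructed illustration of a SYN cookie, loosely following the Linux
# layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash). The
# constants and encoding here are assumptions, not the kernel's code.

MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values the 3-bit field can encode
COUNTER_PERIOD = 64                   # seconds per counter tick (assumed)
MAX_AGE_TICKS = 2                     # reject cookies older than this

def _hash24(secret, saddr, daddr, sport, dport, client_isn, count):
    """Keyed 24-bit hash binding the cookie to this exact SYN and time slot."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{client_isn}|{count}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(secret, saddr, daddr, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK; nothing is stored for this half-open flow."""
    count = int(now // COUNTER_PERIOD) & 0x1F
    # largest table entry not exceeding the client's advertised MSS
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    h = _hash24(secret, saddr, daddr, sport, dport, client_isn, count)
    return (count << 27) | (mss_idx << 24) | h

def check_cookie(secret, saddr, daddr, sport, dport, client_isn, ack, now):
    """Validate the final ACK; return the MSS to use, or None to drop it."""
    cookie = (ack - 1) & 0xFFFFFFFF          # the client acks server ISN + 1
    count, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
    age = ((int(now // COUNTER_PERIOD) & 0x1F) - count) & 0x1F
    if age > MAX_AGE_TICKS or mss_idx >= len(MSS_TABLE):
        return None                          # stale cookie or field out of range
    if (cookie & 0xFFFFFF) != _hash24(secret, saddr, daddr, sport, dport, client_isn, count):
        return None                          # forged, or replayed from another address
    return MSS_TABLE[mss_idx]
```

The price of statelessness is visible in the code: only the MSS survives the round trip, so other negotiated options are lost unless the server finds another place to carry them, which is why SYN cookies are usually enabled only once the backlog is under pressure.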

Slowloris Attack: Winning by Being Slow

Slowloris is unusual because it doesn't rely on heavy traffic. It exploits how web servers manage open connections.

How it works

  • The attacker opens many HTTP connections.
  • Over each one it sends a partial request extremely slowly, never completing it.
  • The server keeps the connections open, waiting for the requests to finish.

Eventually, all available connection slots are occupied.

Real-world example

Slowloris gained notoriety after successfully disrupting several high-profile web servers configured with limited concurrent connections, including government and media websites during testing demonstrations. Variants of this technique still appear in targeted disruption attempts against smaller organizations without advanced traffic management.

Defenses

  • Timeout limits: Servers close connections that send data too slowly.
  • Connection limits per IP address: Prevent one source from occupying too many slots.
  • Reverse proxies (e.g., Nginx, cloud load balancers): Buffer and manage incoming requests efficiently.
  • Web application firewalls (WAFs): Detect abnormal connection behavior.
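The first two defenses above, a header-completion deadline and a per-IP connection cap, are easy to see in miniature. The following is an added example written for this article (not the article's own code or any real server's implementation); the deadline, the cap and the addresses are assumptions.

```python
from collections import defaultdict

# Constructed example of the two Slowloris countermeasures named above: a per-IP
# cap on concurrent connections and a deadline for finishing the request headers.
# The numbers are assumptions chosen for illustration, not a server's defaults.

HEADER_DEADLINE = 20.0   # seconds a client gets to finish its request headers
MAX_CONNS_PER_IP = 10    # concurrent connections tolerated from one address

class SlowRequestGuard:
    def __init__(self):
        self.conns = {}                  # conn_id -> [ip, opened_at, buf, done]
        self.per_ip = defaultdict(int)   # live connections per client address

    def open(self, conn_id, ip, now):
        """Accept a new TCP connection unless this IP already holds too many."""
        if self.per_ip[ip] >= MAX_CONNS_PER_IP:
            return False
        self.conns[conn_id] = [ip, now, b"", False]
        self.per_ip[ip] += 1
        return True

    def data(self, conn_id, chunk):
        """Feed received bytes; headers are complete at the first blank line."""
        c = self.conns[conn_id]
        c[2] += chunk
        c[3] = b"\r\n\r\n" in c[2]

    def close(self, conn_id):
        ip = self.conns.pop(conn_id)[0]
        self.per_ip[ip] -= 1

    def sweep(self, now):
        """Drop every connection still mid-headers once the deadline has passed."""
        stale = [cid for cid, (ip, t0, buf, done) in self.conns.items()
                 if not done and now - t0 > HEADER_DEADLINE]
        for cid in stale:
            self.close(cid)
        return stale

def simulate():
    """One legitimate client beside a Slowloris-style client dribbling headers."""
    g = SlowRequestGuard()
    g.open("legit", "198.51.100.7", 0.0)
    g.data("legit", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    accepted = sum(g.open(f"slow{i}", "192.0.2.9", 0.0) for i in range(12))
    for _ in range(2):                        # one header line every 10 s
        for i in range(accepted):
            g.data(f"slow{i}", b"X-a: b\r\n")
    return accepted, len(g.sweep(21.0)), "legit" in g.conns
```

Legitimate clients on poor links trip the same deadline, so the values have to be tuned against real request timing; and because a freed slot can be re-taken immediately, the per-IP cap is normally paired with rate limiting on new connections.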

ICMP Flood Attack: Overloading with Network Pings

ICMP is used for diagnostic communication (for example, checking whether a system is reachable).

How it works

  • Attackers send huge numbers of ICMP echo requests ("pings").
  • The target attempts to respond to each one.
  • Bandwidth and processing power become overwhelmed.

Real-world example

ICMP floods have been widely used in large-scale distributed attacks against gaming platforms and online services, where attackers leverage botnets to generate massive volumes of traffic that saturate network links rather than application servers.

Defenses

  • Rate limiting ICMP traffic: Restricts how many requests are processed.
  • Network filtering and access control lists: Block unnecessary ICMP from external sources.
  • Traffic scrubbing centers: Filter malicious packets before they reach the target network.
  • Over-provisioned bandwidth: Helps absorb temporary traffic spikes.

UDP Flood Attack: Overwhelming with Random Traffic

UDP floods exploit the connectionless nature of UDP communication.

How it works

  • Attackers send large volumes of UDP packets to random ports.
  • The target processes each packet and, when no service is listening on that port, may respond with an error message.
  • CPU and network capacity become saturated.

Real-world example

Large distributed attacks against DNS providers and online services have used UDP floods to overwhelm infrastructure. Because many internet services rely on UDP (like DNS and streaming), these floods can disrupt broad portions of online activity.

Defenses

  • Traffic filtering and geo-blocking: Drop suspicious or irrelevant packets.
  • Anycast network distribution: Spreads traffic across multiple data centers.
  • DDoS protection platforms: Detect abnormal traffic patterns automatically.
  • Disable unused UDP services: Reduces attack surface.
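Both the ICMP and the UDP flood sections list "detect abnormal traffic patterns" as a defense. As an added example (not from the original article or any vendor product), the detector below buckets constructed flow records into one-second windows and separates a spray of UDP packets at random ports from a burst aimed at a real service such as DNS; the record format, thresholds and addresses are assumptions.

```python
from collections import defaultdict

# Constructed example: a one-second bucketed detector for the ICMP and UDP
# floods described above, run over constructed flow records, not live traffic.
# Each record is (timestamp, proto, src_ip, dst_ip, dst_port); the thresholds
# and the random-port heuristic are assumptions for illustration.

WINDOW = 1.0            # bucket size in seconds
ICMP_PPS_LIMIT = 50     # echo requests per second toward one host
UDP_PPS_LIMIT = 200     # UDP packets per second toward one host
PORT_SPREAD = 0.5       # distinct dst ports / packets: random-port signature

def detect_floods(records):
    """Return alerts as (window_index, dst_ip, kind, packet_count)."""
    buckets = defaultdict(list)
    for ts, proto, src, dst, dport in records:
        buckets[(int(ts // WINDOW), dst)].append((proto, dport))
    alerts = []
    for (w, dst), pkts in sorted(buckets.items()):
        icmp = sum(1 for proto, _ in pkts if proto == "icmp-echo")
        udp_ports = [dport for proto, dport in pkts if proto == "udp"]
        if icmp > ICMP_PPS_LIMIT:
            alerts.append((w, dst, "icmp-flood", icmp))
        if len(udp_ports) > UDP_PPS_LIMIT:
            # many distinct ports means packets sprayed at closed ports rather
            # than a burst aimed at one real service such as DNS
            spread = len(set(udp_ports)) / len(udp_ports)
            kind = "udp-random-port-flood" if spread >= PORT_SPREAD else "udp-service-flood"
            alerts.append((w, dst, kind, len(udp_ports)))
    return alerts

def constructed_records():
    """Baseline DNS traffic, then a UDP port spray, then an ICMP echo flood."""
    target, recs = "203.0.113.10", []
    for i in range(40):                       # second 0: 40 DNS queries, normal
        recs.append((i * 0.025, "udp", f"198.51.100.{i % 4}", target, 53))
    for i in range(600):                      # second 1: 600 UDP packets, random ports
        recs.append((1.0 + i / 600, "udp", f"192.0.2.{i % 250}", target, 1024 + (i * 7919) % 60000))
    for i in range(300):                      # second 2: 300 echo requests
        recs.append((2.0 + i / 300, "icmp-echo", f"192.0.2.{i % 250}", target, 0))
    return recs
```

Keying the buckets on the destination rather than the source matters here: spoofed or botnet sources spread the load thinly per address, so per-source counters stay quiet while the target's inbound rate is what actually reveals the flood.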

Defense and Prevention Strategies: The Big Picture

Organizations defend against DoS attacks using layered protection that combines network filtering, resilient infrastructure, and smart application controls. At the network level, firewalls, intrusion prevention systems, and traffic rate limiting help block or slow suspicious traffic before it reaches critical systems, while specialized DDoS mitigation services and traffic scrubbing centers absorb and filter large attack volumes. Infrastructure resilience also plays a major role: load balancers, content delivery networks, redundant servers, and scalable cloud resources distribute traffic so no single system becomes a bottleneck. At the application level, servers enforce connection timeouts, limit how many requests each user can make, and rely on web application firewalls to detect abnormal behavior. Continuous monitoring and automated anomaly detection allow security teams to respond quickly by rerouting traffic or activating additional defenses, so services remain available even during large-scale attacks.

Why Understanding DoS Attacks Matters

DoS attacks target the availability of digital services, a critical pillar of cybersecurity. Even simple techniques can cause major disruptions when scaled through botnets or combined into multi-vector attacks.

By understanding how these attacks work and how they're mitigated, organizations and individuals alike gain insight into why modern online services rely on distributed infrastructure, traffic filtering, and constant monitoring to stay available.