Denial of Service
Not every attack tries to steal or read something. Some just try to knock a system offline — to make it stop working for everyone. There is nothing to copy and nothing to sell; the whole goal is to take a service down.
The name for this is a denial-of-service attack: an attacker floods a system with so much bogus traffic or work that real users can't get through. It is an attack on the third of the three things we protect — availability, the system being there when you need it. When thousands of machines pile on together, it becomes a distributed denial of service, usually shortened to DDoS.
Think of a shop with a single phone line. A thousand fake callers ring it at once, all day, saying nothing useful. No real customer can ever get through to place an order. Nothing has been stolen from the shop — but for as long as the line is jammed, the shop is effectively shut.
What Is the Attacker Actually After?
The goal of a denial-of-service attack is simply to make a service unavailable. The attacker overwhelms a server or its network so that legitimate requests fail. When Olivia tries to load the site during the attack, her request either times out or never gets answered.
Notice what is missing here: nothing is read, copied, or changed. This is the one major attack family where the damage is pure downtime. A shop's website going dark on its busiest day, a bank's app refusing to load on payday — that is the harm, and for many businesses it is harm enough.
How Does Flooding Work?
Every server has a limit. It can only handle so many requests at the same time before it runs out of memory, connections, or processing power. A flood attack aims straight at that ceiling.
The idea is to bury the target in far more requests than it was ever built to handle. The server spends all its effort trying to answer a tidal wave of fake traffic, and has nothing left for the real visitors. The system isn't broken in the sense of being hacked open — it is simply too busy to serve anyone.
What Makes It "Distributed"?
A single computer usually can't generate enough traffic to drown a serious service on its own. So attackers rarely work from one machine. Instead they use a botnet — a large group of ordinary computers and devices that have been quietly infected and are now controlled by the attacker, often without their owners noticing.
When the order goes out, every machine in the botnet floods the target at the same moment. Thousands of sources, all at once, add up to a wave far bigger than any one of them could produce. That is a distributed denial of service: the same goal as a plain denial-of-service attack, just carried out by a crowd instead of a single attacker.
Why Is It So Hard to Stop?
You might think the defense is obvious: find the attacker's address and block it. That works against one machine. It falls apart against a botnet, because the flood is coming from thousands of different places at once, scattered around the world.
Worse, much of that traffic looks like ordinary visitors. A fake request and a real one can be nearly identical, so a defender can't simply throw away everything suspicious without also turning away genuine users. Serious defense becomes a question of absorbing and filtering enormous volumes of traffic at scale — which is real, specialized work, and squarely the territory of a deeper course than this one.
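The blocking problem described above, worked through on constructed traffic (an added example, not part of the original lesson): a per-source block removes a single-machine flood completely but removes nothing when the same volume is spread across thousands of sources, even though the total still stands out. The thresholds, traffic figures, addresses and function names are all assumptions made for illustration.

```python
from collections import Counter

# All thresholds and traffic figures below are assumptions chosen for illustration.
PER_SOURCE_LIMIT = 100   # requests one source may send per window before it is blocked
BASELINE_TOTAL = 1600    # normal total requests per window for this hypothetical site
SURGE_FACTOR = 5         # alert when the total exceeds this multiple of the baseline


def addr(group, i):
    """Constructed private-range address; group 1 = real users, group 2 = flood sources."""
    return f"10.{group}.{i // 256}.{i % 256}"


def build_window(flood_sources, per_flood_source, legit_users=400, per_legit_user=4):
    """Return one time window of traffic as a list of source addresses, one per request."""
    window = []
    for i in range(legit_users):
        window += [addr(1, i)] * per_legit_user
    for i in range(flood_sources):
        window += [addr(2, i)] * per_flood_source
    return window


def analyze_window(requests):
    """Apply a per-source block, then check the aggregate rate for the whole window."""
    per_source = Counter(requests)
    blocked = {src for src, n in per_source.items() if n > PER_SOURCE_LIMIT}
    remaining = sum(n for src, n in per_source.items() if src not in blocked)
    return {
        "total": len(requests),
        "sources": len(per_source),
        "blocked_sources": len(blocked),
        "remaining_after_block": remaining,
        "aggregate_alert": len(requests) > BASELINE_TOTAL * SURGE_FACTOR,
    }


if __name__ == "__main__":
    scenarios = {
        "normal day": build_window(0, 0),
        "one source, 20000 requests": build_window(1, 20000),
        "5000 sources, 4 requests each": build_window(5000, 4),
    }
    for name, window in scenarios.items():
        print(name, analyze_window(window))
```

In the distributed case every flood source sends exactly as many requests as a real user, so the per-source rule has nothing to act on; only the aggregate check shows that something is wrong.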
Common Misconceptions
- "A denial-of-service attack steals data." It attacks availability, not confidentiality. The harm is downtime, not theft — though attackers sometimes use one as a smokescreen to distract defenders while they do something else.
- "DoS and DDoS are unrelated." A DDoS is just a denial-of-service attack carried out by many machines at once. Same goal, much bigger scale.
- "You can just block the attacker's address." In a distributed attack the traffic comes from countless machines, so there is no single source to block — and the bad traffic often looks like the good.
Why It Matters
- It shows that "security" includes keeping things running, not just keeping them secret — availability is a goal an attacker can deliberately target.
- It explains why some outages are not bad luck or a glitch, but a deliberate attack aimed at taking a service down.
- It ties botnets to a concrete use: those thousands of hijacked machines are the muscle behind the largest of these attacks.
Knowledge Check
A popular shopping site goes completely dark during a flood of fake traffic, but afterward no customer data turns out to have been stolen or changed. Which of the three things we protect did this attack target?
- Availability — the system being up and reachable
- Confidentiality — keeping the data secret
- Integrity — keeping the data correct
- None — flooding a site with fake traffic is more of a technical glitch than a real security attack
What is the difference between a denial-of-service attack and a distributed denial-of-service attack?
- A DDoS is designed to steal data and credentials, while a plain DoS just takes the service temporarily offline
- A DDoS uses many machines at once; a DoS can come from one source
- They are unrelated attacks that happen to have similar names
- A DDoS attacks passwords, while a DoS attacks the network
Why can't defenders usually stop a large distributed attack just by blocking the attacker's address?
- Because blocking any address is against the law
- Because defenders can't type in each attacker's address fast enough to keep pace with the incoming flood
- Because the traffic comes from thousands of scattered machines
- Because attackers never have an address at all