Episode 147: Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
Availability is one of the three pillars of the CIA triad, and when it’s compromised, even the most secure and well-configured systems can become useless. If users can't access services, applications stall, revenue is lost, and trust begins to erode. That’s why denial-of-service attacks are such a dangerous and persistent threat. These attacks target network resources, applications, or infrastructure components with the goal of overwhelming them, preventing legitimate users from accessing critical systems. DoS attacks don’t need to steal data to cause damage—they succeed simply by making systems unavailable.
This episode focuses on how denial-of-service attacks work, the differences between single-source and distributed attacks, the symptoms administrators should look for, and the tools and strategies used to prevent or mitigate them. From protocol-based exploits to massive distributed floods, DoS attacks come in many forms but share the same goal: disrupt availability. These topics are common on the Network Plus exam and show up in real-world incidents on a regular basis. Knowing how to detect, interpret, and defend against these threats is a key skill for any network professional.
A denial-of-service (DoS) attack occurs when a system, service, or network is overwhelmed by excessive requests or malicious traffic, rendering it unable to respond to legitimate users. These attacks can be simple—sending too many packets in a short period—or sophisticated, exploiting bugs in services to crash them. What matters is the result: a loss of service availability. DoS attacks can be launched manually or automated using simple scripts. On the exam, you’ll need to define what a DoS attack is and explain how it undermines availability.
DoS attacks typically exploit a protocol or an application’s limitations. For example, a web server might be hit with thousands of simultaneous HTTP requests, exhausting its ability to process connections. Or a protocol like TCP might be manipulated to consume memory or CPU without completing the expected handshake. These attacks aren’t always high-volume—they can involve carefully crafted requests that drain system resources or trigger unexpected behavior. On the exam, be prepared to match different types of attacks to their effect on resources.
Common symptoms of DoS attacks include slow response times, complete timeouts when attempting to access services, CPU or memory usage spiking on network devices, or sudden drops in performance. You may also see unusual logs with repeated connection attempts, errors, or unexpected traffic patterns. In severe cases, applications may crash or reboot, and entire segments of the network may become inaccessible. Exam questions may describe symptoms and require you to identify that a DoS attack is likely underway.
A distributed denial-of-service (DDoS) attack is a more powerful version of a DoS attack. Instead of coming from one source, the attack is launched from hundreds or thousands of devices spread across the Internet. This creates a flood of traffic that’s much harder to block because it doesn’t come from a single IP or location. DDoS attacks often rely on botnets—networks of compromised machines controlled remotely by attackers. The massive scale of a DDoS attack increases both its impact and its ability to evade simple defenses. On the exam, understanding the distributed nature of DDoS is essential.
Botnets are groups of infected devices—such as computers, servers, or IoT systems—that an attacker controls remotely, usually through malware that checks in with a command-and-control server for instructions. Once infected, the devices can be triggered on command to send traffic to a target, overwhelming it from many directions at once. Because the traffic comes from so many sources, and each source may send only a modest amount, it’s hard to distinguish legitimate requests from malicious ones. Botnets may include devices spread across dozens of countries. For the exam, be able to explain how botnets amplify the effect of denial-of-service attacks.
There are multiple types of DDoS attacks, each targeting a different layer of the OSI model. Volumetric attacks flood the target with high-bandwidth traffic, saturating Internet links or routers; they are measured in bits per second. Protocol attacks exploit the way network stacks and stateful devices allocate resources: half-open connection requests or malformed packets tie up state table entries and processing power on servers, firewalls, and load balancers, so these are measured in packets per second rather than bandwidth. Application-layer attacks focus on specific services like web servers, sending requests that appear legitimate but exhaust backend resources such as database queries or login processing. They need far less bandwidth and are particularly hard to detect because they mimic real user behavior. The exam may present scenarios where you need to match symptoms to the correct attack type.
Amplification attacks are a particularly efficient form of DDoS. They work by sending small requests to open services like DNS or NTP that generate much larger responses. The attacker spoofs the victim’s IP address in the request, so the service sends its reply to the target instead of back to the attacker. This works because these services run over connectionless UDP, which never verifies the source address with a handshake. The response can be tens of times larger than the request, sometimes by factors of 50 or more, so a modest amount of attacker bandwidth becomes a very large flood at the victim, and the victim sees the traffic arriving from otherwise legitimate servers. Two countermeasures follow directly: do not leave resolvers or NTP servers open to the whole Internet, and filter outbound packets with spoofed source addresses at the network edge so the forged requests never leave the originating network. The exam may ask you to identify amplification attacks and understand how they misuse public-facing services.
One common DoS technique is the SYN flood. This attack exploits the TCP three-way handshake by sending a large number of SYN packets to initiate connections but never completing the handshake. For each SYN, the target replies with a SYN-ACK and holds a half-open connection entry while it waits for the final ACK, which never arrives; the source addresses are usually spoofed, so the SYN-ACKs go nowhere. The backlog of half-open connections fills up, and new SYNs from legitimate clients are dropped until old entries time out. This is a classic example of resource exhaustion at the protocol level: it needs comparatively little bandwidth, because the cost is in state held by the victim rather than bytes on the wire. On the exam, be ready to recognize SYN floods as a specific subtype of protocol-based DoS.
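The following is an added simulation, not code from the episode, that models the mechanism just described: a listener with a fixed half-open backlog and a reap timeout, an attacker sending spoofed SYNs that are never acknowledged, and one legitimate client trying to connect every half second. For contrast it also models a SYN-cookie listener that keeps no per-SYN state (the cookie derivation, the secret, the backlog size of 128 and the 3 s timeout are all assumptions chosen for the model, not values from the episode or from any particular operating system).

```python
"""Constructed model of a TCP listener's half-open backlog under a SYN flood.

Two listener modes are compared: a stateful backlog that reserves a slot for every
SYN it answers (what a SYN flood exhausts) and a SYN-cookie listener that keeps no
state until the final ACK arrives. Times are integer milliseconds.
"""
import hashlib
import hmac

COOKIE_SECRET = b"assumed-server-secret"   # assumption: a real kernel rotates this


class Listener:
    def __init__(self, backlog, timeout_ms=3000, syn_cookies=False):
        self.backlog = backlog            # maximum half-open entries held
        self.timeout_ms = timeout_ms      # how long an unanswered SYN-ACK is kept
        self.syn_cookies = syn_cookies
        self.half_open = {}               # (src_ip, src_port) -> ms the SYN arrived
        self.established = 0
        self.dropped = 0                  # SYNs discarded because the backlog was full

    def _reap(self, now):
        """Expire half-open entries whose SYN-ACK was never acknowledged."""
        for key in [k for k, t in self.half_open.items() if now - t >= self.timeout_ms]:
            del self.half_open[key]

    def _cookie(self, src, now):
        """Stateless ISN derived from secret, source and a 64 s time slot (simplified)."""
        msg = f"{src[0]}:{src[1]}:{now // 64000}".encode()
        return int.from_bytes(hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, src, now):
        """Answer a SYN; return the ISN placed in the SYN-ACK, or None if the SYN is dropped."""
        if self.syn_cookies:
            return self._cookie(src, now)       # nothing stored, so nothing to exhaust
        self._reap(now)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return None                         # silently dropped; the client times out
        self.half_open[src] = now               # slot reserved until ACK or timeout
        return 0

    def on_ack(self, src, ack_isn, now):
        """Final ACK of the handshake; True if the connection is established."""
        if self.syn_cookies:
            ok = ack_isn == self._cookie(src, now)   # recompute instead of looking up
        else:
            self._reap(now)
            ok = self.half_open.pop(src, None) is not None
        self.established += int(ok)
        return ok


def simulate(backlog=128, attack_pps=500, duration_ms=5000, syn_cookies=False, step_ms=10):
    """Attacker sends attack_pps SYNs/s from spoofed sources and never ACKs; one
    legitimate client connects every 500 ms and ACKs 50 ms later. Returns counters."""
    lst = Listener(backlog, syn_cookies=syn_cookies)
    pending = {}                              # legitimate src -> (ack due at, isn)
    legit_attempts = 0
    spoofed = 0
    for now in range(0, duration_ms, step_ms):
        for _ in range(attack_pps * step_ms // 1000):
            spoofed += 1                      # spoofed source: the SYN-ACK goes nowhere
            lst.on_syn((f"198.51.100.{spoofed % 254 + 1}", 1024 + spoofed % 60000), now)
        for src, (due, isn) in list(pending.items()):
            if now >= due:
                lst.on_ack(src, isn, now)
                del pending[src]
        if now % 500 == 0:
            legit_attempts += 1
            src = ("203.0.113.10", 40000 + legit_attempts)
            isn = lst.on_syn(src, now)
            if isn is not None:
                pending[src] = (now + 50, isn)
    return {"legit_attempts": legit_attempts, "established": lst.established,
            "attacker_syns_dropped": lst.dropped, "half_open_at_end": len(lst.half_open)}


if __name__ == "__main__":
    for mode in (False, True):
        print("syn_cookies" if mode else "stateful backlog", simulate(syn_cookies=mode))
```

With the stateful backlog, only the first legitimate client (which connects before the backlog fills) gets through; the other nine are dropped for the rest of the run, even though the attacker is sending just 500 packets per second. The cookie listener establishes all ten, because nothing is stored until a valid ACK arrives.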
DoS and DDoS attacks can have a serious impact on network devices. Routers and firewalls may become overwhelmed with traffic, forcing them to reboot or drop packets. Switches may fail to forward traffic correctly. Load balancers and application servers may crash under pressure, making websites or services unreachable. In some cases, even upstream carriers may be affected. You’ll need to understand how these attacks affect each layer of the network and identify the correct countermeasures when prompted on the exam.
For more cyber-related content and books, please check out cyber author dot me. Also, there are other podcasts on Cybersecurity and more at Bare Metal Cyber dot com.
Rate limiting and throttling are among the most straightforward but effective defenses against DoS and DDoS attacks. These mechanisms restrict how many requests a device, user, or IP address can send to a system in a given time frame. By limiting the rate of inbound connections or application-layer requests, services can slow down attackers without cutting off legitimate users entirely. Rate limits are often implemented at the firewall, proxy server, or application level. Per-source limits work best against a single-source or small-scale flood; a large botnet can stay under any per-IP threshold, and spoofed sources turn the limiter’s own tracking table into a resource that must be bounded. On the Network Plus exam, you may be asked how rate limiting helps maintain availability during flooding scenarios and where it fits in the mitigation chain.
Blackhole and sinkhole routing are network-level techniques that help contain the spread of DDoS traffic. In blackhole routing, traffic destined for a particular target is routed to a null interface—essentially discarding the traffic rather than delivering it. Note that this completes the attacker’s goal for the blackholed address: it is used when an attack is so overwhelming that sacrificing one destination is the only way to protect the rest of the network and the upstream links. Sinkhole routing is more selective—it redirects the suspect traffic to a controlled environment for analysis or monitoring. ISPs often automate blackhole routing for customer networks, for example by letting a customer announce a victim prefix with a BGP community that the provider drops at its edge (remotely triggered black hole routing). The exam may ask you to recognize these tactics and describe their use in real-time mitigation.
Geo-blocking and IP filtering are tools used to control where traffic is accepted from. If a DDoS attack originates mostly from a particular region or set of known malicious IP addresses, those sources can be blocked outright. This reduces the overall traffic volume and may allow services to remain operational for trusted users. However, these methods are not foolproof. IP spoofing and distributed botnets make it difficult to determine the true origin of traffic. On the exam, be prepared to explain the benefits and limitations of IP filtering and regional blocking in denial-of-service defense.
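To make the two previous defenses concrete, here is an added example (written for this page, not code from the episode) of an edge filter that first drops sources inside a blocklisted range and then applies a per-source token bucket. The blocklist range, the rates and the traffic mix are constructed for the demonstration; the bounded source table is there because, as noted above, spoofed or widely distributed sources would otherwise make the limiter’s own state the thing that gets exhausted.

```python
"""Constructed edge filter: a CIDR blocklist in front of per-source token-bucket
rate limiting. Times are seconds as floats."""
import ipaddress
from collections import OrderedDict


class TokenBucket:
    """Classic token bucket: `rate` tokens per second refill, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class EdgeFilter:
    def __init__(self, blocklist, rate, burst, max_sources=10000):
        self.blocked = [ipaddress.ip_network(n) for n in blocklist]   # geo or reputation ranges
        self.rate, self.burst = rate, burst
        self.max_sources = max_sources     # the tracking table is itself a finite resource
        self.buckets = OrderedDict()       # src_ip -> TokenBucket, least recently seen first

    def decide(self, src_ip, now):
        """Return 'blocked', 'throttled' or 'allowed' for one request from src_ip."""
        ip = ipaddress.ip_address(src_ip)
        if any(ip in net for net in self.blocked):
            return "blocked"
        bucket = self.buckets.get(src_ip)
        if bucket is None:
            if len(self.buckets) >= self.max_sources:
                self.buckets.popitem(last=False)   # evict the least recently seen source
            bucket = self.buckets[src_ip] = TokenBucket(self.rate, self.burst)
        else:
            self.buckets.move_to_end(src_ip)
        return "allowed" if bucket.allow(now) else "throttled"


def run_demo():
    """Two seconds of constructed traffic: a normal client at 2 req/s, a single-source
    flood at 200 req/s, and a source inside the blocked range. Returns verdict counts."""
    edge = EdgeFilter(["203.0.113.0/24"], rate=5, burst=10)
    verdicts = {}
    for ms in range(0, 2000):
        now = ms / 1000
        sources = []
        if ms % 500 == 0:
            sources.append("198.51.100.7")     # normal client
        if ms % 5 == 0:
            sources.append("192.0.2.66")       # single-source flood
        if ms % 100 == 0:
            sources.append("203.0.113.9")      # inside the blocklisted range
        for src in sources:
            v = edge.decide(src, now)
            verdicts.setdefault(src, {}).setdefault(v, 0)
            verdicts[src][v] += 1
    return verdicts


if __name__ == "__main__":
    for src, counts in run_demo().items():
        print(src, counts)
```

The normal client never runs out of tokens, the blocklisted source never reaches the bucket at all, and the flooder gets its initial burst of ten plus roughly five requests per second afterwards while the remaining few hundred are throttled. Change the flooder to rotate through a few thousand source addresses and the per-source limit stops helping, which is exactly the limitation the text describes.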
Cloud-based DDoS protection services have become a go-to solution for mitigating large-scale attacks. These services sit in front of the customer’s infrastructure, inspecting and filtering traffic before it reaches the network. They use massive bandwidth capacity and distributed filtering systems to absorb and scrub attack traffic. Many content delivery networks (CDNs) and managed security providers offer DDoS protection as a service. These systems scale automatically and are particularly effective against volumetric attacks. They only help if the traffic actually flows through them: the service’s DNS records must point at the provider, and the origin servers’ real addresses must not be reachable directly, or an attacker can simply bypass the scrubbing layer. On the exam, expect to recognize when cloud-based DDoS protection is appropriate and what advantages it offers over on-prem solutions.
Behavioral anomaly detection plays a major role in identifying DoS and DDoS attacks early. These systems monitor traffic baselines over time—tracking normal patterns of user behavior, connection volume, and request rates. When deviations occur, such as a sudden spike in failed connections or unexpected request types, alerts are triggered. Anomaly detection can identify attacks that don’t follow predictable patterns or that bypass signature-based systems. For the exam, anticipate questions that contrast anomaly-based detection with traditional intrusion detection methods and highlight its role in dynamic threat recognition.
Log analysis is critical for identifying DoS indicators, especially during post-event investigation or early-stage detection. Reviewing firewall, web server, and authentication logs helps reveal patterns such as repeated requests from a single source, incomplete handshakes, or massive numbers of requests to a single endpoint. These signs can indicate a flooding or slow-drip DoS attack in progress. Correlating logs across time and devices helps determine whether a disruption was caused by a legitimate surge in traffic or by malicious intent. On the exam, you may be asked to analyze log samples or determine which logs help identify specific symptoms of an ongoing attack.
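The two previous paragraphs, on baseline-based anomaly detection and on reading web server logs for flood indicators, are illustrated by this added example (written for this page, not code from the episode). It parses common-log-format lines, learns a per-minute request baseline from the earliest windows, flags later windows that exceed mean plus three standard deviations, and reports the top sources, top paths and server-error share inside the flagged windows. The log lines are constructed here; the three-sigma threshold and the ten-minute baseline are assumptions for the demonstration.

```python
"""Parse constructed web server access log lines and flag flood indicators.

A per-minute request count baseline is learned from the earliest windows; later
windows that exceed mean + k * stdev are flagged, and the top sources and paths in
those windows are reported so a single-source flood or a hammered endpoint stands out.
"""
import re
import statistics
from collections import Counter
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse(line):
    """Parse one common-log-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyze(lines, window_s=60, baseline_windows=10, k=3.0):
    """Return anomalous windows, top talkers, top paths and error share in flagged windows."""
    records = [r for r in map(parse, lines) if r]
    per_window = Counter(int(r["ts"].timestamp()) // window_s for r in records)
    ordered = sorted(per_window)
    base = [per_window[w] for w in ordered[:baseline_windows]]
    # Floor the deviation at 1 so a perfectly flat baseline does not flag every blip.
    threshold = statistics.mean(base) + k * max(statistics.pstdev(base), 1.0)
    flagged = {w: per_window[w] for w in ordered[baseline_windows:] if per_window[w] > threshold}
    in_flagged = [r for r in records if int(r["ts"].timestamp()) // window_s in flagged]
    errors = sum(1 for r in in_flagged if r["status"].startswith("5"))
    return {
        "threshold": threshold,
        "anomalous_windows": {datetime.fromtimestamp(w * window_s, tz=timezone.utc).isoformat(): c
                              for w, c in flagged.items()},
        "top_talkers": Counter(r["ip"] for r in in_flagged).most_common(3),
        "top_paths": Counter(r["path"] for r in in_flagged).most_common(3),
        "error_share": errors / len(in_flagged) if in_flagged else 0.0,
    }


def _fmt(ip, ts, method, path, status):
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "{method} {path} HTTP/1.1" {status} 512'


def make_sample_log():
    """Constructed log: ten quiet minutes, then one minute flooded from a single source."""
    start = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    ips = ["198.51.100.10", "198.51.100.11", "203.0.113.5"]
    paths = ["/", "/products", "/login"]
    lines = []
    for minute in range(10):
        for i in range(5 + minute % 3):                      # 5 to 7 requests per minute
            ts = start + timedelta(minutes=minute, seconds=i * 7)
            lines.append(_fmt(ips[i % 3], ts, "GET", paths[i % 3], 200))
    for i in range(300):                                     # 300 POSTs to /login in one minute
        ts = start + timedelta(minutes=10, seconds=i // 5)
        lines.append(_fmt("192.0.2.77", ts, "POST", "/login", 503 if i >= 100 else 200))
    return lines


if __name__ == "__main__":
    for key, value in analyze(make_sample_log()).items():
        print(key, value)
```

On the constructed log the baseline averages about six requests per minute, so the 300-request minute is flagged, one source accounts for all of it, every request hits the same endpoint, and two thirds of the responses are 503s. In a real investigation those three views together (volume per window, top talker, top path) are what separate a single-source application-layer flood from a legitimate traffic surge, which would show many sources and a normal path mix.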
The Network Plus exam emphasizes not just definitions, but practical application. You'll be expected to know the differences between DoS and DDoS, match symptoms like CPU spikes or network slowdowns to likely attack types, and identify which tools—such as rate limiting, anomaly detection, or geo-blocking—can mitigate the impact. You’ll also be asked to match attack types to OSI layers, such as SYN floods operating at the transport layer, or HTTP floods at the application layer. Understanding how these attacks work, how they’re detected, and how they’re stopped is central to securing availability.
To summarize, denial-of-service and distributed denial-of-service attacks aim to make services unusable, not by breaching defenses, but by overwhelming them. They can target bandwidth, protocols, or applications, and can be launched by a single actor or thousands of distributed devices. Detection and response rely on monitoring, logging, automation, and layered defenses. Whether it’s throttling traffic, redirecting bad packets, or filtering malicious sources, a successful defense requires both strategy and technology. For the exam and for real-world network defense, mastering these tools and concepts is essential.
To conclude Episode One Hundred Forty-Seven, protecting availability is a top priority for network administrators. DoS and DDoS attacks threaten this availability directly, using brute force or protocol manipulation to render services unreachable. Understanding how these attacks function, recognizing the signs of an ongoing flood, and applying appropriate defenses ensures that your network stays online when it matters most. These are high-priority topics on the Network Plus exam, and they’re a daily concern in any environment that depends on stable, secure connectivity.
