Threats, Vulnerabilities, and Mitigations · SY0-701 · Task 2.4

Denial-of-service attacks — SY0-701

Security+ SY0-701 concept: Denial-of-service attacks — DoS vs DDoS, availability as the CIA target, and exam misconceptions grounded in NIST.

What it is

A denial-of-service (DoS) attack is the prevention of authorized access to resources, or the delaying of time-critical operations. (CNSSI 4009-2015, via NIST CSRC Glossary.) The thing being damaged is availability — the property of ensuring timely and reliable access to and use of information. (FIPS 200, derived from 44 U.S.C. § 3542, via NIST CSRC Glossary.)

A distributed denial-of-service (DDoS) attack is a denial-of-service technique that uses numerous hosts to perform the attack. (CNSSI 4009-2015, via NIST CSRC Glossary.)

Mental model

Think of availability as a pipe delivering water to authorized users. A DoS attack either blocks the pipe or dumps so much garbage into it that real water cannot get through. A single attacker clogging one end of the pipe is a DoS. Thousands of attackers flooding the pipe from all directions simultaneously is a DDoS. The harm — authorized users cannot get through — is identical; only the origin count and scale differ.

A botnet is the common infrastructure behind DDoS: a network of compromised machines (infected via Trojan-style malware) that a threat actor can remotely direct to generate coordinated attack traffic. (NIST SP 1800-15B/C, via NIST CSRC Glossary.)

When to use it

Scenario                                    | DoS | DDoS
--------------------------------------------|-----|-----
Single-origin traffic flood                 | Yes | No
Traffic from many distributed hosts         | No  | Yes
Botnet named as attack vehicle              | No  | Yes
Single host exhausts all server connections | Yes | No
Blocking requires multiple upstream ISPs    | No  | Yes

The table reflects the NIST CSRC definitions: DoS = prevention or delaying of authorized access; DDoS = that technique executed using numerous hosts.

Common misconception

The exam trap: confusing the attack goal (availability) with the attack method (flooding).

Flooding is the most familiar mechanism, but the NIST definition is goal-oriented — what matters is that authorized access is prevented or delayed. A DoS attack does not have to be a volume flood. Any technique that reliably prevents authorized users from reaching a resource satisfies the definition. Candidates who anchor on "flood = DoS" can be misled by scenarios describing non-volumetric resource exhaustion (for example, consuming all available connection slots with minimal traffic), which is still a DoS because the outcome — authorized users cannot access the resource — is identical.

Similarly, a DDoS is not simply a "bigger DoS" — it is a distributed DoS. The distinguishing criterion under the NIST definition is the use of numerous hosts, not traffic volume. A high-volume attack from a single host remains a DoS, not a DDoS.
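
Both distinctions above, as an added example that is not part of the original page: a triage function over constructed connection-table snapshots that first checks whether a resource is exhausted (the goal), then labels the event by how many hosts cause it (the method). The thresholds, function names and sample addresses are assumptions for illustration; the NIST definitions give no numeric cut-off for "numerous hosts".

```python
from collections import Counter

# Assumptions (constructed for this example, not from NIST or the page):
# a numeric cut-off for "numerous hosts" and a 90% mark for "exhausted".
NUMEROUS_HOSTS = 10
EXHAUSTED = 0.90

def contributing_sources(usage, share=0.80):
    """Smallest set of sources that together account for `share` of the usage."""
    total, running, picked = sum(usage.values()), 0, []
    for src, amount in usage.most_common():
        picked.append(src)
        running += amount
        if running >= share * total:
            break
    return picked

def classify(conns, max_slots, link_capacity_bytes):
    """conns: list of (source_ip, bytes_in_window) for currently open connections."""
    slots = Counter(src for src, _ in conns)
    volume = Counter()
    for src, nbytes in conns:
        volume[src] += nbytes
    if sum(volume.values()) >= EXHAUSTED * link_capacity_bytes:
        mechanism, usage = "volumetric flood", volume
    elif len(conns) >= EXHAUSTED * max_slots:
        mechanism, usage = "connection-slot exhaustion", slots
    else:
        return ("no availability impact", None)
    # The label depends on how many hosts cause the exhaustion, never on volume.
    hosts = contributing_sources(usage)
    return ("DDoS" if len(hosts) >= NUMEROUS_HOSTS else "DoS", mechanism)

# Constructed snapshots (documentation addresses, invented numbers).
LINK = 1_000_000   # bytes the link can carry per observation window
SLOTS = 100        # connections the server can hold open
slow_single = [("192.0.2.7", 40)] * 95 + [("198.51.100.1", 5_000)]
flood_single = [("192.0.2.7", 950_000)] + [("198.51.100.1", 5_000)]
flood_many = [(f"203.0.113.{i}", 20_000) for i in range(1, 51)]
normal = [(f"198.51.100.{i}", 5_000) for i in range(1, 21)]

if __name__ == "__main__":
    for name, snap in [("slow_single", slow_single), ("flood_single", flood_single),
                       ("flood_many", flood_many), ("normal", normal)]:
        print(name, classify(snap, SLOTS, LINK))
```

The `slow_single` snapshot carries under 1% of link capacity yet is still classified as DoS, and `flood_single` saturates the link yet is not DDoS, because only one host is responsible.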

How it shows up on the exam

The cognitive target in this domain is classification and threat identification — recognizing attack types from scenario descriptions and mapping them to the correct term.

Signal phrases to watch for:

  • "authorized users cannot access" or "service is unavailable" → availability / DoS family
  • "numerous compromised machines" or "botnet" → DDoS (numerous hosts, per NIST)
  • "time-critical operations are delayed" → still DoS, even without a complete outage (the NIST definition explicitly includes delaying)
  • Resource exhaustion described without a named flood pattern → do not exclude DoS; the definition covers any prevention or delay of authorized access

A common candidate error is assuming a DoS requires a recognizable flood pattern. The NIST-grounded definition is outcome-focused: if authorized access is prevented or delayed, the condition meets the definition regardless of mechanism.

Related concepts

  • Malware types — botnets, a common DDoS enabler, are assembled via Trojan-category malware
  • Ransomware — also targets availability, but through encryption and extortion rather than traffic-based disruption
  • Rootkits and logic bombs — logic bombs can trigger a DoS condition at a scheduled time, blending categories

Sources

Every claim on this page traces to the public exam blueprint and official documentation:
