Denial of Service (DoS)
detect, understand, remediate
Denial of service attacks exhaust application resources through crafted requests, algorithmic complexity abuse, or resource flooding, making your service unavailable to legitimate users.
No credit card required. Free plan available forever.
What is denial of service?
Denial of Service (DoS, CWE-400) is a category of attacks that aim to make an application, server, or network resource unavailable to its intended users. Rather than stealing data or gaining unauthorized access, DoS attacks disrupt availability by exhausting system resources such as CPU, memory, disk I/O, network bandwidth, or application-level resources like database connections and thread pools. For businesses that depend on web application uptime, even brief periods of unavailability can result in significant revenue loss and reputational damage.
Application-layer DoS attacks are especially concerning because they can be launched with minimal resources. Unlike volumetric DDoS attacks that require botnets to flood networks with traffic, a single crafted request to a vulnerable endpoint can consume disproportionate server resources. These include algorithmic complexity attacks (such as hash collision attacks or ReDoS), unbounded database queries, and resource-intensive operations triggered by missing rate limiting.
Protecting against denial of service requires a defense-in-depth approach that spans infrastructure, application, and network layers. Rate limiting, request validation, resource quotas, and architectural patterns like circuit breakers all play a role. Organizations that rely solely on network-level protections often remain vulnerable to sophisticated application-layer attacks that look like legitimate traffic to traditional firewalls and load balancers.
How it works
Identify resource-intensive endpoint
The attacker discovers an API endpoint, search function, file upload handler, or computation that consumes significant server resources (CPU, memory, database queries, or disk I/O).
Craft amplification payload
A request is designed to maximize resource consumption: deeply nested JSON, regex-triggering strings, wildcard searches, oversized uploads, or queries that force expensive database operations.
Flood or exhaust resources
The attacker sends repeated requests to the vulnerable endpoint, either at high volume or with payloads that each consume disproportionate resources, rapidly depleting available capacity.
Service becomes unavailable
Server resources are exhausted, causing the application to slow dramatically, return errors, or crash entirely. Legitimate users are unable to access the service until the attack stops or resources are recovered.
Common causes
Missing rate limiting
Endpoints that do not enforce request rate limits allow attackers to send unlimited requests, overwhelming the application with legitimate-looking traffic at unsustainable volumes.
Regular expression DoS (ReDoS)
Complex regular expressions with nested quantifiers and overlapping groups cause catastrophic backtracking when processing crafted input, consuming CPU for seconds or minutes per request.
Unbounded queries and operations
Database queries without pagination limits, search functions without result caps, or recursive operations without depth limits allow a single request to consume unbounded resources.
Large file uploads without restrictions
File upload endpoints that accept arbitrarily large files without size limits, type validation, or concurrent upload restrictions can exhaust disk space, memory, or processing capacity.
How to detect it
Automated detection
- SecPortal's external scanner tests for missing rate limiting on authentication endpoints, API routes, and resource-intensive operations
- Load testing and stress testing tools (k6, Locust, Artillery) identify endpoints that degrade or fail under moderate concurrent load, revealing resource bottlenecks
- Code scanning detects vulnerable regex patterns susceptible to ReDoS, unbounded database queries missing LIMIT clauses, and file upload handlers without size restrictions
Manual testing
- Send rapid bursts of requests to each endpoint to verify that rate limiting is enforced and returns appropriate 429 (Too Many Requests) responses
- Submit deeply nested JSON, extremely long strings, and specially crafted regex-triggering inputs to test for algorithmic complexity vulnerabilities
- Test file upload endpoints with oversized files and concurrent uploads to verify that size limits, timeout controls, and resource quotas are properly enforced
How to fix it
Implement rate limiting on all endpoints
Apply request rate limits to every API endpoint, with stricter limits on authentication, search, and resource-intensive operations. Use sliding window or token bucket algorithms and return 429 status codes when limits are exceeded.
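As an added illustration of the token bucket approach described above (example code written for this page, not SecPortal's implementation), the limiter below keeps one bucket per client and route, refills it continuously, and returns 429 together with a Retry-After value once the burst is spent. The route policies, client identifiers, and the injectable clock are assumptions made for the example.

```python
import math
import time

# Assumed per-route policies: (burst capacity, sustained requests per second).
# Sensitive or expensive routes get a much tighter budget than the default.
POLICIES = {
    "/login": (3, 0.2),       # 3 attempts, then one every 5 seconds
    "/search": (10, 2.0),     # expensive query path
    "default": (60, 10.0),    # everything else
}


class RateLimiter:
    """Per-(client, route) token bucket. `clock` is injectable so tests are deterministic."""

    def __init__(self, policies=POLICIES, clock=time.monotonic):
        self.policies = policies
        self.clock = clock
        self.buckets = {}  # (client_id, route) -> (tokens, last_refill_timestamp)

    def check(self, client_id, route):
        """Return (http_status, retry_after_seconds) for one incoming request."""
        capacity, rate = self.policies.get(route, self.policies["default"])
        now = self.clock()
        key = (client_id, route)
        tokens, last = self.buckets.get(key, (capacity, now))
        # Refill in proportion to elapsed time, never above the burst capacity
        tokens = min(capacity, tokens + (now - last) * rate)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now)
            return 200, 0
        self.buckets[key] = (tokens, now)
        # Seconds until one whole token is available again (sent as Retry-After)
        return 429, math.ceil((1.0 - tokens) / rate)
```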
Enforce request size and complexity limits
Set maximum sizes for request bodies, JSON nesting depth, query string length, and file uploads. Reject oversized or overly complex payloads before they reach processing logic.
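An added example (not from the original page) of rejecting oversized and over-nested JSON before the parser ever runs: a single linear pass counts bracket depth outside string literals, so brackets inside a quoted value do not count and the scan stops as soon as the limit is exceeded. The byte and depth limits are assumed values to be tuned per endpoint.

```python
import json

MAX_BODY_BYTES = 64 * 1024   # assumed limit; tune per endpoint
MAX_JSON_DEPTH = 20          # assumed limit on nesting of objects/arrays


def max_nesting_depth(raw: bytes, limit: int = MAX_JSON_DEPTH) -> int:
    """Count bracket depth in raw JSON, ignoring brackets inside strings.
    Returns limit + 1 as soon as the limit is exceeded (early exit)."""
    depth = peak = 0
    in_string = escaped = False
    for ch in raw:                      # iterating bytes yields ints
        if in_string:
            if escaped:
                escaped = False
            elif ch == 0x5C:            # backslash starts an escape sequence
                escaped = True
            elif ch == 0x22:            # unescaped quote closes the string
                in_string = False
        elif ch == 0x22:
            in_string = True
        elif ch in (0x7B, 0x5B):        # '{' or '['
            depth += 1
            if depth > limit:
                return limit + 1
            peak = max(peak, depth)
        elif ch in (0x7D, 0x5D):        # '}' or ']'
            depth -= 1
    return peak


def parse_request_body(raw: bytes, max_bytes=MAX_BODY_BYTES, max_depth=MAX_JSON_DEPTH):
    """Return (http_status, parsed_payload). Cheap checks run before json.loads."""
    if len(raw) > max_bytes:
        return 413, None                # Payload Too Large
    if max_nesting_depth(raw, max_depth) > max_depth:
        return 400, None                # over-nested: reject before parsing
    try:
        return 200, json.loads(raw)
    except (ValueError, RecursionError):
        return 400, None                # malformed JSON
```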
Set timeouts on all operations
Configure timeouts for database queries, external API calls, file processing, and computation. Use per-request deadlines that terminate any operation exceeding its allocated time budget.
Deploy CDN and WAF for traffic filtering
Use a CDN with built-in DDoS protection to absorb volumetric attacks at the network edge. Configure WAF rules to detect and block application-layer attack patterns before they reach your servers.
Implement circuit breakers and graceful degradation
Design systems to degrade gracefully under load. Use circuit breaker patterns to temporarily disable failing dependencies, and implement queue-based processing for resource-intensive operations to prevent cascading failures.
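The following added example (written for this page, not taken from it) ties the per-request deadline from "Set timeouts on all operations" to the circuit breaker described here: every downstream call receives only the time left in the request's budget, a timed-out or failed dependency counts toward tripping the breaker, and an open breaker fails fast with a fallback instead of queuing more work. The threshold, cooldown, fallback value and the injectable clock are assumptions made for the example.

```python
import time


class Deadline:
    """Per-request time budget shared by every downstream call."""

    def __init__(self, budget_s, clock=time.monotonic):
        self.clock = clock
        self.expires_at = clock() + budget_s

    def remaining(self):
        return max(0.0, self.expires_at - self.clock())


class CircuitBreaker:
    """closed -> open after `threshold` consecutive failures; half-open once
    `cooldown_s` has passed, letting a single probe call decide the new state."""

    def __init__(self, threshold=3, cooldown_s=30.0, clock=time.monotonic):
        self.threshold, self.cooldown, self.clock = threshold, cooldown_s, clock
        self.failures = 0
        self.opened_at = None

    def state(self):
        if self.opened_at is None:
            return "closed"
        return "half-open" if self.clock() - self.opened_at >= self.cooldown else "open"

    def call(self, dependency, deadline):
        """dependency(timeout_s) must honour its timeout and raise TimeoutError."""
        if self.state() == "open":
            return "fallback"              # fail fast: dependency is known bad
        budget = deadline.remaining()
        if budget <= 0:
            return "fallback"              # request already out of time; do no more work
        try:
            result = dependency(timeout_s=budget)
        except (TimeoutError, ConnectionError):
            self.failures += 1
            if self.failures >= self.threshold:
                self.opened_at = self.clock()  # trip, or re-trip from half-open
            return "fallback"
        self.failures, self.opened_at = 0, None  # success closes the circuit
        return result
```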
Find DoS vulnerabilities in your application
SecPortal checks for missing rate limits, unbounded queries, and resource exhaustion vectors. Start free.