Denial Of Service, between Wannabes' outdated myth and Professionals' sciences. By CEO of TIA

Unfortunately, many self-proclaimed "cybersecurity experts" (AKA Wannabes), still cling to this idea — misunderstanding the evolved sophistication of Denial-of-Service (DoS) tactics in modern infrastructure. This article is a wake-up call — to separate professionals from wannabes, and to bring clarity to what modern DoS attacks really look like.

DoS Today: Not About Volume, But About Strategy

While volumetric attacks (like UDP floods) still exist — mostly as part of large-scale DDoS attacks — the real power of a modern DoS lies in precision and abuse of logic, not just traffic.

A true professional understands that resource exhaustion, state manipulation, and application-level abuse can take down systems with minimal bandwidth.

TCP State Exhaustion – Death by Half-Connections

DoS can exploit TCP’s connection-handling behavior, not by flooding with data, but by abusing how servers hold state.

Example:

Attackers send a flood of TCP SYN packets, but never complete the handshake.

The server, waiting for the ACKs, keeps these half-open connections in memory.

Eventually, its connection queue fills up, making it unreachable to legitimate clients.

This isn’t about traffic — it’s about starving the system’s ability to accept new connections.

Application Layer Abuse (Layer 7)

Attacks on Layer 7 are especially lethal because they mimic real user behavior, making them hard to detect and block.

Examples:

Time-Based SQLi DoS

Injecting payloads like SLEEP(9999999) into SQL queries causes the database to hang, tying up threads or worker pools.

Stored XSS with External Calls

A simple payload like <img src="http://nonexistent.domain/image.jpg"> forces the server/browser to make unresolvable requests, causing delays or crash loops.

Regex DoS (ReDoS)

Poorly designed regex patterns can be abused to create catastrophic backtracking, consuming CPU and freezing the application.

Chunked Transfer Abuse

Some techniques keep HTTP connections open indefinitely by sending headers or body bytes extremely slowly, starving web server threads.

Queue Starvation – Death by Idle Waits

Web servers, DBs, and backend services all rely on queues. These queues are finite. Holding up these queues with long-running or malicious requests leads to complete resource starvation.

Examples:

Holding onto POST requests without completing them.

Submitting form data that triggers long processing cycles or infinite loops.

Creating backend loops via API abuse.

It’s not about "sending more" — it’s about strategically tying up limited slots.

Outbound Dependency Exploitation

Many systems make outbound HTTP/DNS/file calls based on user input or stored data.

Examples:

SSRF payloads causing services to hang while accessing unreachable internal resources.

XML External Entities (XXE) calling slow remote endpoints.

Stored fields causing auto-fetching of large or nonexistent remote resources.

Even one malicious payload can take down an internal component if that call is blocking or recursive.

The Real Difference: Professionals Exploit Architecture, Not Bandwidth

Wannabes:

“Just send more packets, bro.”

Professionals:

“Let’s hold TCP state open, block the database queue with time-based injections, and stall the backend using logic-layer abuse.”

The difference is depth. True cybersecurity expertise lies in understanding how infrastructure behaves under pressure — and then using that knowledge strategically to simulate or defend against real threats.

Here's an advice:

If you're working in cybersecurity and still think DoS is just "about traffic volume" — it's time to evolve. The game has changed.

As professionals, we must educate, simulate, and defend against these advanced forms of denial — because attackers already know them. And if we don’t start acknowledging this complexity, we’ll keep building systems that crumble under a well-placed SLEEP() / WAITFOR DELAY function or a single <img> tag.

‍

By Elie Ghabash.

‍