DoS incidents are designed to disrupt access to online systems by flooding them with traffic or overwhelming key infrastructure. They can be disruptive, costly, and difficult to manage in real time, especially when they happen without warning. The best way to stay ahead of them is to prepare before anything happens.
By understanding your exposure, identifying which digital assets matter most, and setting up defensive measures early, you give your team a much better chance of staying online. This includes configuring technology to respond automatically, planning how your team will coordinate during an attack, and making sure nothing else gets missed in the pressure of the moment.
What denial of service (DoS) is
Denial-of-service (DoS) attacks try to overload your systems and take your services offline. These attacks can disrupt your operations and have a major impact on your business, so it’s important to be prepared.
There are three main types of DoS attacks:
- Volumetric attacks flood your internet connection with traffic, overwhelming your available bandwidth.
- Protocol attacks target and exhaust resources in your network infrastructure, such as firewalls or load balancers, by sending large volumes of packets.
- Application layer attacks try to crash a specific application, like a website, by flooding it with valid requests or a few carefully crafted malicious ones.
When DoS attacks come from multiple sources at once, they’re known as distributed denial-of-service (DDoS) attacks.
How to prepare for denial-of-service incidents
Protecting against different types of DoS attacks requires a tailored approach. Each type targets a different part of your system, so your response needs to reflect that.
DoS attacks can disrupt your business, especially if they happen during busy periods or affect critical services. Even short outages can have knock-on effects that take time and money to fix.
You can reduce the impact of these attacks by planning ahead. The steps below will help you get started.
Understand your environment
Start by identifying which of your systems and services are accessible from the internet. These are often the first targets of a DoS attack:
- Customer-facing websites or services — these include your public website, online portals, or booking systems.
- Internet-dependent staff tools, like webmail or VPNs — if these go offline, your team may not be able to work effectively.
- Supporting infrastructure services — services like DNS are critical to keeping your websites and tools online.
- Network equipment at the public edge — this includes firewalls, gateways, and routers that interface directly with the internet.
- Cloud-based systems or third-party services — if you’re using infrastructure-as-a-service (IaaS), make sure you understand what’s exposed.
Identify what needs protection
Once you understand your environment, the next step is to work out which systems and services are most critical to your business. These are the ones that need the strongest protection from DoS attacks.
Ask yourself the following questions.
- Would taking this system or service offline affect your customers or staff? Consider whether it’s essential for people to access this tool to do their jobs or interact with your organisation.
- Can your business still function if this service goes offline? Think about how long you could keep operating without it.
- How long could you withstand an outage? For example, could you manage for minutes, hours or longer — and what happens if it stretches beyond that?
- Would an attack on one system affect others? For example, if your website and your internal systems share the same internet connection, a volumetric attack on the website might take both offline.
Once you’ve worked out which systems and services are critical, choose the right controls to protect them. The type of DoS attack you might face determines the kind of protection you’ll need:
- Web services are vulnerable to application layer attacks. Use controls that help filter out bot traffic and prioritise real users.
- Public-facing infrastructure is vulnerable to protocol attacks. Use tools that can detect early signs of resource exhaustion before a host crashes.
- All internet connections are vulnerable to volumetric attacks. Use controls that can absorb or redirect large surges in traffic — often in partnership with your internet service provider.
Talk to your service provider
Your internet or network provider plays a key role in protecting your organisation from DoS attacks, especially volumetric attacks that flood your connection with traffic. Because this traffic passes through their network before it reaches you, they’re well placed to detect and block it early.
Many providers offer a scrubbing service. This filters out malicious traffic while letting legitimate traffic through, helping your services stay available during an attack.
These protections often come at an additional cost. Talk to your provider early to understand what options are available and which ones suit your needs. Some protections need to be in place before an attack starts, so don’t leave it until it’s too late.
Ask how much traffic your provider can handle before their systems, and in turn yours, start to feel the impact.
Implement additional controls
To reduce the impact of a DoS attack, you’ll need to put controls in place that can absorb or deflect traffic before it reaches your systems.
This could involve adding a service or device upstream between the internet and your own systems. For example, you might use a content distribution network (CDN), a specialised network appliance, or a third-party managed service to filter or reroute malicious traffic.
These types of controls help keep your systems online by reducing the load before it hits your infrastructure.
You’ll find more guidance about how to mitigate DoS attacks in the next section.
Document your incident response plan
Once you’ve put the right controls in place to protect your critical websites and services, make sure your incident response plan is up to date and effective.
DoS attacks provide a useful case study for planning. Because they’re disruptive, time-sensitive, and often public-facing, they can clarify how your organisation should respond under pressure.
Use this opportunity to walk through the steps your team would take during an attack. That includes how you’ll communicate, who is responsible for what, and how you’ll coordinate with your service provider.
You’ll find guidance on creating a strong response plan at Own Your Online.
Create an incident response plan | Own Your Online
How to mitigate denial-of-service incidents
There’s no one-size-fits-all response to a DoS attack. How you respond depends on the protections you’ve put in place, and the trade-offs you’re willing to make between system availability and usability.
During an attack, you won’t have time to weigh up your options. That’s why it’s important to make those decisions ahead of time. Plan your response, and make sure your mitigation controls are configured to activate automatically when needed. Your team should also know exactly what to do when an incident occurs.
It’s also critical to tune these controls to your environment. If they’re not set up correctly, a small number of requests to resource-intensive services could take a system offline, even while your protection tools fail to detect anything unusual.
Types of mitigation controls
There are several ways to reduce the impact of a DoS attack. The right choice depends on your systems, your service needs, and how much risk you’re willing to accept.
Here are some of the most common mitigation controls.
Traffic scrubbing
Some distributed denial-of-service (DDoS) protection providers offer traffic scrubbing services. These services act as intermediaries — traffic passes through their network before reaching yours, and they remove, or scrub, malicious traffic along the way.
Some services focus on volumetric attacks, while others also help protect against protocol or application layer attacks using other techniques listed below.
Source or location blocking
This approach adds the attack source, such as an IP address, CIDR range, or geographic location, to a deny list in your network device or content distribution network (CDN).
Attackers may switch IP ranges or locations to avoid blocks, so this method should always be combined with other mitigations.
Pattern and behaviour blocking
Your network device or CDN may be able to learn what normal traffic looks like and automatically block traffic that behaves abnormally. This might include malformed packets or repeated, oversized requests.
These tools can also identify and stop known patterns based on past incidents.
Disabling dynamic content
Dynamic content can put extra load on your servers. If your website uses features that generate a lot of requests, like graphs or live data, consider disabling them during an attack.
Turning off non-essential features reduces backend calls and helps your system stay online under pressure.
Using CAPTCHA
For application layer attacks, you can add CAPTCHA challenges to slow down or block bot traffic. This forces bots to complete a test before sending a request to your servers.
However, CAPTCHA can also affect legitimate users — especially those using accessibility tools — so weigh this option with your technical and business teams before implementation.
You could serve CAPTCHA challenges to any requests that appear to be bot traffic. That way, each request would require a valid CAPTCHA response before reaching your servers.
Tuning and readiness
Make sure your mitigation tools are tuned to your environment. They must activate at the right time to be effective. If thresholds are set too high, they may trigger too late, or not at all.
Being prepared and understanding the capacity of each layer in your system is essential. When an attack hits, you won’t have time to fine-tune your defences.
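The tuning problem described above, as an added example that is not part of the original guidance: a per-source threshold on request count alone misses a small number of requests to a resource-intensive service, while a threshold on estimated backend cost flags it. The endpoint paths, cost weights, thresholds and sample traffic are constructed assumptions.

```python
from collections import defaultdict

# Assumed relative backend cost per endpoint (constructed; measure your own services).
ENDPOINT_COST = {"/": 1, "/static/app.css": 1, "/search": 20, "/report/export": 200}

def flag_sources(requests, window_s, max_requests, max_cost):
    """Return {source: [reasons]} for sources over a threshold in any time window.

    requests: iterable of (timestamp_seconds, source_ip, path).
    """
    counts = defaultdict(int)  # (source, window index) -> number of requests
    costs = defaultdict(int)   # (source, window index) -> summed endpoint cost
    for ts, src, path in requests:
        key = (src, int(ts // window_s))
        counts[key] += 1
        costs[key] += ENDPOINT_COST.get(path, 1)  # unknown paths count as cheap
    flagged = defaultdict(set)
    for (src, _window), n in counts.items():
        if n > max_requests:
            flagged[src].add("request_rate")
    for (src, _window), c in costs.items():
        if c > max_cost:
            flagged[src].add("backend_cost")
    return {src: sorted(reasons) for src, reasons in flagged.items()}

# Constructed traffic inside one 60-second window (documentation IP ranges).
SAMPLE = (
    [(i * 0.5, "198.51.100.7", "/") for i in range(120)]               # 120 cheap requests
    + [(i * 6.0, "203.0.113.9", "/report/export") for i in range(10)]  # 10 expensive requests
    + [(i * 10.0, "192.0.2.44", "/search") for i in range(5)]          # ordinary user
)

def demo():
    # Count-only tuning: the cost threshold is effectively disabled.
    count_only = flag_sources(SAMPLE, 60, max_requests=100, max_cost=float("inf"))
    # Tuned to the environment: a cost budget per source per window is enforced too.
    tuned = flag_sources(SAMPLE, 60, max_requests=100, max_cost=1000)
    return count_only, tuned

if __name__ == "__main__":
    for label, result in zip(("count only", "cost-aware"), demo()):
        print(label, result)
```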
Additional incident response steps
Alongside your technical mitigations, your incident response plan should include several key actions to help you manage a DoS attack effectively.
Check for other events
DoS attacks are relatively simple to launch, but they can create a lot of noise in your logs and dashboards. In some cases, attackers use them as a smokescreen to distract from other activity.
Make sure your playbook includes steps for carefully monitoring network and application logs. Your team should watch for unusual patterns or events that might otherwise be missed during a response.
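One way to script the log check described above, as an added example that is not part of the original guidance: it separates the request signature that dominates the logs during a flood from the rare events a responder should still review. The log format (common log format), thresholds and sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Common log format: source, identity, user, [time], "METHOD path protocol", status
LINE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def signature(entry):
    return (entry["method"], entry["path"], entry["status"])

def triage(lines, flood_share=0.5, rare_max=2):
    """Return (flood signatures, rare entries) from raw access-log lines."""
    parsed = [m.groupdict() for m in map(LINE.match, lines) if m]
    if not parsed:
        return set(), []
    seen = Counter(signature(e) for e in parsed)
    # A signature that makes up most of the traffic is treated as the flood.
    flood = {s for s, n in seen.items() if n / len(parsed) >= flood_share}
    # What is left and occurs only a few times is easy to miss in the noise.
    rare = [e for e in parsed
            if signature(e) not in flood and seen[signature(e)] <= rare_max]
    return flood, rare

def log_line(src, method, path, status):
    return f'{src} - - [01/Jan/2025:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512'

def sample_lines():
    # Constructed log: a flood on "/", ordinary browsing, and a few admin logins.
    return (
        [log_line(f"198.51.100.{i % 250}", "GET", "/", 200) for i in range(400)]
        + [log_line("192.0.2.10", "GET", "/products", 200)] * 12
        + [log_line("203.0.113.5", "POST", "/admin/login", 401)] * 2
        + [log_line("203.0.113.5", "POST", "/admin/login", 200)]
    )

if __name__ == "__main__":
    flood, rare = triage(sample_lines())
    print("flood signatures:", flood)
    for e in rare:
        print("review:", e["src"], e["method"], e["path"], e["status"])
```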
Have off-network communications ready
A DoS attack may also affect your ability to communicate, especially if your phones or email rely on the affected network.
Prepare a backup method for your incident response team to stay in touch. This could include a cloud-based chat platform or secure messaging app, like Signal. Make sure everyone knows how and when to switch to the backup system if required.
Key takeaways
- Know where you’re exposed. The first step is to get a clear view of what parts of your organisation are accessible from the internet, including websites, remote access tools, and third-party platforms. These are the areas most likely to be targeted in a disruption attempt.
- Protect what matters most. Not every service is equally critical. Focus on the systems that your staff and customers rely on every day. Consider the flow-on effects if one service goes offline, and how long you could operate without it.
- Coordinate with your provider. Your internet or network provider is often your first line of defence in a large-scale surge. Talk to them early about what protection options they offer, what capacity they can handle, and what services might cost extra to activate.
- Choose smart defences. There is a range of tools that can help, from blocking suspicious patterns to filtering traffic through a third party. Each has its strengths and trade-offs. What matters most is that your tools are tuned to act fast and trigger before real harm is done.
- Plan beyond the tech. A response plan isn’t just about IT systems — it’s about people, decisions, and communication. Make sure your team has a reliable way to communicate if your usual tools are affected, and stay alert to other threats that could hide in the noise of an attack.