{
    "slug": "dos_attack",
    "term": "Denial of Service (DoS)",
    "category": "security",
    "difficulty": "beginner",
    "short": "An attacker overwhelms a system with requests or exploits resource-exhaustion bugs to make it unavailable to legitimate users.",
    "long": "Denial of service attacks range from volumetric floods (UDP amplification, HTTP floods) to application-layer attacks that exploit expensive operations — complex regex matching, deeply nested JSON parsing, or cryptographic operations. PHP applications are vulnerable to application-layer DoS through unbounded file uploads, regex with catastrophic backtracking, or expensive database queries triggered without rate limits. Mitigations include rate limiting, input size restrictions, request timeouts, and caching computed results.",
    "aliases": [
        "Denial of Service",
        "DoS",
        "DDoS",
        "service disruption"
    ],
    "tags": [
        "availability",
        "rate-limiting",
        "infrastructure"
    ],
    "misconception": "Only large volumetric attacks cause denial of service. A single attacker sending requests that trigger expensive regex (ReDoS) or deeply nested JSON parsing can exhaust server CPU or memory just as effectively.",
    "why_it_matters": "A successful DoS renders a service unavailable to legitimate users — application-layer DoS can achieve this with far fewer requests than a network flood by exploiting expensive operations.",
    "common_mistakes": [
        "No rate limiting on computationally expensive endpoints (PDF generation, image resizing, complex reports).",
        "Unbounded input sizes — parsing a 1GB JSON body exhausts memory on a single request.",
        "No timeout on external HTTP calls or database queries — a slow downstream service blocks all threads.",
        "Missing set_time_limit() and memory limits on user-triggered batch operations."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "redos",
        "brute_force"
    ],
    "prerequisites": [
        "rate_limiting",
        "load_testing",
        "circuit_breaker"
    ],
    "refs": [
        "https://owasp.org/www-community/attacks/Denial_of_Service",
        "https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html"
    ],
    "bad_code": "// Unbounded XML parsing — billion laughs / memory exhaustion:\n$xml = file_get_contents('php://input'); // No size limit\n$doc = new DOMDocument();\n$doc->loadXML($xml); // No entity protection or memory limit",
    "good_code": "// Rate limiting per IP — Redis fixed-window counter\npublic function handle(Request \\$req): Response {\n    \\$key   = 'rate:' . \\$req->ip();\n    \\$limit = 100; // per minute\n    \\$count = \\$redis->incr(\\$key);\n    if (\\$count === 1) \\$redis->expire(\\$key, 60);\n\n    if (\\$count > \\$limit) {\n        return response('Too Many Requests', 429)\n            ->header('Retry-After', \\$redis->ttl(\\$key));\n    }\n\n    // Resource limits per request\n    set_time_limit(30);\n    ini_set('memory_limit', '128M');\n\n    return \\$next(\\$req);\n}\n\n// ReDoS — avoid catastrophic backtracking:\n// Bad:  /^(a+)+\\$/ — exponential on 'aaaaaab'\n// Good: /^a+\\$/    — linear",
    "quick_fix": "Layer defences: Cloudflare/WAF at the edge, Nginx rate limiting, PHP-FPM queue limits, and circuit breakers — no single layer stops all DoS; defence in depth matters",
    "severity": "high",
    "effort": "high",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/dos_attack",
        "html_url": "https://codeclaritylab.com/glossary/dos_attack",
        "json_url": "https://codeclaritylab.com/glossary/dos_attack.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Denial of Service (DoS)](https://codeclaritylab.com/glossary/dos_attack) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/dos_attack"
            }
        }
    }
}