DoS attack in AP Cybersecurity

A denial of service (DoS) attack is when an adversary sends malicious traffic to flood a network or device, overwhelming it so legitimate users can't access it. It targets the availability leg of the CIA triad.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is a DoS attack?

A denial of service (DoS) attack is exactly what the name says: the adversary denies you access to a service. They do it by flooding a network or device with so much traffic that it can't keep up, and legitimate requests get drowned out. Think of one ticket window with a thousand fake customers crammed in front of it. The real customers can't reach the counter.

In the AP CED, a DoS attack is one of the things an adversary can do with malicious traffic sent into a network (EK 3.1.B.1). Malicious traffic can also be used to map a network's internal structure or spoof a device, but a DoS specifically aims to disrupt. A classic example is sending thousands of ICMP requests to a network's broadcast address so every connected device responds at once toward a victim, burying it in replies. Networks without firewalls, or with badly configured firewalls, are wide open to this.

Why the DoS attack matters in AP Cybersecurity

DoS attacks live in Unit 3: Securing Networks, under topic 3.1 Network Vulnerabilities and Attacks. They support AP Cybersecurity 3.1.B (explaining how adversaries exploit network vulnerabilities to steal, disrupt, or destroy communication) and AP Cybersecurity 3.1.C (assessing the risk those vulnerabilities create). The big theme here is the CIA triad. Most attacks you study threaten confidentiality or integrity, but a DoS is the textbook attack on availability (EK 3.1.C.1). When a question asks you to name which leg of the triad an attack hits, a DoS is your go-to example for availability.


How the DoS attack connects across the course

ICMP Traffic (Unit 3)

ICMP is the protocol behind ping, and it's a common DoS delivery method. Flooding a broadcast address with ICMP requests makes every device reply at once toward one victim, turning normal network chatter into a weapon.

Firewalls and Network Configuration (Unit 3)

EK 3.1.B.1 says networks without firewalls, or with poorly configured ones, are vulnerable to flooding. The defense against a DoS is the same control that filters other malicious traffic, so a misconfigured firewall puts availability at risk.

MAC Flooding (Unit 3)

MAC flooding overwhelms a switch's address table instead of a whole network, but the logic is identical: bury a target in more than it can handle until it stops working normally. Both are flood-style disruption attacks.

Is the DoS attack on the AP Cybersecurity exam?

Expect DoS attacks in multiple-choice questions about network attacks and malicious traffic. A common stem describes the symptom (an adversary floods a network so legitimate users can't get access) and asks you to name the attack, or describes a flood of ICMP requests to a broadcast address and asks what it accomplishes. You should be able to identify a DoS as an attack on availability and contrast it with a distributed denial of service (DDoS). No released FRQ has used this term verbatim, but the CED connects it directly to risk assessment under 3.1.C, so be ready to explain how a network vulnerability could let an adversary launch one.

DoS attack vs DDoS attack

A DoS attack comes from a single source, one machine flooding the target. A distributed denial of service (DDoS) comes from many machines at once, usually a botnet of compromised devices. DDoS is harder to block because you can't just cut off one IP address. Same goal (deny availability), different scale and number of attackers.
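Seen from the defender's side, the single-source versus many-source distinction and the ICMP broadcast pattern described earlier both show up in traffic records. The Python sketch below is an added example, not part of the original study guide; the addresses, record format, and thresholds are constructed assumptions chosen for illustration.

```python
import ipaddress
from collections import Counter

SUBNET = ipaddress.ip_network("192.0.2.0/24")  # assumed local network (documentation range)
SERVER = "192.0.2.10"                          # assumed protected host

def broadcast_echo_requests(records, subnet=SUBNET):
    """Return ICMP echo requests addressed to the subnet's broadcast address."""
    bcast = str(subnet.broadcast_address)
    return [r for r in records if r["kind"] == "icmp-echo-request" and r["dst"] == bcast]

def classify_flood(records, target=SERVER, threshold=200, dominant_share=0.8):
    """Label one time window of traffic toward `target`.

    Below `threshold` packets: "normal". At or above it: "DoS" if one source
    sent at least `dominant_share` of the packets, otherwise "DDoS".
    Both numbers are illustrative assumptions, not standard values.
    """
    sources = Counter(r["src"] for r in records if r["dst"] == target)
    total = sum(sources.values())
    if total < threshold:
        return "normal", []
    top_src, top_count = sources.most_common(1)[0]
    if top_count / total >= dominant_share:
        return "DoS", [top_src]        # one address a firewall rule could block
    return "DDoS", sorted(sources)     # no single address to block

def rec(src, dst, kind="tcp-syn"):
    return {"src": src, "dst": dst, "kind": kind}

# Constructed one-second windows of traffic (not real captures)
normal = [rec(f"198.51.100.{i}", SERVER) for i in range(1, 21)]
single = normal + [rec("203.0.113.9", SERVER)] * 500
many = normal + [rec(f"203.0.113.{i}", SERVER) for i in range(1, 251)] * 2
# Echo requests to the broadcast address; replies go to the source field's address
broadcast_ping = normal + [rec(SERVER, "192.0.2.255", "icmp-echo-request")] * 300

if __name__ == "__main__":
    for name, window in [("normal", normal), ("single", single), ("many", many)]:
        label, srcs = classify_flood(window)
        print(f"{name}: {label}, {len(srcs)} source(s) listed")
    print("broadcast echo requests:", len(broadcast_echo_requests(broadcast_ping)))
```

In the many-source window the returned list mixes the 20 ordinary clients with the flooding addresses, which is the practical reason a DDoS cannot be stopped by blocking one IP address.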

Key things to remember about DoS attacks

  • A DoS attack floods a network or device with traffic so legitimate users can't access it, attacking the availability leg of the CIA triad.

  • It's one use of malicious traffic an adversary can send into a network, alongside mapping the network or spoofing a device (EK 3.1.B.1).

  • Networks without firewalls, or with misconfigured firewalls, are especially vulnerable to flooding attacks.

  • A DoS comes from one source, while a DDoS uses many compromised machines at once, making it harder to stop.

  • Flooding a broadcast address with ICMP requests is a classic DoS technique because every device responds toward the victim.

Frequently asked questions about DoS attacks

What is a DoS attack in AP Cybersecurity?

It's a denial of service attack, where an adversary floods a network or device with malicious traffic so legitimate users can't access it. In the CED it falls under topic 3.1 and is the main example of an attack on availability.

What's the difference between a DoS and a DDoS attack?

A DoS attack floods the target from a single source, while a DDoS (distributed denial of service) attack floods it from many sources at once, usually a network of compromised devices. The DDoS is harder to defend against because you can't just block one IP address.

Does a DoS attack steal data?

No. A DoS attack disrupts access; it doesn't steal or read data. That's the key distinction: it targets availability, not confidentiality, so the goal is to take a service down rather than spy on it.

How does a DoS attack use ICMP?

ICMP is the ping protocol, and an adversary can abuse it by sending thousands of ICMP requests to a network's broadcast address. Every connected device responds at once toward the victim, and that flood of replies overwhelms the target.

How do you defend against a DoS attack?

A properly configured firewall is the core defense, since EK 3.1.B.1 notes that networks without firewalls or with badly set up ones are the ones most vulnerable to flooding traffic.
