CS11 — Tracking Cookies and DOS Attacks
- I can describe what tracking cookies are and how they are used to follow browsing behaviour across websites
- I can explain the privacy concerns associated with tracking cookies
- I can describe what a denial of service (DOS) attack is and explain how it works
- I can describe the symptoms, effects, costs, type of fault, and reasons associated with a DOS attack
- I can explain the difference between a DOS and a Distributed DOS (DDOS) attack
- I can explain how a third-party tracking cookie follows a user across different websites and builds an advertising profile
- I can state at least two privacy concerns associated with tracking cookies
- I can describe the sequence of events in a DOS attack, from the attacker's action to the effect on users
- I can name and describe the three named types of DOS fault: bandwidth consumption, resource starvation, and Domain Name Service (DNS)
- I can distinguish between the symptoms, effects and costs of a DOS attack, and give an example of each
- I can state a financial, political, and personal reason an attacker might launch a DOS attack
- I can explain why a DDOS attack uses a botnet and why this makes it harder to defend against
Part 1 — Tracking cookies
What is a cookie?
When you visit a website, it can store a small text file called a cookie in your browser. Cookies are used for many legitimate purposes: keeping you logged in, remembering items in a shopping basket, or saving your language preferences. These are called first-party cookies because they are set by the website you are actually visiting.
A third-party cookie is different — it is set not by the site you are on, but by another organisation whose code appears on that page. Advertising networks and analytics companies embed code on thousands of websites, which allows them to set cookies in your browser whenever you visit any of those sites.
How tracking cookies follow you across websites
When an advertising company's code runs on a page, it checks whether you already have one of its cookies. If you do not, it creates one with a unique identifier — a random ID code that identifies your browser. If you already have the cookie, it reads the ID and records which website you just visited, linking that visit to your ID.
Because the same advertising company's code appears on thousands of websites, it can build up a detailed picture of where you browse. This is a tracking cookie — a cookie whose purpose is not to make the current website work, but to track your behaviour across many different sites.
What happens to the data?
Over time, a tracking profile associated with your unique ID might include: which news topics you read, which products you browsed, which travel destinations you searched for, and which health conditions you looked up. This profile is used to serve you targeted advertisements — adverts that match your apparent interests. The profile may also be sold to other companies.
Privacy implications
Tracking cookies raise significant privacy concerns. Users are often unaware their browsing behaviour is being monitored. The data collected can reveal sensitive information — health concerns, financial difficulties, political views — without users ever consenting to share it. Under the UK GDPR, websites must ask for consent before storing non-essential cookies, which is why cookie banners appear on most websites. However, many users click "Accept All" without reading the options, giving broad consent without intending to.
Most modern browsers allow users to block third-party cookies. Browsing in private or incognito mode prevents cookies from persisting after the session ends, limiting tracking — though it does not make you invisible to the websites you visit.
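The tracking mechanism from Part 1, and the effect of blocking third-party cookies, can be simulated in a few lines. This is an added example, not part of the original lesson; the `AdNetwork` and `Browser` classes, the `ads.example` domain and the site names are all constructed for illustration.

```python
import secrets


class AdNetwork:
    """Hypothetical third-party tracker whose code is embedded on many sites."""

    def __init__(self):
        self.profiles = {}  # unique ID -> list of sites where that ID was seen

    def handle_request(self, cookie_uid, embedding_site):
        # No cookie sent: first sighting of this browser, so create a new unique ID.
        uid = cookie_uid or secrets.token_hex(4).upper()
        # Link this visit to the ID, building up the profile.
        self.profiles.setdefault(uid, []).append(embedding_site)
        return uid  # sent back to the browser to be stored as the cookie value


class Browser:
    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self.cookie_jar = {}  # domain that set the cookie -> unique ID

    def visit(self, site, tracker, tracker_domain="ads.example"):
        # The page on `site` embeds the tracker's code, so the browser also
        # contacts tracker_domain and sends any cookie it holds for that domain.
        sent = None if self.block_third_party else self.cookie_jar.get(tracker_domain)
        uid = tracker.handle_request(sent, site)
        if not self.block_third_party:
            self.cookie_jar[tracker_domain] = uid


SITES = ["news.example", "travel.example", "shop.example"]  # constructed sample sites


def simulate(block_third_party):
    """Visit every site once and return what the tracker has recorded."""
    tracker = AdNetwork()
    browser = Browser(block_third_party)
    for site in SITES:
        browser.visit(site, tracker)
    return tracker.profiles


if __name__ == "__main__":
    print("Third-party cookies allowed:", simulate(False))
    print("Third-party cookies blocked:", simulate(True))
```

With cookies allowed, all three visits are recorded under one ID; with third-party cookies blocked, each visit gets a fresh ID, so the cookie can no longer link them into one profile.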
Part 2 — Denial of Service attacks
What is a DOS attack?
Every web server has a limit on how many requests it can handle at once. It has a finite amount of processing power, memory, and network bandwidth. A Denial of Service (DOS) attack deliberately exploits this limit by flooding the server with far more requests than it can process.
When the server is overwhelmed, it cannot respond to legitimate users. The service becomes unavailable — the website goes down, error messages appear, or connections time out. The attacker has not broken into the system or stolen data; they have simply rendered it inaccessible.
How a DOS attack works
In a simple DOS attack, a single computer belonging to the attacker sends an extremely high volume of requests — potentially thousands per second — to the target server. The server must attempt to process each one. As its resources are exhausted, it slows down and eventually stops responding to legitimate requests entirely.
Symptoms of a DOS attack
From a user's point of view, a DOS attack shows up as two main symptoms: slow performance (pages take far longer than normal to load, or load only partially) and inability to access the service at all (the connection times out, or an error page is shown). Neither symptom on its own proves an attack is happening — ordinary high demand can look similar — but a sudden, sustained combination of both is a strong indicator.
Distributed DOS (DDOS) attacks
A single attacker's computer has limited bandwidth, so a server with sufficient capacity can potentially handle a simple DOS attack by filtering or rate-limiting that source. A Distributed DOS (DDOS) attack overcomes this limitation by using a botnet — a network of thousands of infected computers, each sending requests simultaneously.
Each computer in the botnet (called a zombie) sends requests that individually look no different from normal traffic. But thousands of zombies together generate a combined volume of traffic that overwhelms even large, well-resourced servers. Because the requests come from thousands of different IP addresses, simply blocking one address does nothing — there are thousands more.
The owners of zombie computers are typically unaware their machine is part of an attack. The malware that recruits them usually runs silently in the background.
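The difference between filtering a DOS and a DDOS can be shown from the defender's side. This is an added example, not part of the original lesson; the per-address limit, server capacity, IP addresses and traffic volumes are constructed assumptions.

```python
from collections import Counter

PER_IP_LIMIT = 10      # assumed: requests per second allowed from one address
SERVER_CAPACITY = 100  # assumed: requests per second the server can process


def filter_by_ip(requests, limit=PER_IP_LIMIT):
    """Block every address that exceeds `limit` requests in any one second."""
    per_ip_second = Counter(requests)  # each request is a (second, ip) pair
    blocked = {ip for (_, ip), n in per_ip_second.items() if n > limit}
    admitted = [r for r in requests if r[1] not in blocked]
    return admitted, blocked


def overloaded_seconds(requests, capacity=SERVER_CAPACITY):
    """Return the seconds in which total traffic exceeds the server's capacity."""
    per_second = Counter(sec for sec, _ in requests)
    return sorted(s for s, n in per_second.items() if n > capacity)


def legitimate_traffic(seconds=3, users=20):
    # Constructed sample: 20 genuine users, one request per second each.
    return [(s, f"198.51.100.{u}") for s in range(seconds) for u in range(users)]


def dos_traffic():
    # Constructed sample: one source sending 500 requests per second.
    flood = [(s, "203.0.113.9") for s in range(3) for _ in range(500)]
    return legitimate_traffic() + flood


def ddos_traffic():
    # Constructed sample: 400 zombies, each sending only 2 requests per second.
    zombies = [f"10.{i // 250}.{i % 250}.1" for i in range(400)]
    flood = [(s, z) for s in range(3) for z in zombies for _ in range(2)]
    return legitimate_traffic() + flood


def assess(requests):
    """Apply per-address filtering, then check whether the server is still overloaded."""
    admitted, blocked = filter_by_ip(requests)
    return len(blocked), overloaded_seconds(admitted)


if __name__ == "__main__":
    print("DOS :", assess(dos_traffic()))
    print("DDOS:", assess(ddos_traffic()))
```

In the DOS case one address is blocked and the server is no longer overloaded. In the DDOS case no single address exceeds the limit, so nothing is blocked and the server stays overloaded in every second.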
Type of fault
Not every DOS attack overwhelms a server in the same way. The Higher course names three specific types of fault:
- Bandwidth consumption — the attacker simply sends more traffic than the target's network connection can carry, so the connection itself becomes the bottleneck. Even a server with spare processing power cannot respond if the traffic never gets through.
- Resource starvation — rather than saturating the network, the attacker sends requests specifically designed to consume the server's processing power, memory, or the limited number of connections it can track at once, exhausting those resources even though bandwidth is not the limiting factor.
- Domain Name Service (DNS) — instead of attacking the web server directly, the attacker floods the DNS servers responsible for translating the website's domain name into an IP address. If the DNS servers cannot respond, users' browsers cannot find the website's address at all, denying access even if the web server itself is still running normally. This is different from DNS spoofing, which redirects users to a fake site rather than denying service.
Effects of a DOS or DDOS attack
The effects of an attack are the disruption caused to users and the business itself:
- Service unavailability — the website or application cannot be reached by users
- Reputational damage — customers lose trust in a service that appears unreliable
- Staff disruption — if internal systems are targeted, employees cannot use them to work
Costs of a DOS or DDOS attack
Separate from the disruption itself, an attack has a financial cost to the organisation:
- Lost revenue — an e-commerce site that is down cannot process orders or payments
- Labour in rectifying the fault — technical staff time is needed to identify the attack, mitigate it, and restore the service
Reasons for DOS attacks
Attackers launch DOS attacks for different underlying reasons:
- Financial — an attacker may demand a ransom to stop the attack, or a competitor may attack a rival business to damage its trade during a busy period.
- Political — an attacker (sometimes called a "hacktivist") may target a government or organisation's website to protest a policy or draw attention to a cause.
- Personal — an attacker may hold a grudge against a specific person or organisation, or may attack simply to demonstrate their ability and gain notoriety among other attackers.
Worked examples
uid=A7F3B) and records: "A7F3B visited a travel site."
The step-by-step tracking process can be shown as a pipeline:
uid=A7F3B on user's browser
Denial of Service (DOS)
- Limited bandwidth.
- Can be blocked by filtering one IP address.
Distributed DOS (DDOS)
- Massive combined traffic.
- Cannot be blocked by IP — thousands of different addresses.
- Saying cookies are programs or viruses. A cookie is a simple text file — it cannot run code, install software, or harm your computer. Marks are lost when pupils describe cookies as "hacking" tools or viruses.
- Confusing DOS and DDOS. In a DOS attack, the requests come from one machine. In a DDOS, they come from many machines. The examiner specifically tests this distinction — always state the number of sources.
- Saying a DOS attack "hacks into" the server. A DOS attack does not involve gaining access to the system — there is no password stolen and no data accessed. The attack simply overwhelms the server with legitimate-looking requests.
- Forgetting to say the server is overwhelmed. Questions about DOS typically ask you to "describe how" it works. The word "overwhelmed" (or "overloaded") must appear in your answer alongside the idea of excessive requests.
- Stating only one effect of a DOS attack. Exam questions worth 2 marks expect two separate effects. State two distinct consequences — unavailability, revenue loss, reputational damage, recovery costs — not two ways of saying the same thing.
These two topics appear regularly in Higher Computing past papers, often as 2-mark "describe how" questions. The key words examiners look for:
- Tracking cookies: "third-party", "unique identifier", "across different websites", "profile of interests"
- DOS: "floods/overwhelms the server", "excessive requests", "legitimate users cannot access"
- DDOS: "botnet", "many different computers", "different IP addresses", "harder to block"
For a DDOS question, always contrast it with a simple DOS to show you understand the difference — this is what earns the second mark.
DOS questions are also asked using the SQA's five separate categories — symptoms, effects, costs, type of fault, and reasons. If a question asks you to "name the type of fault", the only three valid answers are bandwidth consumption, resource starvation, and Domain Name Service (DNS) — do not answer with a symptom or effect instead.
Timing (120 min double):
5 min — warm up independently (CS10 recap), circulate
5 min — key vocabulary as a class
15 min — tracking cookies: walk through Example 1 together, draw the flow on the board
10 min — DOS attacks: key concept introduction
10 min — DDOS: worked examples 2 and 3, use the clash-box visual to contrast DOS vs DDOS
5 min — "Now you try" (tracking cookie profile question) independently, then reveal
5 min — common mistakes — read through together
25 min — Task Set A (independent work)
10 min — cold call review of A5, A7, A10 (the written questions most likely to appear in the exam)
10 min — Task Set B for those who finish early
Watch for: pupils confusing DOS and DDOS (test this explicitly in cold call — "how many sources?"); pupils saying a DOS attack "hacks" the server; pupils giving only one effect in A6 when the question asks for two.
Tracking cookies discussion hook: Ask pupils: "Has anyone noticed adverts following them around the internet after they searched for something? How do you think that works?" Almost every pupil will have experienced this. Use their examples to introduce the mechanism before the worked example.
GDPR note: A9 (GDPR) is a known 1-mark question in past papers. Pupils must be able to name the regulation, not just describe it.