
Local Lab Shows How a Simple Sleep Call Can DoS a Server

DEV Community

An author built a home lab in Oracle VirtualBox, running Kali Linux as the attacker and Ubuntu Linux as the target. The goal was to demonstrate that a Denial-of-Service attack can arise from poor application design, not only from massive botnets or exotic malware. The experiment stayed strictly local and legal.

The target ran a tiny Python HTTP server that sleeps three seconds per request. Because it is single-threaded, each incoming GET blocks the entire process, and no rate limiting or concurrency handling exists. That single `time.sleep(3)` line turns the server into a textbook application-layer DoS target.

Using ApacheBench, the author sent fifty requests with ten concurrent connections to the server. The single-threaded design caused nine requests to queue, slowing responses and triggering TCP retransmissions. Wireshark captured repeated GETs, delayed replies, and congestion, illustrating how a modest load can cripple a poorly designed service.

The exercise shows that even a simple sleep call can expose a server to denial of service. Mitigations include asynchronous or multi-threaded frameworks, rate limiting, and reverse proxies like Nginx. For anyone learning cybersecurity, building such labs offers a safe, hands-on lesson in defensive design.
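
The effect, and the multi-threaded mitigation, can be measured on the loopback interface alone. The following is an added example, not the original author's lab code: the handler, the `measure` helper and the client counts are assumptions, and only the blocking `time.sleep` call comes from the article.

```python
import threading
import time
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer, ThreadingHTTPServer


def make_handler(delay):
    """Build a handler that mimics the lab server: sleep, then answer."""
    class SlowHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            time.sleep(delay)            # the blocking call from the article
            body = b"ok\n"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):    # keep the console quiet
            pass
    return SlowHandler


def measure(server_cls, clients=10, delay=3.0):
    """Return wall-clock seconds needed to serve `clients` simultaneous GETs."""
    server = server_cls(("127.0.0.1", 0), make_handler(delay))  # port 0: any free port
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()

    def fetch():
        conn = HTTPConnection("127.0.0.1", port, timeout=delay * clients + 10)
        conn.request("GET", "/")
        conn.getresponse().read()
        conn.close()

    workers = [threading.Thread(target=fetch) for _ in range(clients)]
    start = time.monotonic()
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    elapsed = time.monotonic() - start
    server.shutdown()
    server.server_close()
    return elapsed


if __name__ == "__main__":
    # Single-threaded: requests are serialised. Threaded: they overlap.
    for cls in (HTTPServer, ThreadingHTTPServer):
        print(f"{cls.__name__:20s} {measure(cls, clients=5, delay=1.0):.1f}s")
```

With `HTTPServer` the total time grows as clients × delay, while `ThreadingHTTPServer` stays close to one delay; threading alone does not bound the number of workers, so rate limiting or a reverse proxy is still needed in front of it.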