Billy Hoffman, a lead researcher in SPI Labs and an Ajax expert, is the perfect person to answer this question. So his answer is below:
I would argue the way Ajax applications can make you more open to a DoS is from all the open Web services and Ajax endpoints. Because you can directly call parts of the control logic of the program, you can do more damage then just blindly requesting files. A flood of traffic to an Ajax endpoint is probably worse than a traffic flood against a random page because each time you contact that Web service the server has some computation to do. Furthermore, responses from Ajax endpoints are not typically cached by Squid or any other 'Web site accelerator.'
A traffic flooding DoS is like throwing millions of small punches hoping you take an opponent down. A control logic DoS is like cutting open an opponent's head and punching them a few times in the brain."And here's my answer:
I also tend to see sloppy implementation of Ajax inadvertently causing DoS attacks. For example, I know of a company that decided to implement some Ajax intelligence technology into their search bar on their Web site. What they did not think about was that doing this multiplied their traffic by eight times. For every one search query going to their application it now was broken down to each letter being a single hit. So it ended up crashing their bandwidth.More information:
Billy Hoffman is a lead researcher in the SPI Labs Research and Development group. He is an oft quoted expert on AJAX security and is a frequent speaker at conferences on the topic. Hoffman is currently co-authoring a book on Ajax security for Addison-Wesley.
This was first published in December 2006