Unless you can get the application to crash easily, denial of service bugs can be one of the hardest types to discover. Often, there is a fine line between what is considered a performance issue and what is considered a DoS attack. It really depends on what is considered acceptable for the application. As a tester, you might have to push to get certain DoS bugs fixed. Sometimes developers consider a bug acceptable, but it isnt what the customer would want. For example, client applications that can be crashed by an attacker and cause victims to lose data should be fixed. The effect of a DoS on server applications can be huge, so it is important that they are tested thoroughly and that resources consumed by a single server request are limited.