DOS attacks are usually based on the principle of sending a tiny, broken package. The server responds with a "Hey, that was broken, resend!" package, which requires much more work and bandwidth for the server. Usually, the sender adress is spoofed, so the response don't even go back to the attacker. That way, an attacker with a fairly weak connection can still cause disproportionally large damage to a much stronger target.
On top of that, we have the DDOS attacks, which is the same, just that many people do it at once, increasing the effectivity.
One way to defend against that is to recognize that you are being swamped by bad packages and stop responding.
That said, much simpler "attacks" has been quite successful. When the Swedish search engine The Pirate Bay was attacked by 50 armed policemen, someone (not me, I promise) took down the police web site simply by finding a bunch of large images on it, creating an auto-updating html page with those images and spreading that page to many people. I wouldn't even call that an attack, as they were basically using the web site services as they were intended to be used. I find that more akin to, say, protesting against a shop by getting lots of people who don't intend to buy something to enter the shop and just wander around, taking up space that intended customers would otherwise use.