Let’s phrase this like a supermarket. I’m building a new one and expect 20 people a minute to want to check out so I build 10 registers. This works great and over time the store grows and has 15 registers.

Now someone wants to deny me from providing service to my actual customers. So they hire a thousand people and ask them all to take as long as possible in the checkout lines. With 15 registers I can’t handle this. Now my actual customers show up but I have a staff member outside telling them to just leave because there’s too many people inside.

DDoS attacks are like this but for computers. A website can handle X amount of traffic at a time. They can have contingencies for handling extra traffic but at some point the amount of traffic will overload them. Someone uses a bunch of computers to send requests to the specific website and bog it down.