The latest example is this story by Glenn Greenwald and NBC News claiming British intelligence performed a "DDoS" on Anonymous. To quote the article
"According to the documents, a division of Government Communications Headquarters Communications (GCHQ), the British counterpart of the NSA, shut down communications among Anonymous hacktivists by launching a “denial of service” (DDOS) attack – the same technique hackers use to take down bank, retail and government websites – making the British government the first Western government known to have conducted such an attack." -- NBC News and Glenn Greenwald
This is wrong. The acronym "DDoS" doesn't stand for "denial of service" but "distributed denial of service". The extra 'D' in added to DoS is not an insignificant detail that can be glossed over in the article, escape a fact checker, or be reported without confirmation. DDoS would result in enormous collateral damage, but a mere DoS might not.
DoS, minus the extra D, means disabling the victim's computer. An example DoS is a "syn-flood", which is apparently the attack used in this story. A syn-flood can surgically disable just a single computer without affecting nearby computes.
DDoS, with the extra D, means using a network of many attacking machines, often in the thousands, to flood a victim. It's orders of magnitude worse, with two significant problems.
The first is that the attack computers are not owned by the attacker, but are instead computers spread throughout the Internet that the attacker has infected with a virus. When nation states to use this technique, it would mean that they would not only be hacking the "legitimate" target of the DDoS, but also thousands of innocents. It's possible for a nation state to invest a lot of money and rent thousands of instances throughout the Internet, and avoid infecting innocents with viruses, but the accusation of "DDoS" implies infecting the innocent -- it's not a detail the article could have glossed over.
The second problem is that the flood of traffic is so large hat it impacts intervening networks. If I compromise computers in Tajikistan (or simply rent instances in their data centers) to use as part of my DDoS against Anonymous, I'm going to slow down that entire country's Internet connection. If I'm targeting a member of Anonymous who is using a Comcast connection, I'm going to disable the Internet for everyone in that neighborhood. It's not the computers that are damaged by the DDoS, but all the intervening links. Everyone sharing those links will be effected.
The reason the word "DDoS" appeared in the NSA document is not because it was in fact a DDoS, but because the hacktivists described it as such. That's because hacktivists are largely unskilled teenagers with a very narrow range of expression. These kids do not know how to perform surgical DoS attacks themselves, but only know large-scale DDoS.
Assuming the target was an IRC server in a colo, then it's trivially easy to DoS with a syn-flood without effecting nearby machines. I can do it form my home network on Comcast that has 10-mbps upstream. The DoS would take down IRC but with zero collateral damage.
These PowerPoints that Snowden has been leaking were themselves written by non-technical people exaggerating the actions. With so many layers of non-technical people involved (the authors and the press) it's hard to say exactly what happened. It does appear that the GCHQ takes credit for syn-flooding irc.anonops.li, but everything else is speculation. The remainder of the Greenwald/NBC article is bunk.
As a technical expert, I question every Greenwald article I've read. He seizes every opportunity to exaggerate the vague breadcrumb's found in these leaked NSA powerpoints.
Disclaimer: I think I've created the world's fastest syn-flood tool. Here's how you'd run my port-scanner masscan to do a syn-flood at 15-million packets/second. You'd need to run it from an ISP that has a 10-gbps link but no egress filtering.
# masscan 192.0.2.65 -p6667 --spoof-ip 18.104.22.168/4 --source-port 0-65535 --rate 15000000
This would cause a lot of collateral damage, since you'd be running it from a 10-gbps link targeting networks with much slower links. You can run it slower in a method like the following:
# masscan 192.0.2.65 -p6667 --spoof-ip 172.28.209.0/24 --source-port 0-65535 --rate 10000 --banners
I point out these features of my tool to point out the vast difference between the 'experts' Greenwald could consult (hackers), and the type of 'experts' he actually consults (anthropology professors).