DOS is not just bandwidth, it's anything that overloads the servers to make them non-responsive.
There are three primary points to attack: bandwidth, network, or CPU.
Bandwidth is easy, you just send lots of data, it doesn't even need to have a connection established.
A "network" attack could be anything from overloading the router to overloading the network stacks of the servers. One way to overload a server is to start a connection, but not finish it. The server, by default, waits ~60 seconds to time out the connection. Well, if you start sending thousands of requests per second to start connections, but don't follow through, the network state tables grow really big really fast.
The CPU way is to find something with the server that takes it a while to process. Let's say you have a "feature" in the web server to resize images for thumbnails and that takes a lot of relative CPU, but your web site was designed assuming that it wouldn't happen often. Well, someone figures out that requesting an image eats up lots of CPU, and they can just make a crap ton of requests and hose your server's CPUs.
Even more important than worrying about DOS attacks is SQL injection and/or cross-site execution.
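
One way to bound the cost of the thumbnail-resize case described above (an added example, not part of the original comment): allow only fixed sizes, cache finished thumbnails, and rate limit cache misses per client. `ThumbnailGuard`, `ALLOWED_SIZES`, the status codes and the limits are illustrative assumptions.

```python
import time
from collections import OrderedDict

ALLOWED_SIZES = {(64, 64), (128, 128), (256, 256)}  # assumed fixed thumbnail sizes

class ThumbnailGuard:
    """Bounds how much CPU clients can make a resize endpoint spend."""

    def __init__(self, resize, rate=2.0, burst=5, cache_max=1024,
                 clients_max=10000, clock=time.monotonic):
        self.resize = resize            # expensive call: (image_id, size) -> bytes
        self.rate, self.burst = rate, burst
        self.cache_max, self.clients_max = cache_max, clients_max
        self.clock = clock
        self.cache = OrderedDict()      # LRU of finished thumbnails
        self.buckets = OrderedDict()    # client -> (tokens, last refill time)

    def _take_token(self, client):
        now = self.clock()
        tokens, last = self.buckets.pop(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.buckets[client] = (tokens - 1 if allowed else tokens, now)
        if len(self.buckets) > self.clients_max:
            self.buckets.popitem(last=False)   # keep the limiter's own state bounded
        return allowed

    def handle(self, client, image_id, size):
        if size not in ALLOWED_SIZES:
            return 400, None            # arbitrary sizes would bypass the cache
        key = (image_id, size)
        if key in self.cache:
            self.cache.move_to_end(key)
            return 200, self.cache[key] # hit: no resize work, no token spent
        if not self._take_token(client):
            return 429, None            # only cache misses are rate limited
        data = self.resize(image_id, size)
        self.cache[key] = data
        if len(self.cache) > self.cache_max:
            self.cache.popitem(last=False)
        return 200, data
```

Repeated requests for the same thumbnail are served from the cache, so the resize function runs at most once per image and size until the entry is evicted.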