You think that correctly formed TCP streams can not be used to exhaust bandwidth??? Well, that is completely wrong. Someone with a botnet doesn't need to do a bandwidth amplification attack to DDoS a target, they have a massive botnet with lots of bandwidth. Just having thousands of zombie clients refreshing a website constantly, many simultaneous times, is enough to DDoS it, and that is how many DDoS attacks are carried out. Also there are all kinds of other ways that DoS attacks can be performed. Hidden services are inherently weak to their introduction points being DoSed with CPU exhaustion attacks. They can be traced to their entry guards and the entry guards DDoSed, which will make it impossible to access the hidden service if it has strict entry guards set. The actual web server software can have flaws in it that make it weak to resource exhaustion attacks, a lot of the time DoS is of CPU or RAM and not of bandwidth at all. It is completely and entirely incorrect to say that DDoS or DoS are impossible to do against hidden services.