You attack the networking stacks for it, those are still actively developed (mTCP was last updated Jan 2025) as businesses use networked DOS for quite a few things. A DOS networking stack consists of a packet driver, a NIC driver, and a protocol library. All of those have attack surface. NIC drivers in particular often haven't really had updates since they were first released. Because for hardware manufacturers of the time the goal was on getting people to use the hardware, not on supporting them. There are newer DOS NIC drivers than you'd think too. Realtek last I checked still makes and supports an ISA NIC.
So you are not talking about attacking old code at all, but networking stacks that are indeed actively developed? That feels like a very different ball game from attacking Win98, even if the platform they are running on top of is old.
It's a complicated space. There are attacks on both maintained and unmaintained stacks. There are definitely attacks against windows 95/98 too because people have things like mills or other industrial automation that are powered by those OSes still connected to the internet. There is a lot of SCADA[1] too that fits that bill. It's easy to think "but why wasn't this replaced!" and the answer is almost always "cost or process certification". If the operator is lucky and has good networking folks all of this is in a very very well firewalled VLAN. But, never underestimate the amount of people that are not that savvy and just have it plugged into the internet.
For anyone saying these aren't targets, no they are probably already hacked. These are the things that keep the national security folks up at night knowing an adversary has them already backdoored and set up for take down. Moreover if they execute on that they would go for maximum damage first to either create chaos, or prevent the system from being repaired easily.
