DDoS attacks are designed to generate so much activity that the server under attack can no longer provide the service it is in place to provide. This is partly achieved through the quantity of traffic, but the network requests are also formatted to exploit weaknesses in the network protocols, which makes a failure more likely.
Application DDoS takes a similar approach but at an application level. Rather than exploiting weaknesses in the network protocol, it looks for areas of application functionality that will struggle when the application is under load. These could be areas that involve high processor usage, integration with third-party systems, or complex database activity.
Often these will be areas such as search, login, availability checks, or real-time booking requests, but they will vary with each website. The bot traffic then simply automates repeated requests to these areas of the website until the site reaches a limit and falls over, or is unable to transact normally with legitimate customers.
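Because the load comes from what each request costs rather than from how many requests arrive, a limiter that counts requests alone treats a search flood and ordinary browsing the same. The following added example (not from the original article) shows a per-client token bucket that charges each request by endpoint cost. The endpoint paths, cost weights, bucket size and sample traffic are all constructed assumptions, to be replaced with values measured on the real site.

```python
# Added example: cost-weighted token bucket. Endpoint costs are assumed values.
ENDPOINT_COST = {"/search": 5, "/login": 4, "/availability": 5, "/booking": 8}
DEFAULT_COST = 1  # static pages and other cheap requests


class CostWeightedLimiter:
    """Per-client token bucket that charges each request by backend cost."""

    def __init__(self, capacity=20, refill_per_sec=2):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets = {}  # client id -> (tokens left, time of last request)

    def allow(self, client, path, ts):
        tokens, last = self.buckets.get(client, (self.capacity, ts))
        # Refill for the time elapsed since this client's previous request.
        tokens = min(self.capacity, tokens + max(0, ts - last) * self.refill_per_sec)
        cost = ENDPOINT_COST.get(path.split("?", 1)[0], DEFAULT_COST)
        allowed = cost <= tokens
        if allowed:
            tokens -= cost
        self.buckets[client] = (tokens, ts)
        return allowed


def replay(events):
    """Run (ts, client, path) events through a fresh limiter; count outcomes."""
    limiter = CostWeightedLimiter()
    result = {}
    for ts, client, path in events:
        counts = result.setdefault(client, {"allowed": 0, "rejected": 0})
        counts["allowed" if limiter.allow(client, path, ts) else "rejected"] += 1
    return result


def sample_events():
    """Constructed traffic: two clients at the same rate (5 req/s for 4 s)."""
    events = []
    for second in range(4):
        for n in range(5):
            # Automated client repeating requests to the expensive search endpoint.
            events.append((second, "198.51.100.7", f"/search?q=term{second}{n}"))
            # Visitor fetching cheap pages at the identical request rate.
            events.append((second, "203.0.113.20", f"/products/{n}"))
    return events


if __name__ == "__main__":
    for client, counts in replay(sample_events()).items():
        print(client, counts)
```

Both clients send the same number of requests per second, yet only the one concentrating on the expensive endpoint is throttled.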