Skip to content

DET0173 Detection Strategy for Endpoint DoS via Service Exhaustion Flood

Item Value
ID DET0173
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1499.002 (Service Exhaustion Flood)

Analytics

Windows

AN0489

High-frequency, repetitive service requests (e.g., HTTP, TLS renegotiation) originating from a single or small set of source IPs targeting endpoint web services or application ports, leading to exhaustion of CPU or memory on targeted Windows services.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) WinEventLog:Application Unexpected spikes in request volume, application-level errors, or thread pool exhaustion in web or API logs
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Host Status (DC0018) Windows:perfmon Sustained CPU/memory exhaustion by service process (e.g., w3wp.exe)
Mutable Elements
Field Description
TimeWindow Defines burst threshold (e.g., 1 min, 5 min) for connection spikes
TargetServicePort Specific ports/services likely to be abused (e.g., 80, 443, 8080)
CPUThreshold Level of sustained CPU usage considered anomalous for a given service

Linux

AN0490

Excessive inbound HTTP or TLS connections to services such as Apache or Nginx, causing worker thread exhaustion or segmentation faults.

Log Sources
Data Component Name Channel
Process Access (DC0035) auditd:SYSCALL High frequency of accept(), read(), or SSL_read() syscalls tied to nginx/apache processes
Network Traffic Flow (DC0078) NSM:Flow Sudden spike in incoming flows to web service ports from single/multiple IPs
Application Log Content (DC0038) linux:syslog Repetitive HTTP 408, 500, or 503 errors logged within short timeframe
Mutable Elements
Field Description
ErrorCodeWindow Tunable count of specific HTTP error codes in timeframe
ConnectionRateThreshold Defines number of connections per second considered anomalous

macOS

AN0491

Flood of incoming TLS or HTTP(S) connections to macOS-hosted services (e.g., MAMP, Apache), causing high CPU usage and system unresponsiveness.

Log Sources
Data Component Name Channel
Host Status (DC0018) macos:unifiedlog Web service process (e.g., httpd) entering crash loop or consuming excessive CPU
Network Traffic Content (DC0085) macos:unifiedlog Rapid incoming TLS handshakes or HTTP requests in quick succession
Mutable Elements
Field Description
TLSHandshakeRate Number of renegotiations per minute considered suspicious
ServiceCrashFrequency Threshold of crashes before alerting on instability

IaaS

AN0492

Automated or scripted HTTP/TLS flooding from one VM or cloud instance against another service, exploiting compute-based billing or exhaustion of service infrastructure.

Log Sources
Data Component Name Channel
Firewall Rule Modification (DC0051) AWS:CloudTrail AuthorizeSecurityGroupIngress
Network Traffic Flow (DC0078) AWS:VPCFlowLogs Unusual volume of inbound packets from single source across short time interval
Host Status (DC0018) AWS:CloudWatch Sustained spike in CPU usage on EC2 instance with web service role
Mutable Elements
Field Description
VPCFlowBurstRate Threshold for traffic burst on target service port
EC2CPUThreshold Compute saturation level for alerting (e.g., >90% for 3 minutes)