T1498 Network Denial of Service
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes1 and to support other malicious activities, including distraction2, hacktivism, and extortion.3
A Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).
To perform Network DoS attacks several aspects apply to multiple methods, including IP address spoofing, and botnets.
Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.
For DoS attacks targeting the hosting system directly, see Endpoint Denial of Service.
| Item | Value |
|---|---|
| ID | T1498 |
| Sub-techniques | T1498.001, T1498.002 |
| Tactics | TA0040 |
| Platforms | Azure AD, Containers, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS |
| Version | 1.1 |
| Created | 17 April 2019 |
| Last Modified | 25 March 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0007 | APT28 | In 2016, APT28 conducted a distributed denial of service (DDoS) attack against the World Anti-Doping Agency.7 |
| S0532 | Lucifer | Lucifer can execute TCP, UDP, and HTTP denial of service (DoS) attacks.6 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1037 | Filter Network Traffic | When flood volumes exceed the capacity of the network connection being targeted, it is typically necessary to intercept the incoming traffic upstream to filter out the attack traffic from the legitimate traffic. Such defenses can be provided by the hosting Internet Service Provider (ISP) or by a 3rd party such as a Content Delivery Network (CDN) or providers specializing in DoS mitigations.5 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0029 | Network Traffic | Network Traffic Flow |
| DS0013 | Sensor Health | Host Status |
References
-
Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019. ↩
-
FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals Targeting Financial Institution Employee Credentials to Conduct Wire Transfer Fraud. Retrieved April 18, 2019. ↩
-
Wueest, C.. (2014, October 21). The continued rise of DDoS attacks. Retrieved April 24, 2019. ↩
-
Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019. ↩
-
Meintanis, S., Revuelto, V., Socha, K.. (2017, March 10). DDoS Overview and Response Guide. Retrieved April 24, 2019. ↩
-
Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020. ↩
-
Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. ↩