Skip to content

T1498 Network Denial of Service

Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes1 and to support other malicious activities, including distraction2, hacktivism, and extortion.3

A Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).

To perform Network DoS attacks several aspects apply to multiple methods, including IP address spoofing, and botnets.

Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.

For DoS attacks targeting the hosting system directly, see Endpoint Denial of Service.

Item Value
ID T1498
Sub-techniques T1498.001, T1498.002
Tactics TA0040
Platforms Azure AD, Containers, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
Version 1.1
Created 17 April 2019
Last Modified 25 March 2022

Procedure Examples

ID Name Description
G0007 APT28 In 2016, APT28 conducted a distributed denial of service (DDoS) attack against the World Anti-Doping Agency.7
S0532 Lucifer Lucifer can execute TCP, UDP, and HTTP denial of service (DoS) attacks.6


ID Mitigation Description
M1037 Filter Network Traffic When flood volumes exceed the capacity of the network connection being targeted, it is typically necessary to intercept the incoming traffic upstream to filter out the attack traffic from the legitimate traffic. Such defenses can be provided by the hosting Internet Service Provider (ISP) or by a 3rd party such as a Content Delivery Network (CDN) or providers specializing in DoS mitigations.5


ID Data Source Data Component
DS0029 Network Traffic Network Traffic Flow
DS0013 Sensor Health Host Status