ATTACK-T1499.002Active

Service Exhaustion Flood

Statement

Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.

One example of this type of attack is known as a simple HTTP flood, where an adversary sends a large number of HTTP requests to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.(Citation: Cloudflare HTTPflood)

Another variation, known as a SSL renegotiation attack, takes advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto algorithm. In a renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.(Citation: Arbor SSLDoS April 2012)

Location

Tactic: Impact

Technique Details

Identifier: ATTACK-T1499.002
Parent Technique: ATTACK-T1499
ATT&CK Page: View on MITRE

Tactics

Impact

Platforms

WindowsIaaSLinuxmacOS

Detection

Detection Strategy for Endpoint DoS via Service Exhaustion Flood

Mitigations

Filter Network Traffic: Employ network appliances and endpoint software to filter ingress, egress, and lateral network traffic. This includes protocol-based filtering, enforcing firewall rules, and blocking or restricting traffic based on predefined conditions to limit adversary movement and data exfiltration. This mitigation can be implemented through the following measures:

Ingress Traffic Filtering:

Use Case: Configure network firewalls to allow traffic only from authorized IP addresses to public-facing servers.
Implementation: Limit SSH (port 22) and RDP (port 3389) traffic to specific IP ranges.

Egress Traffic Filtering:

Use Case: Use firewalls or endpoint security software to block unauthorized outbound traffic to prevent data exfiltration and command-and-control (C2) communications.
Implementation: Block outbound traffic to known malicious IPs or regions where communication is unexpected.

Protocol-Based Filtering:

Use Case: Restrict the use of specific protocols that are commonly abused by adversaries, such as SMB, RPC, or Telnet, based on business needs.
Implementation: Disable SMBv1 on endpoints to prevent exploits like EternalBlue.

Network Segmentation:

Use Case: Create network segments for critical systems and restrict communication between segments unless explicitly authorized.
Implementation: Implement VLANs to isolate IoT devices or guest networks from core business systems.

Application Layer Filtering:

Use Case: Use proxy servers or Web Application Firewalls (WAFs) to inspect and block malicious HTTP/S traffic.
Implementation: Configure a WAF to block SQL injection attempts or other web application exploitation techniques.

EquivalentPartialRelated

SP 800-53

SP800-53-AC-3relatedvia ctid-attack-to-sp800-53

SP800-53-AC-4relatedvia ctid-attack-to-sp800-53

SP800-53-CA-7relatedvia ctid-attack-to-sp800-53

SP800-53-CM-6relatedvia ctid-attack-to-sp800-53

SP800-53-CM-7relatedvia ctid-attack-to-sp800-53

View in graph Report an issue

← Back to Impact

Ingress Traffic Filtering:

Use Case: Configure network firewalls to allow traffic only from authorized IP addresses to public-facing servers.
Implementation: Limit SSH (port 22) and RDP (port 3389) traffic to specific IP ranges.

Egress Traffic Filtering:

Use Case: Use firewalls or endpoint security software to block unauthorized outbound traffic to prevent data exfiltration and command-and-control (C2) communications.
Implementation: Block outbound traffic to known malicious IPs or regions where communication is unexpected.

Protocol-Based Filtering:

Use Case: Restrict the use of specific protocols that are commonly abused by adversaries, such as SMB, RPC, or Telnet, based on business needs.
Implementation: Disable SMBv1 on endpoints to prevent exploits like EternalBlue.

Network Segmentation:

Use Case: Create network segments for critical systems and restrict communication between segments unless explicitly authorized.
Implementation: Implement VLANs to isolate IoT devices or guest networks from core business systems.

Application Layer Filtering:

Use Case: Use proxy servers or Web Application Firewalls (WAFs) to inspect and block malicious HTTP/S traffic.
Implementation: Configure a WAF to block SQL injection attempts or other web application exploitation techniques.

Service Exhaustion Flood

Statement

Location

Technique Details

Tactics

Platforms

Detection

Mitigations

Cross-Framework Mappings9

Service Exhaustion Flood

Statement

Location

Technique Details

Tactics

Platforms

Detection

Mitigations

Cross-Framework Mappings9