T1498 Network Denial of Service

Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth that services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes (Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction (Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion. (Citation: Symantec DDoS October 2014)

A Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).

Several aspects of Network DoS attacks apply across multiple methods, including IP address spoofing and the use of botnets.

Adversaries may use the real IP address of an attacking system, or spoof the source IP address, to make the attack traffic harder to trace back to the attacking system or to enable reflection. Spoofing also makes the attack harder to defend against, because it reduces or eliminates the effectiveness of source-address filtering on network defense devices.

For DoS attacks targeting the hosting system directly, see Endpoint Denial of Service.
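As an added illustration of the bandwidth-exhaustion condition described above (not code from ATT&CK or from this mapping page), the following Python sketch aggregates constructed flow records per one-second window, flags windows whose inbound rate nears the 1 Gbps link capacity used in the example, and uses the distinct-source count only as a hint about whether the traffic is distributed, since spoofed sources make that count unreliable. The link capacity, thresholds, and sample flows are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

LINK_CAPACITY_BPS = 1_000_000_000  # assumed 1 Gbps upstream, as in the page's example
ALERT_FRACTION = 0.8               # assumed: alert above 80% of link capacity
DDOS_MIN_SOURCES = 100             # assumed: treat >= 100 distinct sources as distributed


@dataclass
class Flow:
    ts: int      # one-second window (epoch seconds)
    src: str     # source IP as seen on the wire (may be spoofed)
    dst: str     # destination IP
    nbytes: int  # bytes carried toward dst in this window


def per_window_stats(flows):
    """Aggregate inbound bits and distinct source IPs per (window, destination)."""
    bits = defaultdict(int)
    sources = defaultdict(set)
    for f in flows:
        key = (f.ts, f.dst)
        bits[key] += f.nbytes * 8
        sources[key].add(f.src)
    return {k: (bits[k], len(sources[k])) for k in bits}


def detect(flows, capacity_bps=LINK_CAPACITY_BPS):
    """Return one alert per (window, destination) whose inbound rate nears saturation."""
    alerts = []
    for (ts, dst), (bps, nsrc) in sorted(per_window_stats(flows).items()):
        if bps < ALERT_FRACTION * capacity_bps:
            continue
        # The distinct-source count only hints at DoS vs DDoS: spoofed sources inflate it,
        # which is also why source-address filtering alone is unreliable here.
        kind = "ddos" if nsrc >= DDOS_MIN_SOURCES else "dos"
        alerts.append({"ts": ts, "dst": dst, "bps": bps, "sources": nsrc,
                       "utilization": round(bps / capacity_bps, 2), "kind": kind})
    return alerts


def sample_flows():
    """Constructed records: one normal second, then one second flooded from 250 sources."""
    flows = [Flow(100, "203.0.113.10", "198.51.100.5", 50_000_000)]  # 400 Mbps, below threshold
    for i in range(250):                                             # 250 x 4.8 Mbps = 1.2 Gbps
        flows.append(Flow(101, f"192.0.2.{i}", "198.51.100.5", 600_000))
    return flows
```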


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
DE.CM-01.02 | Network traffic volume monitoring | Mitigates | T1498 | Network Denial of Service
Comments: This diagnostic statement may help block Network Denial of Service (DoS) attacks by adversaries that target the resources users rely on, such as websites, email services, DNS, and web-based applications. Filtering boundary traffic can be used to intercept incoming traffic and filter the attack traffic out of the legitimate traffic.

ID.IM-02.06 | Accurate data recovery | Mitigates | T1498 | Network Denial of Service
Comments: This diagnostic statement focuses on safeguarding IP addresses from potential attacks by adversaries, including Network Denial of Service (DoS) attacks targeting websites, email services, and web-based applications. Additionally, the integration of third-party services is recommended to support the development of a comprehensive business continuity plan, ensuring an effective response to such incidents.

PR.IR-04.01 | Utilization monitoring | Mitigates | T1498 | Network Denial of Service
Comments: This diagnostic statement describes how the organization establishes and manages baseline measures of network activity, supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms for these types of network-based techniques may include Data Loss Prevention (DLP), Filtering Network Traffic, Limit Network Traffic, Network Intrusion Prevention Systems (NIPS), and Network Segmentation.

PR.IR-04.02 | Availability and capacity management | Mitigates | T1498 | Network Denial of Service
Comments: This diagnostic approach safeguards systems and network resources from adversaries seeking to block the availability of services to users by conducting DoS attacks. Implementing mitigation strategies, such as filtering network traffic, enables blocking of the IP addresses and transport protocols used by the attack.

PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1498 | Network Denial of Service
Comments: This diagnostic statement protects against Network Denial of Service through the use of secure network configurations and architecture, implementation of zero trust architecture, and segmentation.

PR.PS-01.08 | End-user device protection | Mitigates | T1498 | Network Denial of Service
Comments: This diagnostic statement protects against Network Denial of Service by limiting access to resources to authorized devices only, managing personal computing devices, using network intrusion prevention, and using antimalware.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
CA-07 | Continuous Monitoring | mitigates | T1498 | Network Denial of Service
CM-06 | Configuration Settings | mitigates | T1498 | Network Denial of Service
SI-10 | Information Input Validation | mitigates | T1498 | Network Denial of Service
SI-15 | Information Output Filtering | mitigates | T1498 | Network Denial of Service
CM-07 | Least Functionality | mitigates | T1498 | Network Denial of Service
AC-03 | Access Enforcement | mitigates | T1498 | Network Denial of Service
AC-04 | Information Flow Enforcement | mitigates | T1498 | Network Denial of Service
SC-07 | Boundary Protection | mitigates | T1498 | Network Denial of Service

Known Exploited Vulnerabilities Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
CVE-2023-49897 | FXC AE1021, AE1021PE OS Command Injection Vulnerability | secondary_impact | T1498 | Network Denial of Service
Comments: CVE-2023-49897 is an OS command injection vulnerability affecting AE1021PE firmware. This vulnerability has been publicly reported to be leveraged during the InfectedSlurs campaign to install a Mirai malware variant with the intention of creating a distributed denial-of-service (DDoS) botnet from the infected devices.

CVE-2023-47565 | QNAP VioStor NVR OS Command Injection Vulnerability | secondary_impact | T1498 | Network Denial of Service
Comments: CVE-2023-47565 is an OS command injection vulnerability in QNAP VioStor network video recorder (NVR) devices. This vulnerability has been publicly reported to be leveraged during the InfectedSlurs campaign to install a Mirai malware variant with the intention of creating a distributed denial-of-service (DDoS) botnet from the infected devices.

CVE-2023-1389 | TP-Link Archer AX-21 Command Injection Vulnerability | secondary_impact | T1498 | Network Denial of Service
Comments: CVE-2023-1389 is a command injection vulnerability in one of the API components of the TP-Link Archer router's web management interface. Public reports state that multiple botnet malware families among the Mirai variants, including Condi, are targeting these vulnerable devices.

CVE-2024-11120 | GeoVision Devices OS Command Injection Vulnerability | primary_impact | T1498 | Network Denial of Service
Comments: Specific end-of-life GeoVision IoT devices contain an insufficient input validation vulnerability that allows unauthenticated attackers to inject arbitrary commands and execute them on the system. This leads to denial of service.

CVE-2025-6543 | Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability | primary_impact | T1498 | Network Denial of Service
Comments: An unprivileged attacker can leverage this buffer overflow vulnerability, leading to a denial of service attack and potentially remote code execution. No public exploits of this vulnerability exist, and information from Citrix is limited.

CVE-2021-22205 | GitLab Community and Enterprise Editions Remote Code Execution Vulnerability | primary_impact | T1498 | Network Denial of Service
Comments: CVE-2021-22205 is a remote code execution vulnerability in GitLab Community and Enterprise Editions. Threat actors have been reported to actively exploit the flaw to co-opt unpatched GitLab servers into a botnet and launch distributed denial of service (DDoS) attacks.

CVE-2021-22205 | GitLab Community and Enterprise Editions Remote Code Execution Vulnerability | secondary_impact | T1498 | Network Denial of Service
Comments: CVE-2021-22205 is a critical remote code execution vulnerability allowing unauthenticated attackers to execute arbitrary commands on affected systems. The vulnerability was reported to be actively exploited to assemble botnets and launch very large distributed denial of service (DDoS) attacks.

CVE-2019-0708 | Microsoft Remote Desktop Services Remote Code Execution Vulnerability | secondary_impact | T1498 | Network Denial of Service
Comments: CVE-2019-0708, also known as BlueKeep, is a remote code execution vulnerability in Windows Remote Desktop Services. BlueKeep can enable remote unauthenticated attackers to run arbitrary code or conduct denial of service attacks, and potentially to take control of vulnerable systems.

CVE-2022-0028 | Palo Alto Networks PAN-OS Reflected Amplification Denial-of-Service Vulnerability | primary_impact | T1498 | Network Denial of Service
Comments: CVE-2022-0028 is a reflected amplification distributed denial-of-service (DDoS) vulnerability in Palo Alto Networks' PAN-OS firewall software. Public reports have announced attempted exploitation of this vulnerability to produce DDoS attacks.

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
action.hacking.variety.DoS | Denial of service | related-to | T1498 | Network Denial of Service
action.malware.variety.DoS | DoS attack | related-to | T1498 | Network Denial of Service
attribute.availability.variety.Degradation | Performance degradation | related-to | T1498 | Network Denial of Service
attribute.availability.variety.Loss | Loss | related-to | T1498 | Network Denial of Service

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
azure_ddos_protection | Azure DDoS Protection | technique_scores | T1498 | Network Denial of Service
Comments: Designed to address multiple DDoS techniques, including volumetric attacks.

azure_network_security_groups | Azure Network Security Groups | technique_scores | T1498 | Network Denial of Service

azure_private_link | Azure Private Link | technique_scores | T1498 | Network Denial of Service
Comments: Prevents Denial of Service (DoS) against systems that would otherwise need to connect via an internet-traversing path (coverage is partial, since it does not apply to systems that must be directly exposed to the Internet).

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
cloud_armor | Cloud Armor | technique_scores | T1498 | Network Denial of Service
Comments: Google Cloud Armor provides always-on DDoS protection against network- or protocol-based volumetric DDoS attacks. It allows users to allow or deny traffic at the Google Cloud edge, closest to the source of the traffic. This prevents unwelcome traffic from consuming resources.

cloud_cdn | Cloud CDN | technique_scores | T1498 | Network Denial of Service
Comments: Cloud CDN acts as a proxy between clients and origin servers. Cloud CDN can distribute requests for cacheable content across multiple points of presence (POPs), thereby providing a larger set of locations to absorb a DoS attack. However, Cloud CDN does not provide protection against DoS attacks for uncached content.

cloud_ngfw | Cloud Next-Generation Firewall (NGFW) | technique_scores | T1498 | Network Denial of Service
Comments: Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block the sources of smaller-scale network denial of service attacks. While Cloud NGFW supports both sub-techniques (2 of 2), this mapping is given a score of Minimal because it is often necessary to block the traffic at the Internet Service Provider or Content Provider Network level.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
amazon_guardduty | Amazon GuardDuty | technique_scores | T1498 | Network Denial of Service
Comments: The following GuardDuty finding types flag events where adversaries may be performing Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users:
  Backdoor:EC2/DenialOfService.UdpOnTcpPorts
  Backdoor:EC2/DenialOfService.UnusualProtocol
  Backdoor:EC2/DenialOfService.Udp
  Backdoor:EC2/DenialOfService.Tcp
  Backdoor:EC2/DenialOfService.Dns

amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1498 | Network Denial of Service
Comments: VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints, but they will prove effective at mitigating only low-end DoS attacks, resulting in a Minimal score.

aws_config | AWS Config | technique_scores | T1498 | Network Denial of Service
Comments: This control provides minimal coverage for this technique's sub-techniques as well as its procedures, resulting in an overall score of Minimal.

aws_network_firewall | AWS Network Firewall | technique_scores | T1498 | Network Denial of Service
Comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol, as well as to perform deep packet inspection on the payload. This functionality can be used to block the sources of smaller-scale network denial of service attacks. While AWS Network Firewall supports all sub-techniques (2 of 2 at the time of this mapping), this mapping is given a score of Minimal because it is often necessary to block the traffic at the Internet Service Provider or Content Provider Network level.

aws_shield | AWS Shield | technique_scores | T1498 | Network Denial of Service

ATT&CK Subtechniques

Technique ID | Technique Name | Number of Mappings
T1498.001 | Direct Network Flood | 24
T1498.002 | Reflection Amplification | 24