Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
A Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).
To perform Network DoS attacks several aspects apply to multiple methods, including IP address spoofing, and botnets.
Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.
For DoS attacks targeting the hosting system directly, see Endpoint Denial of Service.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DE.CM-01.02 | Network traffic volume monitoring | Mitigates | T1498 | Network Denial of Service |
Comments
This diagnostic statement may block Network Denial of Service (DoS) attacks from occurring by adversaries that target resources to users via websites, email services, DNS, and web-based applications. Filtering boundary traffic can be used to intercept incoming traffic and filtering out the attack traffic from the original traffic.
References
|
| ID.IM-02.06 | Accurate data recovery | Mitigates | T1498 | Network Denial of Service |
Comments
This diagnostic statement focuses on safeguarding IP addresses from potential attacks by adversaries, including Network Denial of Service (DoS) attacks targeting websites, email services, and web-based applications. Additionally, the integration of third-party services is recommended to support the development of a comprehensive business continuity plan, ensuring an effective response to such incidents.
References
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1498 | Network Denial of Service |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
References
|
| PR.IR-04.02 | Availability and capacity management | Mitigates | T1498 | Network Denial of Service |
Comments
This diagnostic approach safeguards systems and network resources from adversaries seeking to block availability of services to user by attempting to conduct DoS attacks. Implementing mitigation strategies, such as filtering network traffic, enables blocking IP addresses and protocols used for transport.
References
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1498 | Network Denial of Service |
Comments
This diagnostic statement protects against Network Denial of Service through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
References
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1498 | Network Denial of Service |
Comments
This diagnostic statement protects against Network Denial of Service through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1498 | Network Denial of Service | |
| CM-06 | Configuration Settings | mitigates | T1498 | Network Denial of Service | |
| SI-10 | Information Input Validation | mitigates | T1498 | Network Denial of Service | |
| SI-15 | Information Output Filtering | mitigates | T1498 | Network Denial of Service | |
| CM-07 | Least Functionality | mitigates | T1498 | Network Denial of Service | |
| AC-03 | Access Enforcement | mitigates | T1498 | Network Denial of Service | |
| AC-04 | Information Flow Enforcement | mitigates | T1498 | Network Denial of Service | |
| SC-07 | Boundary Protection | mitigates | T1498 | Network Denial of Service |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.DoS | Denial of service | related-to | T1498 | Network Denial of Service | |
| action.malware.variety.DoS | DoS attack | related-to | T1498 | Network Denial of Service | |
| attribute.availability.variety.Degradation | Performance degradation | related-to | T1498 | Network Denial of Service | |
| attribute.availability.variety.Loss | Loss | related-to | T1498 | Network Denial of Service |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| azure_ddos_protection | Azure DDoS Protection | technique_scores | T1498 | Network Denial of Service |
Comments
Designed to address multiple DDOS techniques including volumetric attacks.
References
|
| azure_network_security_groups | Azure Network Security Groups | technique_scores | T1498 | Network Denial of Service |
Comments
This control can be used to restrict access to endpoints and thereby mitigate low-end network DOS attacks.
References
|
| azure_private_link | Azure Private Link | technique_scores | T1498 | Network Denial of Service |
Comments
Prevents Denial of Service (DOS) against systems that would otherwise need to connect via an internet-traversing path (coverage partial, since doesn't apply to systems that must be directly exposed to the Internet)
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| cloud_armor | Cloud Armor | technique_scores | T1498 | Network Denial of Service |
Comments
Google Cloud Armor provides always-on DDoS protection against network or protocol-based volumetric DDoS attacks. It allows users to allow/deny traffic at the Google Cloud edge, closest to the source of traffic. This prevents unwelcome traffic from consuming resources.
References
|
| cloud_cdn | Cloud CDN | technique_scores | T1498 | Network Denial of Service |
Comments
Cloud CDN acts as a proxy between clients and origin servers. Cloud CDN can distribute requests for cacheable content across multiple points-of-presence (POPs), thereby providing a larger set of locations to absorb a DOS attack.
However, Cloud CDN doesn't provide protection against DOS attacks for uncached content.
References
|
| cloud_ngfw | Cloud Next-Generation Firewall (NGFW)_ | technique_scores | T1498 | Network Denial of Service |
Comments
Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block the sources of smaller-scale network denial of service attacks. While Cloud NGFW support both sub-techniques (2 of 2), this mapping is given a score of Minimal because often times it is necessary to block the traffic at an Internet Service Provider or Content Provider Network level.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1498 | Network Denial of Service |
Comments
The following finding types in GuardDuty flag events where adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users.
Backdoor:EC2/DenialOfService.UdpOnTcpPorts Backdoor:EC2/DenialOfService.UnusualProtocol Backdoor:EC2/DenialOfService.Udp Backdoor:EC2/DenialOfService.Tcp Backdoor:EC2/DenialOfService.Dns
References
|
| amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1498 | Network Denial of Service |
Comments
VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score.
References
|
| aws_config | AWS Config | technique_scores | T1498 | Network Denial of Service |
Comments
This control provides minimal coverage for this technique's sub-techniques as well as its procedures, resulting in an overall score of Minimal.
References
|
| aws_network_firewall | AWS Network Firewall | technique_scores | T1498 | Network Denial of Service |
Comments
AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block the sources of smaller-scale network denial of service attacks. While AWS Network Firewall supports all sub-techniques (2 of 2 at the time of this mapping), this mapping is given a score of Minimal because often times it is necessary to block the traffic at an Internet Service Provider or Content Provider Network level.
References
|
| aws_shield | AWS Shield | technique_scores | T1498 | Network Denial of Service |
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1498.001 | Direct Network Flood | 23 |
| T1498.002 | Reflection Amplification | 24 |