Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. Direct Network Floods are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.
Botnets are commonly used to conduct network flooding attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global Internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for distributed DoS (DDoS), so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS flooding attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.DoS | Denial of service | related-to | T1498.001 | Network Denial of Service: Direct Network Flood | |
action.malware.variety.DoS | DoS attack | related-to | T1498.001 | Network Denial of Service: Direct Network Flood | |
attribute.availability.variety.Degradation | Performance degradation | related-to | T1498.001 | Network Denial of Service: Direct Network Flood | |
attribute.availability.variety.Loss | Loss | related-to | T1498.001 | Network Denial of Service: Direct Network Flood |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_guardduty | Amazon GuardDuty | technique_scores | T1498.001 | Direct Network Flood |
Comments
The following finding types in GuardDuty flag events where adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users.
Backdoor:EC2/DenialOfService.UdpOnTcpPorts Backdoor:EC2/DenialOfService.UnusualProtocol Backdoor:EC2/DenialOfService.Udp Backdoor:EC2/DenialOfService.Tcp Backdoor:EC2/DenialOfService.Dns
References
|
aws_config | AWS Config | technique_scores | T1498.001 | Direct Network Flood |
Comments
The "elb-cross-zone-load-balancing-enabled" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. "cloudfront-origin-failover-enabled" can verify that failover policies are in place to increase CloudFront content availability.
Coverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.
References
|
aws_network_firewall | AWS Network Firewall | technique_scores | T1498.001 | Direct Network Flood |
Comments
AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block the sources of smaller-scale network denial of service attacks. This mapping is given a score of Minimal because often times it is necessary to block the traffic at an Internet Service Provider or Content Provider Network level.
References
|
aws_shield | AWS Shield | technique_scores | T1498.001 | Direct Network Flood |
Comments
AWS Shield will set and use a static network flow threshold to detect incoming traffic to AWS services. This will reduce direct network DOS attacks by applying an undisclosed combination of traffic signatures, anomaly algorithms, and other analysis techniques to detect malicious traffic in real-time. AWS Shield Advance identifies anomalies in network traffic to flag attempted attacks and execute inline mitigations to resolve the issue.
References
|