T1498.001 Direct Network Flood

Adversaries may attempt to cause a denial of service (DoS) by directly sending a high volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. Direct Network Floods are when one or more systems are used to send a high volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used, but stateful protocols such as TCP can be used as well.

Botnets are commonly used to conduct network flooding attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global Internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for distributed DoS (DDoS), so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS flooding attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)

CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

DE.CM-01.02 | Network traffic volume monitoring | Mitigates | T1498.001 | Direct Network Flood
Comments: This diagnostic statement may help block Denial of Service (DoS) attacks in which adversaries send a high volume of network traffic at a target network. Filtering boundary traffic can intercept incoming traffic and separate the attack traffic from legitimate traffic.

ID.IM-02.06 | Accurate data recovery | Mitigates | T1498.001 | Direct Network Flood
Comments: This diagnostic statement focuses on safeguarding IP addresses from potential attacks by adversaries, including Network Denial of Service (DoS) attacks targeting the availability and functionality of networks. Additionally, the integration of third-party services is recommended to support the development of a comprehensive business continuity plan, ensuring an effective response to such incidents.

PR.IR-04.02 | Availability and capacity management | Mitigates | T1498.001 | Direct Network Flood
Comments: This diagnostic approach safeguards systems and network resources from adversaries seeking to block the availability of services to users by conducting DoS attacks. Implementing mitigation strategies, such as filtering network traffic and using ISP or third-party providers, enables blocking of the IP addresses and protocols used for transport.

PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1498.001 | Direct Network Flood
Comments: This diagnostic statement protects against Direct Network Flood through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.

PR.PS-01.08 | End-user device protection | Mitigates | T1498.001 | Direct Network Flood
Comments: This diagnostic statement protects against Direct Network Flood by limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
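The DE.CM-01.02 mapping above describes network traffic volume monitoring; the following added example (written for this page, not part of the ATT&CK or Mappings Explorer content) shows what such monitoring looks like over constructed VPC Flow Log lines. It aggregates packets per destination so that a distributed flood, where each source sends only a little, still trips the threshold, and it separately flags UDP arriving on TCP service ports, the pattern behind the GuardDuty DenialOfService.UdpOnTcpPorts finding listed below. The field order, thresholds and sample records are assumptions.

```python
# Added example: per-destination flood detection over VPC Flow Log records.
# Assumptions: the field order is the AWS VPC Flow Logs default (version 2)
# format; thresholds and the sample records below are constructed, not real.
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
UDP = 17
TCP_SERVICE_PORTS = {80, 443}  # UDP arriving here is unexpected for these services

def parse_flow_logs(text):
    """Parse whitespace-separated flow-log lines into dicts with int counters."""
    records = []
    for line in text.strip().splitlines():
        rec = dict(zip(FIELDS, line.split()))
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def detect_floods(records, packet_threshold=5000, min_sources=10):
    """Aggregate per destination so a distributed flood, where each source
    sends little, still trips the threshold; also flag UDP on TCP ports."""
    per_dst = defaultdict(lambda: {"packets": 0, "sources": set(), "udp_on_tcp": 0})
    for r in records:
        agg = per_dst[r["dstaddr"]]
        agg["packets"] += r["packets"]
        agg["sources"].add(r["srcaddr"])
        if r["protocol"] == UDP and r["dstport"] in TCP_SERVICE_PORTS:
            agg["udp_on_tcp"] += r["packets"]
    findings = {}
    for dst, agg in per_dst.items():
        reasons = []
        if agg["packets"] >= packet_threshold:
            kind = "distributed" if len(agg["sources"]) >= min_sources else "single-source"
            reasons.append(f"{kind} flood: {agg['packets']} packets from {len(agg['sources'])} sources")
        if agg["udp_on_tcp"]:
            reasons.append(f"UDP on TCP service ports: {agg['udp_on_tcp']} packets")
        if reasons:
            findings[dst] = reasons
    return findings

# Constructed sample: 12 low-volume UDP sources hitting 10.0.1.5:443 (each one
# alone looks harmless) plus one ordinary HTTPS flow to 10.0.1.6.
SAMPLE_FLOW_LOGS = "\n".join(
    f"2 123456789012 eni-0a1b 198.51.100.{i} 10.0.1.5 4{i:04d} 443 17 900 "
    f"1080000 1700000000 1700000060 ACCEPT OK" for i in range(1, 13)
) + "\n2 123456789012 eni-0a1b 203.0.113.10 10.0.1.6 51000 443 6 4 1200 1700000000 1700000060 ACCEPT OK"
```

Running `detect_floods(parse_flow_logs(SAMPLE_FLOW_LOGS))` reports only 10.0.1.5, with both a distributed-flood reason and a UDP-on-TCP-port reason, while the ordinary flow to 10.0.1.6 stays silent.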

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
CA-07 | Continuous Monitoring | mitigates | T1498.001 | Direct Network Flood
CM-06 | Configuration Settings | mitigates | T1498.001 | Direct Network Flood
SI-10 | Information Input Validation | mitigates | T1498.001 | Direct Network Flood
SI-15 | Information Output Filtering | mitigates | T1498.001 | Direct Network Flood
CM-07 | Least Functionality | mitigates | T1498.001 | Direct Network Flood
AC-03 | Access Enforcement | mitigates | T1498.001 | Direct Network Flood
AC-04 | Information Flow Enforcement | mitigates | T1498.001 | Direct Network Flood
SC-07 | Boundary Protection | mitigates | T1498.001 | Direct Network Flood

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
action.hacking.variety.DoS | Denial of service | related-to | T1498.001 | Direct Network Flood
action.malware.variety.DoS | DoS attack | related-to | T1498.001 | Direct Network Flood
attribute.availability.variety.Degradation | Performance degradation | related-to | T1498.001 | Direct Network Flood
attribute.availability.variety.Loss | Loss | related-to | T1498.001 | Direct Network Flood

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

azure_ddos_protection | Azure DDoS Protection | technique_scores | T1498.001 | Direct Network Flood
Comments: This control can protect against network denial of service attacks.

azure_private_link | Azure Private Link | technique_scores | T1498.001 | Direct Network Flood
Comments: This control can protect against network denial of service attacks.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

amazon_guardduty | Amazon GuardDuty | technique_scores | T1498.001 | Direct Network Flood
Comments: The following GuardDuty finding types flag events where adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users: Backdoor:EC2/DenialOfService.UdpOnTcpPorts, Backdoor:EC2/DenialOfService.UnusualProtocol, Backdoor:EC2/DenialOfService.Udp, Backdoor:EC2/DenialOfService.Tcp, and Backdoor:EC2/DenialOfService.Dns.

aws_config | AWS Config | technique_scores | T1498.001 | Direct Network Flood
Comments: The "elb-cross-zone-load-balancing-enabled" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. "cloudfront-origin-failover-enabled" can verify that failover policies are in place to increase CloudFront content availability. Coverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.

aws_network_firewall | AWS Network Firewall | technique_scores | T1498.001 | Direct Network Flood
Comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol, as well as perform deep packet inspection on the payload. This functionality can be used to block the sources of smaller-scale network denial of service attacks. This mapping is given a score of Minimal because it is often necessary to block the traffic at the Internet Service Provider or Content Delivery Network level.

aws_shield | AWS Shield | technique_scores | T1498.001 | Direct Network Flood
Comments: AWS Shield will set and use a static network flow threshold to detect incoming traffic to AWS services. This will reduce direct network DoS attacks by applying an undisclosed combination of traffic signatures, anomaly algorithms, and other analysis techniques to detect malicious traffic in real time. AWS Shield Advanced identifies anomalies in network traffic to flag attempted attacks and executes inline mitigations to resolve the issue.