Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes.
Different ways to achieve this exist, including TCP state-exhaustion attacks such as SYN floods and ACK floods.(Citation: Arbor AnnualDoSreport Jan 2018) With SYN floods, excessive amounts of SYN packets are sent, but the 3-way TCP handshake is never completed. Because each OS has a maximum number of concurrent TCP connections that it will allow, this can quickly exhaust the ability of the system to receive new requests for TCP connections, thus preventing access to any TCP service provided by the server.(Citation: Cloudflare SynFlood)
ACK floods leverage the stateful nature of the TCP protocol. A flood of ACK packets are sent to the target. This forces the OS to search its state table for a related TCP connection that has already been established. Because the ACK packets are for connections that do not exist, the OS will have to search the entire state table to confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to eliminate the rogue ACK packets. This greatly reduces the resources available for providing the targeted service.(Citation: Corero SYN-ACKflood)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DE.CM-01.02 | Network traffic volume monitoring | Mitigates | T1499.001 | OS Exhaustion Flood |
Comments
This diagnostic statement may block Endpoint Denial of Service (DoS) attacks from occurring by adversaries that target endpoint's operating system (OS). Filtering boundary traffic can be used to block source addresses and block ports that are being targeted. It also blocks protocols being used for transport.
References
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1499.001 | OS Exhaustion Flood |
Comments
This diagnostic statement protects against OS Exhaustion Flood through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
References
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1499.001 | OS Exhaustion Flood |
Comments
This diagnostic statement protects against OS Exhaustion Flood through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1499.001 | OS Exhaustion Flood | |
| CM-06 | Configuration Settings | mitigates | T1499.001 | OS Exhaustion Flood | |
| SI-10 | Information Input Validation | mitigates | T1499.001 | OS Exhaustion Flood | |
| SI-15 | Information Output Filtering | mitigates | T1499.001 | OS Exhaustion Flood | |
| CM-07 | Least Functionality | mitigates | T1499.001 | OS Exhaustion Flood | |
| SI-04 | System Monitoring | mitigates | T1499.001 | OS Exhaustion Flood | |
| AC-03 | Access Enforcement | mitigates | T1499.001 | OS Exhaustion Flood | |
| AC-04 | Information Flow Enforcement | mitigates | T1499.001 | OS Exhaustion Flood | |
| SC-07 | Boundary Protection | mitigates | T1499.001 | OS Exhaustion Flood |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.DoS | Denial of service | related-to | T1499.001 | OS Exhaustion Flood | |
| action.malware.variety.DoS | DoS attack | related-to | T1499.001 | OS Exhaustion Flood | |
| attribute.availability.variety.Degradation | Performance degradation | related-to | T1499.001 | OS Exhaustion Flood | |
| attribute.availability.variety.Loss | Loss | related-to | T1499.001 | OS Exhaustion Flood |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | technique_scores | T1499.001 | OS Exhaustion Flood |
Comments
This control's "Container CPU and memory limits should be enforced" recommendation can lead to preventing resource exhaustion attacks by recommending enforcing limits for containers to ensure the runtime prevents the container from using more than the configured resource limit. Because this is a recommendation, its score is capped at Partial.
References
|
| azure_ddos_protection | Azure DDoS Protection | technique_scores | T1499.001 | OS Exhaustion Flood |
Comments
This control can protect against endpoint denial of service attacks.
References
|
| azure_network_security_groups | Azure Network Security Groups | technique_scores | T1499.001 | OS Exhaustion Flood |
Comments
This control can be used to restrict access to endpoints and thereby mitigate low-end DOS attacks.
References
|
| azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1499.001 | OS Exhaustion Flood |
Comments
This control can detect endpoint denial of service attacks.
References
|
| azure_private_link | Azure Private Link | technique_scores | T1499.001 | OS Exhaustion Flood |
Comments
This control can protect against endpoint denial of service attacks.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1499.001 | OS Exhaustion Flood |
Comments
VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score.
References
|
| aws_config | AWS Config | technique_scores | T1499.001 | OS Exhaustion Flood |
Comments
The "elb-cross-zone-load-balancing-enabled" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. "cloudfront-origin-failover-enabled" can verify that failover policies are in place to increase CloudFront content availability.
Coverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.
References
|
| aws_network_firewall | AWS Network Firewall | technique_scores | T1499.001 | OS Exhaustion Flood |
Comments
AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. That is, the AWS Network Firewall could block the source of the denial of service attack. This mapping is given a score of Partial because the source of the attack would have to be known before rules could be put in place to protect against it.
References
|
| aws_shield | AWS Shield | technique_scores | T1499.001 | OS Exhaustion Flood |
Comments
AWS Shield Standard provides protection and response to these Denial of Service attacks in real time by using a network traffic baseline and identifying anomalies among other techniques.
References
|