T1499.002 Service Exhaustion Flood

Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.

One example of this type of attack is known as a simple HTTP flood, where an adversary sends a large number of HTTP requests to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.(Citation: Cloudflare HTTPflood)

Another variation, known as a SSL renegotiation attack, takes advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto algorithm. In a renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.(Citation: Arbor SSLDoS April 2012)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
DE.CM-01.02 Network traffic volume monitoring Mitigates T1499.002 Service Exhaustion Flood
Comments
This diagnostic statement may block Endpoint Denial of Service (DoS) attacks from occurring from adversaries that target DNS and web services. Filtering boundary traffic can be used to block source addresses and block ports that are being targeted. It also blocks protocols being used for transport.
References
    PR.IR-04.02 Availability and capacity management Mitigates T1499.002 Service Exhaustion Flood
    Comments
    This diagnostic approach safeguards systems and network resources from adversaries seeking to block availability of services to user by attempting to conduct DoS attacks. Implementing mitigation strategies, such as filtering network traffic, enables blocking IP addresses and protocols used for transport.
    References
      PR.IR-01.03 Network communications integrity and availability Mitigates T1499.002 Service Exhaustion Flood
      Comments
      This diagnostic statement protects against Service Exhaustion Flood through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
      References
        PR.PS-01.08 End-user device protection Mitigates T1499.002 Service Exhaustion Flood
        Comments
        This diagnostic statement protects against Service Exhaustion Flood through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
        References

          NIST 800-53 Mappings

          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
          CA-07 Continuous Monitoring mitigates T1499.002 Service Exhaustion Flood
          CM-06 Configuration Settings mitigates T1499.002 Service Exhaustion Flood
          SI-10 Information Input Validation mitigates T1499.002 Service Exhaustion Flood
          SI-15 Information Output Filtering mitigates T1499.002 Service Exhaustion Flood
          CM-07 Least Functionality mitigates T1499.002 Service Exhaustion Flood
          SI-04 System Monitoring mitigates T1499.002 Service Exhaustion Flood
          AC-03 Access Enforcement mitigates T1499.002 Service Exhaustion Flood
          AC-04 Information Flow Enforcement mitigates T1499.002 Service Exhaustion Flood
          SC-07 Boundary Protection mitigates T1499.002 Service Exhaustion Flood

          VERIS Mappings

          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
          action.hacking.vector.Partner Partner connection or credential. (Indicates supply chain breach.) related-to T1499.002 Service Exhaustion Flood
          action.social.vector.Partner Partner connection or credential. (Indicates supply chain breach.) related-to T1499.002 Service Exhaustion Flood
          action.hacking.variety.DoS Denial of service related-to T1499.002 Service Exhaustion Flood
          action.malware.variety.DoS DoS attack related-to T1499.002 Service Exhaustion Flood
          attribute.availability.variety.Degradation Performance degradation related-to T1499.002 Service Exhaustion Flood
          attribute.availability.variety.Loss Loss related-to T1499.002 Service Exhaustion Flood

          Azure Mappings

          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
          azure_ddos_protection Azure DDoS Protection technique_scores T1499.002 Service Exhaustion Flood
          Comments
          This control can protect against endpoint denial of service attacks.
          References
          azure_network_security_groups Azure Network Security Groups technique_scores T1499.002 Service Exhaustion Flood
          Comments
          This control can be used to restrict access to endpoints and thereby mitigate low-end DOS attacks.
          References
          azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics technique_scores T1499.002 Service Exhaustion Flood
          Comments
          This control can detect endpoint denial of service attacks.
          References
          azure_private_link Azure Private Link technique_scores T1499.002 Service Exhaustion Flood
          Comments
          This control can protect against endpoint denial of service attacks.
          References

          AWS Mappings

          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
          amazon_virtual_private_cloud Amazon Virtual Private Cloud technique_scores T1499.002 Service Exhaustion Flood
          Comments
          VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score.
          References
            aws_config AWS Config technique_scores T1499.002 Service Exhaustion Flood
            Comments
            The "elb-cross-zone-load-balancing-enabled" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. "cloudfront-origin-failover-enabled" can verify that failover policies are in place to increase CloudFront content availability. Coverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.
            References
              aws_network_firewall AWS Network Firewall technique_scores T1499.002 Service Exhaustion Flood
              Comments
              AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. That is, the AWS Network Firewall could block the source of the denial of service attack. This mapping is given a score of Partial because the source of the attack would have to be known before rules could be put in place to protect against it.
              References
                aws_shield AWS Shield technique_scores T1499.002 Service Exhaustion Flood
                Comments
                AWS Shield Standard provides protection and response to these Denial of Service attacks in real time by using a network traffic baseline and identifying anomalies among other techniques.
                References