Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications. For example, specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself.(Citation: Arbor AnnualDoSreport Jan 2018)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DE.CM-01.02 | Network traffic volume monitoring | Mitigates | T1499.003 | Application Exhaustion Flood |
Comments
This diagnostic statement may block Denial of Service (DoS) attacks from occurring by adversaries that target application features. Filtering boundary traffic can be used to block source addresses and block ports that are being targeted. It also blocks protocols being used for transport.
References
|
| PR.IR-04.02 | Availability and capacity management | Mitigates | T1499.003 | Application Exhaustion Flood |
Comments
This diagnostic approach safeguards systems and network resources from adversaries seeking to block availability of services to user by attempting to exploit software vulnerabilities that can cause an application or system to crash. Implementing mitigation strategies, such as filtering network traffic, enables blocking IP addresses and protocols used for transport.
References
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1499.003 | Application Exhaustion Flood |
Comments
This diagnostic statement protects against Application Exhaustion Flood through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
References
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1499.003 | Application Exhaustion Flood |
Comments
This diagnostic statement protects against Application Exhaustion Flood through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1499.003 | Application Exhaustion Flood | |
| CM-06 | Configuration Settings | mitigates | T1499.003 | Application Exhaustion Flood | |
| SI-10 | Information Input Validation | mitigates | T1499.003 | Application Exhaustion Flood | |
| SI-15 | Information Output Filtering | mitigates | T1499.003 | Application Exhaustion Flood | |
| CM-07 | Least Functionality | mitigates | T1499.003 | Application Exhaustion Flood | |
| SI-04 | System Monitoring | mitigates | T1499.003 | Application Exhaustion Flood | |
| AC-03 | Access Enforcement | mitigates | T1499.003 | Application Exhaustion Flood | |
| AC-04 | Information Flow Enforcement | mitigates | T1499.003 | Application Exhaustion Flood | |
| SC-07 | Boundary Protection | mitigates | T1499.003 | Application Exhaustion Flood |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.vector.Partner | Partner connection or credential. (Indicates supply chain breach.) | related-to | T1499.003 | Application Exhaustion Flood | |
| action.social.vector.Software | Software | related-to | T1499.003 | Application Exhaustion Flood | |
| action.hacking.variety.DoS | Denial of service | related-to | T1499.003 | Application Exhaustion Flood | |
| action.malware.variety.DoS | DoS attack | related-to | T1499.003 | Application Exhaustion Flood | |
| attribute.availability.variety.Degradation | Performance degradation | related-to | T1499.003 | Application Exhaustion Flood | |
| attribute.availability.variety.Loss | Loss | related-to | T1499.003 | Application Exhaustion Flood |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| azure_ddos_protection | Azure DDoS Protection | technique_scores | T1499.003 | Application Exhaustion Flood |
Comments
This control can protect against endpoint denial of service attacks.
References
|
| azure_network_security_groups | Azure Network Security Groups | technique_scores | T1499.003 | Application Exhaustion Flood |
Comments
This control can be used to restrict access to endpoints and thereby mitigate low-end DOS attacks.
References
|
| azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1499.003 | Application Exhaustion Flood |
Comments
This control can detect endpoint denial of service attacks.
References
|
| azure_private_link | Azure Private Link | technique_scores | T1499.003 | Application Exhaustion Flood |
Comments
This control can protect against endpoint denial of service attacks.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| cloud_ids | Cloud IDS | technique_scores | T1499.003 | Application Exhaustion Flood |
Comments
Often used by adversaries to affect availability and deprive legitimate user access, Palo Alto Network's vulnerability signatures are able to detect denial-of-service (DoS) attacks that attempt to crash a target system by flooding it with application traffic.
This technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against variations of these cyber-attacks.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1499.003 | Application Exhaustion Flood |
Comments
VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score.
References
|
| aws_config | AWS Config | technique_scores | T1499.003 | Application Exhaustion Flood |
Comments
The "elb-cross-zone-load-balancing-enabled" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. "cloudfront-origin-failover-enabled" can verify that failover policies are in place to increase CloudFront content availability.
Coverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.
References
|
| aws_network_firewall | AWS Network Firewall | technique_scores | T1499.003 | Application Exhaustion Flood |
Comments
AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. That is, the AWS Network Firewall could block the source of the denial of service attack. This mapping is given a score of Partial because the source of the attack would have to be known before rules could be put in place to protect against it.
References
|
| aws_shield | AWS Shield | technique_scores | T1499.003 | Application Exhaustion Flood |
Comments
AWS Shield Advance allows for customized detection and mitigations for custom applications that are running on EC2 instances.
References
|