Adversaries may target the operating system (OS) for a DoS attack, since the (OS) is responsible for managing the finite resources on a system. These attacks do not need to exhaust the actual resources on a system since they can simply exhaust the limits that an OS self-imposes to prevent the entire system from being overwhelmed by excessive demands on its capacity.
Different ways to achieve this exist, including TCP state-exhaustion attacks such as SYN floods and ACK floods.(Citation: Arbor AnnualDoSreport Jan 2018) With SYN floods, excessive amounts of SYN packets are sent, but the 3-way TCP handshake is never completed. Because each OS has a maximum number of concurrent TCP connections that it will allow, this can quickly exhaust the ability of the system to receive new requests for TCP connections, thus preventing access to any TCP service provided by the server.(Citation: Cloudflare SynFlood)
ACK floods leverage the stateful nature of the TCP protocol. A flood of ACK packets are sent to the target. This forces the OS to search its state table for a related TCP connection that has already been established. Because the ACK packets are for connections that do not exist, the OS will have to search the entire state table to confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to eliminate the rogue ACK packets. This greatly reduces the resources available for providing the targeted service.(Citation: Corero SYN-ACKflood)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-3 | Access Enforcement | Protects | T1499.001 | OS Exhaustion Flood | |
| AC-4 | Information Flow Enforcement | Protects | T1499.001 | OS Exhaustion Flood | |
| CA-7 | Continuous Monitoring | Protects | T1499.001 | OS Exhaustion Flood | |
| CM-6 | Configuration Settings | Protects | T1499.001 | OS Exhaustion Flood | |
| CM-7 | Least Functionality | Protects | T1499.001 | OS Exhaustion Flood | |
| SC-7 | Boundary Protection | Protects | T1499.001 | OS Exhaustion Flood | |
| SI-10 | Information Input Validation | Protects | T1499.001 | OS Exhaustion Flood | |
| SI-15 | Information Output Filtering | Protects | T1499.001 | OS Exhaustion Flood | |
| SI-4 | System Monitoring | Protects | T1499.001 | OS Exhaustion Flood |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| azure_security_center_recommendations | Azure Security Center Recommendations | technique_scores | T1499.001 | OS Exhaustion Flood |
Comments
This control's "Container CPU and memory limits should be enforced" recommendation can lead to preventing resource exhaustion attacks by recommending enforcing limits for containers to ensure the runtime prevents the container from using more than the configured resource limit. Because this is a recommendation, its score is capped at Partial.
References
|
| network_security_groups | Network Security Groups | technique_scores | T1499.001 | OS Exhaustion Flood |
Comments
This control can be used to restrict access to endpoints and thereby mitigate low-end DOS attacks.
References
|
| azure_private_link | Azure Private Link | technique_scores | T1499.001 | OS Exhaustion Flood | |
| azure_ddos_protection_standard | Azure DDOS Protection Standard | technique_scores | T1499.001 | OS Exhaustion Flood | |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | technique_scores | T1499.001 | OS Exhaustion Flood |