T1498.001 Direct Network Flood Mappings

Adversaries may attempt to cause a denial of service (DoS) by directly sending a high volume of network traffic to a target. A Direct Network Flood occurs when one or more systems send a high volume of network packets toward the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are most commonly used, but stateful protocols such as TCP can be used as well.

Botnets are commonly used to conduct network flooding attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global Internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for distributed DoS (DDoS), so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS flooding attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)

Mappings

Capability ID              | Capability Description        | Mapping Type     | ATT&CK ID | ATT&CK Name
AC-3                       | Access Enforcement            | Protects         | T1498.001 | Direct Network Flood
AC-4                       | Information Flow Enforcement  | Protects         | T1498.001 | Direct Network Flood
CA-7                       | Continuous Monitoring         | Protects         | T1498.001 | Direct Network Flood
CM-6                       | Configuration Settings        | Protects         | T1498.001 | Direct Network Flood
CM-7                       | Least Functionality           | Protects         | T1498.001 | Direct Network Flood
SC-7                       | Boundary Protection           | Protects         | T1498.001 | Direct Network Flood
SI-10                      | Information Input Validation  | Protects         | T1498.001 | Direct Network Flood
SI-15                      | Information Output Filtering  | Protects         | T1498.001 | Direct Network Flood
action.hacking.variety.DoS | Denial of service             | related-to       | T1498.001 | Network Denial of Service: Direct Network Flood
action.malware.variety.DoS | DoS attack                    | related-to       | T1498.001 | Network Denial of Service: Direct Network Flood
aws_config                 | AWS Config                    | technique_scores | T1498.001 | Direct Network Flood
amazon_guardduty           | Amazon GuardDuty              | technique_scores | T1498.001 | Direct Network Flood
aws_shield                 | AWS Shield                    | technique_scores | T1498.001 | Direct Network Flood
aws_network_firewall       | AWS Network Firewall          | technique_scores | T1498.001 | Direct Network Flood