T1499 Endpoint Denial of Service Mappings

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)

An Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).

To perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets.

Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.

Botnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)

In cases where traffic manipulation is used, there may be points in the the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.(Citation: ArsTechnica Great Firewall of China)

For attacks attempting to saturate the providing network, see Network Denial of Service.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-3 Access Enforcement Protects T1499 Endpoint Denial of Service
AC-4 Information Flow Enforcement Protects T1499 Endpoint Denial of Service
CA-7 Continuous Monitoring Protects T1499 Endpoint Denial of Service
CM-6 Configuration Settings Protects T1499 Endpoint Denial of Service
CM-7 Least Functionality Protects T1499 Endpoint Denial of Service
SC-7 Boundary Protection Protects T1499 Endpoint Denial of Service
SI-10 Information Input Validation Protects T1499 Endpoint Denial of Service
SI-15 Information Output Filtering Protects T1499 Endpoint Denial of Service
SI-4 System Monitoring Protects T1499 Endpoint Denial of Service
CVE-2019-15956 Cisco Web Security Appliance (WSA) primary_impact T1499 Endpoint Denial of Service
CVE-2020-3306 Cisco Adaptive Security Appliance (ASA) Software primary_impact T1499 Endpoint Denial of Service
CVE-2020-3120 Cisco IOS XR Software primary_impact T1499 Endpoint Denial of Service
CVE-2018-15462 Cisco Firepower Threat Defense Software primary_impact T1499 Endpoint Denial of Service
CVE-2019-1704 Cisco Firepower Threat Defense Software primary_impact T1499 Endpoint Denial of Service
CVE-2018-15772 Dell EMC RecoverPoint primary_impact T1499 Endpoint Denial of Service
CVE-2020-6986 Omron PLC CJ Series primary_impact T1499 Endpoint Denial of Service
CVE-2019-13555 Mitsubishi Electric MELSEC-Q Series Q03/04/06/13/26UDVCPU: serial number 21081 and prior, Q04/06/13/26UDPVCPU: serial number 21081 and prior, and Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU: serial number 21081 and prior. MELSEC-L Series L02/06/26CPU, L26CPU-BT: serial number 21101 and prior, L02/06/26CPU-P, L26CPU-PBT: serial number 21101 and prior, and L02/06/26CPU-CM, L26CPU-BT-CM: serial number 21101 and prior. primary_impact T1499 Endpoint Denial of Service
CVE-2018-19010 Dräger Infinity Delta primary_impact T1499 Endpoint Denial of Service
CVE-2020-14508 GateManager primary_impact T1499 Endpoint Denial of Service
CVE-2017-7533 Linux kernel through 4.12.4 uncategorized T1499 Endpoint Denial of Service
CVE-2020-11897 n/a uncategorized T1499 Endpoint Denial of Service
CVE-2020-11896 n/a uncategorized T1499 Endpoint Denial of Service
CVE-2014-1776 n/a uncategorized T1499 Endpoint Denial of Service
CVE-2013-3918 n/a uncategorized T1499 Endpoint Denial of Service
CVE-2019-11707 Firefox ESR uncategorized T1499 Endpoint Denial of Service
CVE-2017-14934 n/a uncategorized T1499 Endpoint Denial of Service
CVE-2009-2055 n/a uncategorized T1499 Endpoint Denial of Service
action.hacking.variety.DoS Denial of service related-to T1499 Endpoint Denial of Service
action.hacking.variety.Soap array abuse Soap array abuse. Child of 'Exploit vuln'. related-to T1499 Endpoint Denial of Service
action.hacking.variety.XML attribute blowup XML attribute blowup. Child of 'Exploit vuln'. related-to T1499 Endpoint Denial of Service
action.hacking.variety.XML entity expansion XML entity expansion. Child of 'Exploit vuln'. related-to T1499 Endpoint Denial of Service
action.hacking.variety.XML external entities XML external entities. Child of 'Exploit vuln'. related-to T1499 Endpoint Denial of Service
action.malware.variety.DoS DoS attack related-to T1499 Endpoint Denial of Service
aws_config AWS Config technique_scores T1499 Endpoint Denial of Service
aws_shield AWS Shield technique_scores T1499 Endpoint Denial of Service
amazon_virtual_private_cloud Amazon Virtual Private Cloud technique_scores T1499 Endpoint Denial of Service
aws_network_firewall AWS Network Firewall technique_scores T1499 Endpoint Denial of Service

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1499.003 Application Exhaustion Flood 16
T1499.004 Application or System Exploitation 108
T1499.001 OS Exhaustion Flood 16
T1499.002 Service Exhaustion Flood 16