T1499.002 Service Exhaustion Flood Mappings

Adversaries may target the different network services provided by systems to conduct a DoS. Adversaries often target DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.

One example of this type of attack is known as a simple HTTP flood, where an adversary sends a large number of HTTP requests to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.(Citation: Cloudflare HTTPflood)

Another variation, known as a SSL renegotiation attack, takes advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto algorithm. In a renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.(Citation: Arbor SSLDoS April 2012)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-3 Access Enforcement Protects T1499.002 Service Exhaustion Flood
AC-4 Information Flow Enforcement Protects T1499.002 Service Exhaustion Flood
CA-7 Continuous Monitoring Protects T1499.002 Service Exhaustion Flood
CM-6 Configuration Settings Protects T1499.002 Service Exhaustion Flood
CM-7 Least Functionality Protects T1499.002 Service Exhaustion Flood
SC-7 Boundary Protection Protects T1499.002 Service Exhaustion Flood
SI-10 Information Input Validation Protects T1499.002 Service Exhaustion Flood
SI-15 Information Output Filtering Protects T1499.002 Service Exhaustion Flood
SI-4 System Monitoring Protects T1499.002 Service Exhaustion Flood
CVE-2019-1703 Cisco Firepower Threat Defense Software primary_impact T1499.002 Service Exhaustion Flood
action.hacking.variety.DoS Denial of service related-to T1499.002 Endpoint Denial of Service: Service Exhaustion Flood
action.malware.variety.DoS DoS attack related-to T1499.002 Endpoint Denial of Service: Service Exhaustion Flood
aws_config AWS Config technique_scores T1499.002 Service Exhaustion Flood
aws_shield AWS Shield technique_scores T1499.002 Service Exhaustion Flood
amazon_virtual_private_cloud Amazon Virtual Private Cloud technique_scores T1499.002 Service Exhaustion Flood
aws_network_firewall AWS Network Firewall technique_scores T1499.002 Service Exhaustion Flood