Adversaries may target the different network services provided by systems to conduct a DoS. Adversaries often target DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.
One example of this type of attack is known as a simple HTTP flood, where an adversary sends a large number of HTTP requests to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.(Citation: Cloudflare HTTPflood)
Another variation, known as a SSL renegotiation attack, takes advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto algorithm. In a renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.(Citation: Arbor SSLDoS April 2012)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-3 | Access Enforcement | Protects | T1499.002 | Service Exhaustion Flood | |
AC-4 | Information Flow Enforcement | Protects | T1499.002 | Service Exhaustion Flood | |
CA-7 | Continuous Monitoring | Protects | T1499.002 | Service Exhaustion Flood | |
CM-6 | Configuration Settings | Protects | T1499.002 | Service Exhaustion Flood | |
CM-7 | Least Functionality | Protects | T1499.002 | Service Exhaustion Flood | |
SC-7 | Boundary Protection | Protects | T1499.002 | Service Exhaustion Flood | |
SI-10 | Information Input Validation | Protects | T1499.002 | Service Exhaustion Flood | |
SI-15 | Information Output Filtering | Protects | T1499.002 | Service Exhaustion Flood | |
SI-4 | System Monitoring | Protects | T1499.002 | Service Exhaustion Flood |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.DoS | Denial of service | related-to | T1499.002 | Endpoint Denial of Service: Service Exhaustion Flood | |
action.malware.variety.DoS | DoS attack | related-to | T1499.002 | Endpoint Denial of Service: Service Exhaustion Flood |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
aws_config | AWS Config | technique_scores | T1499.002 | Service Exhaustion Flood |
Comments
The "elb-cross-zone-load-balancing-enabled" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. "cloudfront-origin-failover-enabled" can verify that failover policies are in place to increase CloudFront content availability.
Coverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.
References
|
aws_shield | AWS Shield | technique_scores | T1499.002 | Service Exhaustion Flood |
Comments
AWS Shield Standard provides protection and response to these Denial of Service attacks in real time by using a network traffic baseline and identifying anomalies among other techniques.
References
|
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1499.002 | Service Exhaustion Flood |
Comments
VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score.
References
|
aws_network_firewall | AWS Network Firewall | technique_scores | T1499.002 | Service Exhaustion Flood |
Comments
AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. That is, the AWS Network Firewall could block the source of the denial of service attack. This mapping is given a score of Partial because the source of the attack would have to be known before rules could be put in place to protect against it.
References
|