T1499.003 Application Exhaustion Flood Mappings

Adversaries may target resource intensive features of web applications to cause a denial of service (DoS). Specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself. (Citation: Arbor AnnualDoSreport Jan 2018)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-3 Access Enforcement Protects T1499.003 Application Exhaustion Flood
AC-4 Information Flow Enforcement Protects T1499.003 Application Exhaustion Flood
CA-7 Continuous Monitoring Protects T1499.003 Application Exhaustion Flood
CM-6 Configuration Settings Protects T1499.003 Application Exhaustion Flood
CM-7 Least Functionality Protects T1499.003 Application Exhaustion Flood
SC-7 Boundary Protection Protects T1499.003 Application Exhaustion Flood
SI-10 Information Input Validation Protects T1499.003 Application Exhaustion Flood
SI-15 Information Output Filtering Protects T1499.003 Application Exhaustion Flood
SI-4 System Monitoring Protects T1499.003 Application Exhaustion Flood
CVE-2017-16115 timespan node module uncategorized T1499.003 Application Exhaustion Flood
action.hacking.variety.DoS Denial of service related-to T1499.003 Endpoint Denial of Service: Application Exhaustion Flood
action.malware.variety.DoS DoS attack related-to T1499.003 Endpoint Denial of Service: Application Exhaustion Flood
aws_config AWS Config technique_scores T1499.003 Application Exhaustion Flood
Comments
The "elb-cross-zone-load-balancing-enabled" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. "cloudfront-origin-failover-enabled" can verify that failover policies are in place to increase CloudFront content availability. Coverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.
References
    aws_shield AWS Shield technique_scores T1499.003 Application Exhaustion Flood
    Comments
    AWS Shield Advance allows for customized detection and mitigations for custom applications that are running on EC2 instances.
    References
      amazon_virtual_private_cloud Amazon Virtual Private Cloud technique_scores T1499.003 Application Exhaustion Flood
      Comments
      VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score.
      References
        aws_network_firewall AWS Network Firewall technique_scores T1499.003 Application Exhaustion Flood
        Comments
        AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. That is, the AWS Network Firewall could block the source of the denial of service attack. This mapping is given a score of Partial because the source of the attack would have to be known before rules could be put in place to protect against it.
        References