Impact

T1498: Network Denial of Service

T1498 · Technique · 5 platforms · 1 group

Description

Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)

A Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).

Several aspects apply across the different methods of performing Network DoS attacks, including IP address spoofing and the use of botnets.

Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.
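As an added example (not code from MITRE or this page), the following Python flags the bandwidth-exhaustion scenario described above from one-second flow summaries. It assumes records of the form (window, src, dst, bytes), an assumed 1 Gbps uplink like the page's example, and constructed traffic; it also notes how many distinct sources hit the destination, with the caveat that spoofed addresses inflate that count.

```python
from collections import defaultdict

LINK_CAPACITY_BPS = 1_000_000_000  # assumed 1 Gbps internet uplink (the page's example)
ALERT_FRACTION = 0.8               # assumed: alert when one host draws over 80% of the link
DISTRIBUTED_SOURCES = 100          # assumed: this many sources in one window suggests DDoS


def constructed_flows():
    """Constructed one-second flow records (window, src, dst, bytes); not real telemetry."""
    flows = []
    # Window 0: 500 distinct sources each send 250 kB/s to one host -> 1 Gbps, link saturated
    for i in range(500):
        flows.append((0, f"198.51.{i // 256}.{i % 256}", "203.0.113.10", 250_000))
    # Window 1: normal traffic, 20 clients at 50 kB/s -> 8 Mbps
    for i in range(20):
        flows.append((1, f"192.0.2.{i}", "203.0.113.10", 50_000))
    # Window 2: a single source pushes 900 Mbps at the same host
    flows.append((2, "192.0.2.99", "203.0.113.10", 112_500_000))
    return flows


def analyze(flows, capacity_bps=LINK_CAPACITY_BPS, alert_fraction=ALERT_FRACTION,
            distributed_sources=DISTRIBUTED_SOURCES):
    """Return one alert per (window, dst) whose ingress rate nears link capacity."""
    bytes_in = defaultdict(int)
    sources = defaultdict(set)
    for window, src, dst, nbytes in flows:
        bytes_in[(window, dst)] += nbytes
        sources[(window, dst)].add(src)
    alerts = []
    for (window, dst), total in sorted(bytes_in.items()):
        bps = total * 8  # windows are one second, so bytes * 8 is bits per second
        if bps < capacity_bps * alert_fraction:
            continue
        n_src = len(sources[(window, dst)])
        # Spoofed source addresses inflate n_src, so this is a hint about attack shape,
        # not an attribution; upstream (ISP/CDN) filtering is still the mitigation.
        kind = "distributed" if n_src >= distributed_sources else "single-source"
        alerts.append({"window": window, "dst": dst, "bps": bps,
                       "sources": n_src, "kind": kind, "saturated": bps >= capacity_bps})
    return alerts


if __name__ == "__main__":
    for alert in analyze(constructed_flows()):
        print(alert)
```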

For DoS attacks targeting the hosting system directly, see Endpoint Denial of Service.

Platforms

Windows, IaaS, Linux, macOS, Containers

Sub-Techniques (2)

Mitigations (1)

M1037: Filter Network Traffic

When flood volumes exceed the capacity of the network connection being targeted, it is typically necessary to intercept the incoming traffic upstream to filter out the attack traffic from the legitimate traffic. Such defenses can be provided by the hosting Internet Service Provider (ISP) or by a 3rd party such as a Content Delivery Network (CDN) or providers specializing in DoS mitigations.(Citati

Threat Groups (1)

ID | Group | Context
G0007 | APT28 | In 2016, [APT28](https://attack.mitre.org/groups/G0007) conducted a distributed denial of service (DDoS) attack against the World Anti-Doping Agency.(...

Associated Software (2)

ID | Name | Type | Context
S1107 | NKAbuse | Malware | [NKAbuse](https://attack.mitre.org/software/S1107) enables multiple types of network denial of service capabilities across several protocols post-inst...
S0532 | Lucifer | Malware | [Lucifer](https://attack.mitre.org/software/S0532) can execute TCP, UDP, and HTTP denial of service (DoS) attacks.(Citation: Unit 42 Lucifer June 202...

Frequently Asked Questions

What is T1498 (Network Denial of Service)?

T1498 is a MITRE ATT&CK technique named 'Network Denial of Service'. It belongs to the Impact tactic. Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth se...

How can T1498 be detected?

Detection of T1498 (Network Denial of Service) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1498?

There is 1 documented mitigation for T1498: Filter Network Traffic (M1037).

Which threat groups use T1498?

Known threat groups using T1498 include: APT28.