| ID | Name |
|---|---|
| T1499.001 | OS Exhaustion Flood |
| T1499.002 | Service Exhaustion Flood |
| T1499.003 | Application Exhaustion Flood |
| T1499.004 | Application or System Exploitation |
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. [1] Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition.
Adversaries may exploit known or zero-day vulnerabilities to crash applications and/or systems, which may also lead to dependent applications and/or systems to be in a DoS condition. Crashed or restarted applications or systems may also have other effects such as Data Destruction, Firmware Corruption, Service Stop etc. which may further cause a DoS condition and deny availability to critical information, applications and/or systems.
| ID | Name | Description |
|---|---|---|
| S0604 | Industroyer |
Industroyer uses a custom DoS tool that leverages CVE-2015-5374 and targets hardcoded IP addresses of Siemens SIPROTEC devices.[2] |
| ID | Mitigation | Description |
|---|---|---|
| M1037 | Filter Network Traffic |
Leverage services provided by Content Delivery Networks (CDN) or providers specializing in DoS mitigations to filter traffic upstream from services.[3] Filter boundary traffic by blocking source addresses sourcing the attack, blocking ports that are being targeted, or blocking protocols being used for transport. |
| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0029 | Network Traffic | Network Traffic Content |
| Network Traffic Flow | ||
| DS0013 | Sensor Health | Host Status |
Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack. Externally monitor the availability of services that may be targeted by an Endpoint DoS.