Direct Network Flood Detection across IaaS, Linux, Windows, and macOS

ID: DET0343
Domains: Enterprise
Analytics: AN0969, AN0970, AN0971, AN0972
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0969

High-volume packet generation by local processes (e.g., PowerShell, cmd, curl.exe) or network service processes resulting in excessive outbound traffic over a short time window, correlated with abnormal resource usage or degraded host responsiveness.

Log Sources

Data Component Name | Channel
Network Connection Creation (DC0082) | WinEventLog:Sysmon EventCode=3
Process Creation (DC0032) | WinEventLog:Security EventCode=4688

Mutable Elements

Field | Description
PacketRateThreshold | Defines the burst threshold (e.g., 10,000 pps) above which activity should be flagged as anomalous.
TimeWindow | Duration over which to aggregate and analyze flow volume.

AN0970

Kernel or userland processes generating high-rate network traffic (ICMP, UDP, TCP SYN) beyond expected interface throughput or user behavior norms.

Log Sources

Data Component Name | Channel
Network Traffic Flow (DC0078) | auditd:SYSCALL connect or sendto system call with burst pattern
Process Creation (DC0032) | auditd:SYSCALL execve

Mutable Elements

Field | Description
SyscallBurstCount | Threshold of repeated socket calls within a short interval indicating flood behavior.
UserContext | Restrict to non-admin user traffic unless elevated access is detected.

AN0971

Excessive outbound traffic via ping, curl, or custom scripts indicating flooding behavior, especially with no UI context or user interaction.

Log Sources

Data Component Name | Channel
Process Creation (DC0032) | macos:unifiedlog process created with repeated ICMP or UDP flood behavior
Network Traffic Flow (DC0078) | macos:unifiedlog sudden burst in outgoing packets from same PID

Mutable Elements

Field | Description
BurstTimeWindow | Tunable range (e.g., 15s, 30s) for detecting packet floods.
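AN0969, AN0970 and AN0971 all reduce to the same mechanism: count per-process network events (Sysmon EventCode=3 connections, auditd connect/sendto syscalls, or unified log burst entries) inside a sliding window and alert when the count crosses the configured burst threshold. The following is an added example of that sliding-window logic; it is not code from DET0343 or MITRE. The event shape, the process names, destinations, timestamps and threshold values are constructed for the sample, and TIME_WINDOW and BURST_THRESHOLD stand in for the TimeWindow/BurstTimeWindow and PacketRateThreshold/SyscallBurstCount mutable elements.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables mirroring the analytics' mutable elements. The values are
# constructed to suit the sample data below, not production recommendations.
TIME_WINDOW = timedelta(seconds=10)   # TimeWindow (AN0969) / BurstTimeWindow (AN0971)
BURST_THRESHOLD = 100                 # PacketRateThreshold (AN0969) / SyscallBurstCount (AN0970)


def detect_bursts(events, window=TIME_WINDOW, threshold=BURST_THRESHOLD):
    """Sliding-window burst detector over normalized per-process network events.

    Each event is a dict with 'time' (ISO 8601), 'pid', 'image' and 'dest'.
    A Sysmon EventCode=3 record, an auditd connect/sendto SYSCALL record or a
    macOS unified log entry can each be mapped onto this shape upstream.
    One alert is raised per process the first time it accumulates at least
    `threshold` events inside `window`.
    """
    parsed = sorted(((datetime.fromisoformat(e["time"]), e) for e in events),
                    key=lambda p: p[0])
    recent = defaultdict(deque)   # (pid, image) -> deque of (timestamp, dest)
    alerted = set()
    alerts = []
    for ts, ev in parsed:
        key = (ev["pid"], ev["image"])
        dq = recent[key]
        dq.append((ts, ev["dest"]))
        # Drop events that have aged out of the window.
        while ts - dq[0][0] > window:
            dq.popleft()
        if len(dq) >= threshold and key not in alerted:
            alerted.add(key)
            distinct_dests = {d for _, d in dq}
            alerts.append({
                "pid": ev["pid"],
                "image": ev["image"],
                "window_start": dq[0][0].isoformat(),
                "events_in_window": len(dq),
                # Floods typically concentrate on very few destinations.
                "distinct_dests": len(distinct_dests),
            })
    return alerts


def build_sample_events():
    """Constructed sample: a browser opening 30 connections spread over a
    minute (benign) and a script host opening 300 connections to a single
    destination within five seconds (flood-like)."""
    base = datetime(2025, 10, 21, 10, 0, 0)
    events = []
    for i in range(30):
        events.append({"time": (base + timedelta(seconds=2 * i)).isoformat(),
                       "pid": 1337,
                       "image": "C:\\Program Files\\Browser\\browser.exe",
                       "dest": f"198.51.100.{i % 8}"})
    for i in range(300):
        events.append({"time": (base + timedelta(milliseconds=16 * i)).isoformat(),
                       "pid": 4242,
                       "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                       "dest": "203.0.113.9"})
    return events


SAMPLE_EVENTS = build_sample_events()

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print(alert)
```

The browser never exceeds a handful of connections in any 10-second window, so only the script host is reported, with a distinct-destination count of 1 as supporting context. In practice the threshold and window should be tuned per host class, and the UserContext element from AN0970 can be applied as a filter on the normalized events before they reach the detector.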

AN0972

VM or cloud instance generating anomalously high network egress targeting the same destination IP or service, especially using stateless protocols.

Log Sources

Data Component Name | Channel
Network Traffic Flow (DC0078) | AWS:VPCFlowLogs source instance sends large volume of traffic in short window
Host Status (DC0018) | CloudWatch:InstanceMetrics NetworkOut spike beyond baseline

Mutable Elements

Field | Description
InstanceTrafficThreshold | Alert when egress exceeds normal usage by X%.
ProtocolType | Prioritize alerts on stateless protocols such as UDP and ICMP.
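For AN0972 the aggregation key is the (source instance, destination, protocol) tuple rather than a process, and the comparison is against a per-instance baseline. The following is an added example that applies the InstanceTrafficThreshold and ProtocolType elements to default-format VPC flow log records; it is not code from DET0343 or MITRE. The flow log lines, account and interface IDs, addresses, byte counts and the baseline values are constructed for the sample.

```python
from collections import defaultdict

# IP protocol numbers as they appear in the VPC flow log 'protocol' field.
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
STATELESS_PROTOCOLS = {1, 17}   # ProtocolType: prioritize UDP and ICMP


def parse_flow_record(line):
    """Parse one default-format (version 2) VPC flow log line.

    Field order: version account-id interface-id srcaddr dstaddr srcport
    dstport protocol packets bytes start end action log-status
    """
    f = line.split()
    return {"src": f[3], "dst": f[4], "proto": int(f[7]),
            "packets": int(f[8]), "bytes": int(f[9])}


def egress_alerts(log_text, baseline_bytes, threshold_pct):
    """Flag (instance, destination, protocol) tuples whose egress in the log
    window exceeds the instance's baseline by more than threshold_pct percent
    (the InstanceTrafficThreshold element). baseline_bytes maps a source
    address to its normal bytes per window; instances without a baseline are
    skipped because "X% above normal" is undefined for them."""
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0})
    for line in log_text.splitlines():
        if not line or line.startswith("version"):
            continue   # blank line or header row
        r = parse_flow_record(line)
        t = totals[(r["src"], r["dst"], r["proto"])]
        t["bytes"] += r["bytes"]
        t["packets"] += r["packets"]

    alerts = []
    for (src, dst, proto), t in totals.items():
        base = baseline_bytes.get(src)
        if not base:
            continue
        limit = base * (1 + threshold_pct / 100)
        if t["bytes"] > limit:
            alerts.append({
                "instance": src,
                "destination": dst,
                "protocol": PROTOCOL_NAMES.get(proto, str(proto)),
                "bytes": t["bytes"],
                "packets": t["packets"],
                "excess_pct": round((t["bytes"] / base - 1) * 100),
                # Stateless protocols are the priority case for this analytic.
                "severity": "high" if proto in STATELESS_PROTOCOLS else "medium",
            })
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


# Constructed sample: one instance pushes ~900 MB of UDP to a single host in a
# one-minute window; another does 60 MB of ordinary HTTPS traffic.
SAMPLE_FLOW_LOG = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.9 43211 53 17 2400000 300000000 1761040800 1761040860 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.9 43212 53 17 2500000 312000000 1761040800 1761040860 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.9 43213 53 17 2300000 288000000 1761040800 1761040860 ACCEPT OK
2 123456789012 eni-0e5f6a7b 10.0.1.20 198.51.100.4 51000 443 6 40000 60000000 1761040800 1761040860 ACCEPT OK
"""

# Constructed per-instance baselines (bytes per window) and a 200% threshold.
SAMPLE_BASELINE = {"10.0.1.15": 50_000_000, "10.0.1.20": 50_000_000}
SAMPLE_THRESHOLD_PCT = 200

if __name__ == "__main__":
    for alert in egress_alerts(SAMPLE_FLOW_LOG, SAMPLE_BASELINE, SAMPLE_THRESHOLD_PCT):
        print(alert)
```

With a 50 MB baseline and a 200% threshold the alert limit is 150 MB per window, so only the UDP flow (900 MB, 1700% over baseline) is reported, at high severity; the 60 MB TCP flow stays below the limit. The same aggregation can be cross-checked against a CloudWatch NetworkOut spike for the flagged instance before paging.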