1. Home
  2. Techniques
  3. Mobile
  4. Network Denial of Service

Network Denial of Service

Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth that services rely on, or by jamming the signal going to or coming from devices.

A Network DoS will occur when an adversary is able to jam radio signals (e.g. Wi-Fi, cellular, GPS) around a device to prevent it from communicating. For example, to jam cellular signal, an adversary may use a handheld signal jammer, which jam devices within the jammer’s operational range.[1]

Usage of cellular jamming has been documented in several arrests reported in the news.[2][3][4][5]

ID: T1464
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Impact
Platforms: Android, iOS
MTC ID: CEL-7, CEL-8, LPN-5, GPS-0
Version: 1.4
Created: 25 October 2017
Last Modified: 19 May 2025
Version Permalink

Procedure Examples

ID Name Description
S1062 S.O.V.A.

S.O.V.A. has C2 commands to add an infected device to a DDoS pool.[6]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0639 Detection of Network Denial of Service AN1713

Defender correlates an Android-specific causal chain where device connectivity degrades or oscillates across one or more radios, applications lose or repeatedly reattempt network access, and the radio or network failure pattern is inconsistent with ordinary mobility, coverage transition, or user-initiated airplane mode behavior. The defender correlates radio state, connectivity framework behavior, application state, network session failures, and location/network-provider degradation to distinguish network denial effects from routine weak-signal conditions.
AN1714

Defender correlates an iOS-specific reduced-confidence chain where a managed or supervised device remains active but experiences abrupt loss of network-dependent functionality, repeated session failure, or sustained communication inability without matching configuration changes or ordinary user action. Because direct radio-layer and RF-cause visibility is weaker on iOS, the defender emphasizes device posture, application wake or foreground behavior during service loss, protected network-policy stability, and downstream failure patterns observed in VPN or proxy telemetry.

References

  1. Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. Retrieved January 20, 2017.
  2. Chris Matyszczyk. (2014, May 1). FCC: Man used device to jam drivers' cell phone calls. Retrieved November 8, 2018.
  3. Matt Richtel. (2007, November 4). Devices Enforce Silence of Cellphones, Illegally. Retrieved November 8, 2018.
  1. Trevor Mogg. (2015, June 5). Florida teacher punished after signal-jamming his students’ cell phones. Retrieved November 8, 2018.
  2. David Kravets. (2016, March 10). Man accused of jamming passengers’ cell phones on Chicago subway. Retrieved November 8, 2018.
  3. ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.