| ID | Name |
|---|---|
| T1499.001 | OS Exhaustion Flood |
| T1499.002 | Service Exhaustion Flood |
| T1499.003 | Application Exhaustion Flood |
| T1499.004 | Application or System Exploitation |
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications. For example, specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself.[1]
| ID | Mitigation | Description |
|---|---|---|
| M1037 | Filter Network Traffic | Leverage services provided by Content Delivery Networks (CDN) or providers specializing in DoS mitigations to filter traffic upstream from services.[2] Filter boundary traffic by blocking the source addresses from which the attack originates, blocking ports that are being targeted, or blocking protocols being used for transport. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0415 | Application Exhaustion Flood Detection Across Platforms | AN1165 | Repeated invocation of high-resource application endpoints or GUI components causing CPU and memory spikes, logged as elevated request volumes, prolonged handle locks, or frequent crash recoveries. |
| | | AN1166 | Automated scripts or repeated CLI/API requests that trigger application backends to consume high CPU or memory (e.g., Apache/PHP, MySQL, mail servers), resulting in syslog errors and excessive process spawning. |
| | | AN1167 | Repetitive triggering of GUI or backend application workflows that cause increased CPU/memory usage, logged in unified logs as spin reports or crash dumps. |
| | | AN1168 | Automated abuse of cloud-hosted applications (e.g., web apps, REST endpoints, internal APIs) causing compute exhaustion, high 5xx error rates, or frequent autoscaling triggers logged in Application Insights or CloudWatch. |
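The analytics above name the signals (elevated request volumes against resource-intensive endpoints in AN1165, high 5xx error rates in AN1168) but not how to score them. As an added example, not part of the ATT&CK page, the following Python flags a single source repeatedly invoking a known expensive endpoint inside a sliding window of access-log lines and reports the 5xx ratio in that window as a degradation signal; the endpoint list, thresholds and log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx common log format: src ident user [ts] "method path proto" status bytes
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$')
EXPENSIVE_PATHS = {"/report/export", "/search/fulltext"}  # assumed resource-intensive endpoints

def parse_line(line):
    """Return (src, timestamp, path-without-query, status) or None if unparsable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["src"], ts, m["path"].split("?", 1)[0], int(m["status"])

def detect_exhaustion_flood(lines, window=timedelta(seconds=60), min_requests=10):
    """Flag (src, expensive endpoint) pairs reaching min_requests in one sliding window,
    reporting the 5xx ratio inside that window as a sign the service is degrading."""
    events = defaultdict(list)
    for line in lines:
        p = parse_line(line)
        if p and p[2] in EXPENSIVE_PATHS:
            events[(p[0], p[2])].append((p[1], p[3]))
    alerts = []
    for (src, path), recs in events.items():
        recs.sort()
        start, best = 0, None            # best = densest window seen so far
        for end, (ts, _) in enumerate(recs):
            while ts - recs[start][0] > window:
                start += 1
            if end - start + 1 >= min_requests and (best is None or end - start > best[1] - best[0]):
                best = (start, end)
        if best:
            hits = recs[best[0]:best[1] + 1]
            errors = sum(1 for _, status in hits if status >= 500)
            alerts.append({"src": src, "path": path, "requests": len(hits),
                           "error_ratio": round(errors / len(hits), 2),
                           "window_start": hits[0][0].isoformat()})
    return alerts

def constructed_sample_log():
    """Constructed sample (not real traffic): one client hammering /report/export until it 503s."""
    base = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    def line(src, secs, path, status):
        ts = (base + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{src} - - [{ts}] "GET {path} HTTP/1.1" {status} 512'
    flood = [line("203.0.113.7", 3 * i, "/report/export?range=all", 503 if i >= 8 else 200) for i in range(12)]
    benign = [line("198.51.100.2", 20 * i, "/index.html", 200) for i in range(3)]
    return flood + benign
```

Running `detect_exhaustion_flood(constructed_sample_log())` yields one alert for 203.0.113.7 against /report/export with 12 requests and an error ratio of 0.33; the benign /index.html traffic is ignored because it is not on the expensive-endpoint list.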