1. Home
  2. Techniques
  3. Enterprise
  4. Endpoint Denial of Service
  5. OS Exhaustion Flood

Endpoint Denial of Service: OS Exhaustion Flood

ID Name
T1499.001 OS Exhaustion Flood
T1499.002 Service Exhaustion Flood
T1499.003 Application Exhaustion Flood
T1499.004 Application or System Exploitation

Adversaries may target the operating system (OS) for a DoS attack, since the (OS) is responsible for managing the finite resources on a system. These attacks do not need to exhaust the actual resources on a system since they can simply exhaust the limits that an OS self-imposes to prevent the entire system from being overwhelmed by excessive demands on its capacity.

Different ways to achieve this exist, including TCP state-exhaustion attacks such as SYN floods and ACK floods.[1] With SYN floods, excessive amounts of SYN packets are sent, but the 3-way TCP handshake is never completed. Because each OS has a maximum number of concurrent TCP connections that it will allow, this can quickly exhaust the ability of the system to receive new requests for TCP connections, thus preventing access to any TCP service provided by the server.[2]

ACK floods leverage the stateful nature of the TCP protocol. A flood of ACK packets are sent to the target. This forces the OS to search its state table for a related TCP connection that has already been established. Because the ACK packets are for connections that do not exist, the OS will have to search the entire state table to confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to eliminate the rogue ACK packets. This greatly reduces the resources available for providing the targeted service.[3]

ID: T1499.001
Sub-technique of:  T1499
Tactic: Impact
Platforms: Linux, Windows, macOS
Impact Type: Availability
CAPEC ID: CAPEC-469, CAPEC-482
Version: 1.1
Created: 20 February 2020
Last Modified: 16 September 2020
Provided by LAYER 8

Mitigations

ID Mitigation Description
M1037 Filter Network Traffic

Leverage services provided by Content Delivery Networks (CDN) or providers specializing in DoS mitigations to filter traffic upstream from services.[4] Filter boundary traffic by blocking source addresses sourcing the attack, blocking ports that are being targeted, or blocking protocols being used for transport. To defend against SYN floods, enable SYN Cookies.

Detection

ID Data Source Data Component
DS0029 Network Traffic Network Traffic Content
Network Traffic Flow
DS0013 Sensor Health Host Status

Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.[5] Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.

References

  1. Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019.
  2. Cloudflare. (n.d.). What is a SYN flood attack?. Retrieved April 22, 2019.
  3. Corero. (n.d.). What is a SYN-ACK Flood Attack?. Retrieved April 22, 2019.
  1. Meintanis, S., Revuelto, V., Socha, K.. (2017, March 10). DDoS Overview and Response Guide. Retrieved April 24, 2019.
  2. Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.