attack-pattern--0bda01d5-4c1d-4062-8ee2-6872334383c3.json

{
    "external_references": [
        {
            "source_name": "mitre-attack",
            "external_id": "T1498.001",
            "url": "https://attack.mitre.org/techniques/T1498/001"
        },
        {
            "external_id": "CAPEC-125",
            "source_name": "capec",
            "url": "https://capec.mitre.org/data/definitions/125.html"
        },
        {
            "external_id": "CAPEC-486",
            "source_name": "capec",
            "url": "https://capec.mitre.org/data/definitions/486.html"
        },
        {
            "source_name": "USNYAG IranianBotnet March 2016",
            "url": "https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged",
            "description": "Preet Bharara, US Attorney. (2016, March 24). Retrieved April 23, 2019."
        },
        {
            "source_name": "Cisco DoSdetectNetflow",
            "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf",
            "description": "Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019."
        }
    ],
    "created_by_ref": "The MITRE Corporation",
    "name": "Direct Network Flood",
    "description": "Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001) are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.\n\nBotnets are commonly used to conduct network flooding attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global Internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for distributed DoS (DDoS), so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS flooding attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)",
    "id": "attack-pattern--0bda01d5-4c1d-4062-8ee2-6872334383c3",
    "type": "attack-pattern",
    "kill_chain_phases": [
        {
            "kill_chain_name": "mitre-attack",
            "phase_name": "impact"
        }
    ],
    "modified": "2020-09-16T15:57:12.410Z",
    "created": "2020-03-02T20:07:18.651Z",
    "x_mitre_data_sources": [
        "Sensor health and status",
        "Network protocol analysis",
        "Netflow/Enclave netflow",
        "Network intrusion detection system",
        "Network device logs"
    ],
    "x_mitre_detection": "Detection of a network flood can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect a network flood event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.",
    "x_mitre_version": "1.1",
    "x_mitre_is_subtechnique": true,
    "x_mitre_impact_type": [
        "Availability"
    ],
    "x_mitre_platforms": [
        "Linux",
        "macOS",
        "Windows",
        "AWS",
        "GCP",
        "Azure AD",
        "SaaS",
        "Azure",
        "Office 365"
    ]
}